Searching...

Matching results

    LDAP

    LDAP authentication includes support for secure LDAP and integration into the AMM that allows a remote user group to be configured.

    This remote user group is configured using a service account with limited permissions, which allows the AMM to authenticate with the remote directory server.

    The user will login to the AMM specifying the remote user group and their LDAP credentials. The AMM will validate the username and password combination with the directory server that was specified in the remote user group. If the directory server is able to correctly validate the user credentials, then access to the AMM will be granted.

    The following subsections provide information on how to setup LDAP.

    Requirements

    The requirements for setting up LDAP are as follows:

    1. Following information must be provided by the LDAP administrator.
      • Search Base
      • Search Filter
      • LDAP Service User and password
      • Server Address and port for each LDAP server to be configured.
      • Secure channel type. Either StartTLS or SSL.
    2. If SSL is to be used, then the LDAP server must be setup with an X.509 SSL server certificate and have SSL enabled on port 636 (default)(or on port 389). If the LDAP server is not using a commercial CA signed certificate, the administrator needs to install the CA root certificate in the AMM's database of trusted certificates. Contact Technical Support for assistance.

    Limitations

    The limitations are as follows:

    1. Maximum ten LDAP servers can be configured.
    2. Multi factor authentication does not apply for remote users.
    3. Remote users do not have access to Admin > Users.
    4. Remote users cannot use the Forgot Password feature. It only works for local users. Remote users will have to contact their IT department.
    5. Remote users cannot have a unique dashboard and will also not have access to Options > Preferences. Instead they will use the dashboard and preferences as defined by the Remote User Group. If you need different levels of user rights for different users, then you will need to create multiple Remote User Groups with different user rights and then ensure that the correct users are in the correct groups.
    6. LDAP query must only return a single result, otherwise the authentication will fail

    Guidance When Upgrading to AM/AMM 2.17.5 with Existing LDAP Users

    If there are existing LDAP users, then the following directions should be incorporated into the upgrade process when upgrading to AM/AMM 2.17.5.

    1. When upgrading to AMM 2.17.5, any LDAP query previously defined must be updated to use Search Base and Search Filter.

    Configuration

    Creating Remote User Group

    Before any LDAP remote user can login into AMM, it is necessary to configure the AMM to be able to authenticate with a remote LDAP server. This configuration is done by adding a new remote user group on the system, under the Admin > User Management > Users screen.

    This remote user group will store the LDAP server information, such as ip-address, port, etc. It will also store privileges and preference settings that will be used for incoming remote users.

    Remote Server Identification

    • Remote User Group Name*: This is the group name that is used by users to identify that they are using a remote directory service for user authentication. This is not an LDAP domain name.
    • Add LDAP Server: Press to add the fields for additional LDAP servers.

    • Search Base*: Defines the location within the directory tree where the search will start. E.g. OU=people,DC=company,DC=local.
    • Search Filter*: Criteria used to specify the scope of the search operation within the LDAP directory. E.g. (&(objectClass=user)(sAMAccountName=?)(memberOf=CN=AMM Admins,OU=groups,DC=company,DC=local))
    • LDAP Service User: The user Distinguished Name (DN) used inside LDAP that will give permissions to do queries. E.g. cn=ldapadmin,dc=ammtestldap,dc=com.
    • Password: The password for the LDAP Service User.
    • Server Address*: The LDAP server hostname or ip address
    • Port: The LDAP server port. If not provided, it will default to 389 for a Start TLS and None connection type or 636 for a SSL connection type.
    • Secure Channel: Options are LDAP over TLS (Start TLS), or LDAPS (SSL) or None. It is highly recommended that either Start TLS or SSL is used to provide a secure environment.
    • Test Connection: Allows the user to verify the provided information with the LDAP server. It does not affect the status information.

    Successful connection to LDAP server

    Successful connection to LDAP server

    Failed connection to LDAP server

    Failed connection to LDAP server

    • Show Status Information:

      • Last Successful Authentication: Shows the date and time of the last successful authentication to the configured server. If it shows N/A, then the AMM has not yet performed an authentication to the configured server.
      • Last Server Failure: Shows the date and time of the last communication failure to the configured server. If it shows N/A, then the AMM has not yet attempted to communicate with the configured server.

    • Customer Group: Select the AMM customer group that the remote user will belong to. This group contains the gateways that the remote user will have access to on the AMM.

    • Remote User’s Expiry Date: The date for when the remote user group will no longer be able to login to the AMM.

    Note: When an expiry date is set for the remote user group, then all remote users that are part of this remote user group will have this expiry date.

    A Remote User Group must have at least one server entry, otherwise the change will not be saved.

    The order in which the LDAP servers are entered, is the order in which they will be saved. Initially the active server will be the first one saved. The active LDAP server is indicated by the LDAP Server in Use label. If it has a green square besides this label, then communications and authentications to the LDAP server from the AMM was working when last tried.

    E.g. This example shows that the ldap server openldaptest1.test.airlink.com is the active server and that its last communication from the AMM to the ldap server was successful as indicated by the green square. The Last Server Failure shows there was a communication failure at that date/time, but since then the green shows that the failure has cleared.

    Whenever there is a failure of communication (i.e. connection timeout), the square besides the LDAP Server in Use will turn red. The next server in the list will be tried. If it is able to perform a successful authentication or receives a authentication failure such as user using wrong credentials, then the server will be designated the active one and the square besides the LDAP Server in Use will turn green. If it fails with a communication timeout, it will continue the same process for each server in the list until it reaches the last server. If the last server fails, it will retry from the top of the list. The Last Server Failure under the Show Status Information will be updated with the date/time of the communication failure for each failed server.

    Logging in using a Remote User Group

    If a user wants to login to the AMM using a remote user id, then the following pattern must be used in the User Name field of the login screen.

    {remote user group name}/{ldap user name}

    E.g.

    The AMM will use this information to retrieve the LDAP server information and the credentials will be authenticated on the LDAP server.

    Once logged in as a remote user, any reference to User will display in the format {ldap_user_group}/{userid}.

    Configure an AMM for LDAP user authentication:

    Administrating a Remote User Group

    If the administrator deletes the Remote User Group, all associated remote users with an active session will be automatically logged out and no longer able to log back in. A warning popup will show to confirm that this is the desired action.

    If the administrator changes any settings in the Remote User Group record, any remote users associated to that Remote User Group record will be automatically logged out, and prompted to login again. A warning popup will show to confirm that this is the desired action.

    If the Remote User Group Name is changed, the remote user will need to login using the new Remote User Group Name.

    User Activity Logs

    When a Remote User Group is created, modified or deleted, an entry will be logged in the Admin > User Management > User Activity.
    Event
    Created remote user group ldap_user_group
    Modified remote user group ldap_user_group
    Deleted remote user group ldap_user_group

    Any actions taken by a remote user will be logged in the User Activity identified under the User column as {ldap_user_group}/{userid}.

    TOP