ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Setting Bind User, Userstore and Group Filters In VIP Enterprise Gateway.

book

Article ID: 161466

calendar_today

Updated On:

Products

VIP Enterprise Gateway

Issue/Introduction

This article discusses the configuration of the Bind User and User Search Criteria in VIP Enterprise Gateway.

Resolution

To authenticate against your user store, VIP Enterprise Gateway needs to perform to two things:
  1. Connect to the user store.
  2. Search and filter users who have access to VIP in the user store.
Both of these are discussed below.
 
CONNECTING TO THE USER STORE
 
VIP Enterprise Gateway uses a service account to bind (connect) to the user store. Binding is the step where the LDAP server authenticates the VIP EG and, if successfully authenticated, allows VIP EG access to the LDAP server based on the set privileges.
 
Prior to configuring VIP Enterprise Gateway, create the bind username in your user store. This is typically a special organisational unit where service accounts are stored.

For example:

                Bind Username: svc_symcVIP
                Location: acme.com/users/service
 
The user can have read-only access to the userstore, or write access to reset expired passwords.
 
VIP Enterprise Gateway expects the bind user to be entered in Distinguished Name (DN) notation. For example,
                CN=svc_symcVIP,OU=service, OU=users, DC=acme, DC=com
 
VIP requires the user's Distinguished Name (DN). Obtain the distinguished name by querying the userstore. In Active Directory, this can be done in two ways:
 
1.  Using the command prompt to find the DN of the bind user (in this example, svc_symcVIP):
  • Open a command prompt
  • Execute the command dsquery user –name svc_symcVIP
  • This will return the Distinguished Name of the user "CN=svc_symcVIP,OU=service, OU=users, DC=acme, DC=com". Add this information to the user store configuration
 
2.  Using the  Active Directory Users & Computers to find the DN of the bind user (in this case svc_symcVIP).
  1. Select Active Directory Users and Computers from Start -> Programs -> Administrative Tools.
  2. Click View, then select Advanced Features.
  3. Locate and double-click on the user object (e.g. svc_symcVIP)
  4. Select the Attribute Editor tab.
  5. Locate and double-click the entry distinguishedName
  6. A dialog box will display the Distinguished Name e.g. "CN=svc_symcVIP,OU=service, OU=users, DC=acme, DC=com". Add this information to the user store configuration
 
SEARCHING AND FILTERING USERS WHO HAVE ACCESS TO VIP
 
VIP Enterprise Gateway can be configured to allow all users access to VIP, limited to specific groups, or other conditions. In this section, some common scenarios are discussed.
 
VIP needs to know the Base Distinguished Name or Base DN. The Bind DN is the latter part of the Base DN. The Base DN tells VIP EG the location of the user store where user objects are stored.

For example:
Bind DN:  CN=svc_symcVIP,OU=service, OU=users, DC=acme, DC=com
Base DN: OU=users, DC=acme, DC=com
 
VIP Enterprise Gateway will use the bind DN information to connect to the base DN "OU=users, DC=acme, DC=com". All objects from there down will be searched.
 
FILTERING USERS.
 
By default VIP EG will match all user objects using one of the following two LDAP search string to identify all objects that are considered people, allowing all users access to VIP and the resources protected by VIP.:
  1. For generic LDAP:  (&(uid=%s)(objectclass=organizationalPerson))
  2. For Active Directory:  (&(objectClass=user)(objectCategory=person)(sAMAccountName=%s))
Additional filters can be created to filter the results and limit access to VIP protected resources to specific groups. For example, to access a VPN protected by VIP, a user might have to be a member of the "Secure VPN" group. To do this, add the group membership to the user filter string. Because User filter is an LDAP search string, the group must be specified by the groups Distinguished Name.
 
Using the command prompt to find the DN of the group, (in this example, Secure VPN):
  • Open a command prompt
  • Execute the command dsquery group –name 
  • This will return the Distinguished Name of the group e.g. "CN="Secure VPN",OU=groups, DC=acme, DC=com".
Hence. if the group Secure VPN is located in acme.com/groups/, the group Distinguised Name is CN="Secure VPN",OU=groups, DC=acme, DC=com.
 
Using the information in this example, the query to add users to the group would look like this:
            (&(objectClass=user)(objectCategory=person)(memberOf=CN="Secure VPN",OU=groups, DC=acme, DC=com)(sAMAccountName=%s))
 
The group query above will only include users who are direct members of the group, members of nested groups are not included.
To include nested groups, include an additional parameter to the query, 1.2.840.113556.1.4.1941.
 
Using the information in this example, adding all members of Secure VPN and all users in nested groups would look like:
                (&(objectCategory=person)(ObjectClass=user)(memberof:1.2.840.113556.1.4.1941:=CN="Secure VPN",OU=groups, DC=acme, DC=com))(sAMAccountName=%s))
 
LDAP filters can be very complex queries, allowing for very specfic access. For example, to designate a VIP user that is a member of either the Secure VPN group or Full Time Employees group, the LDAP user filter could look like:
            (&(objectClass=user)(objectCategory=person)(sAMAccountName=%s)(|(memberOf=CN="Secure VPN",OU=groups, DC=acme, DC=com)(memberOf=CN="Full Time Employees",OU=groups, DC=acme, DC=com)))
 
For more information about the Microsoft tools mentioned in this article please see the following links: