This procedure integrates Microsoft Active Directory as the authentication mechanism and identity provider for the CA API Gateway appliance. Once complete, users in Active Directory can authenticate to the Gateway appliance over the console or SSH in order to reach the Gateway configuration menu.
Prerequisites.
- The Windows domain schema should include Services for Unix (SFU) or a similar extension that adds the POSIX attributes (uidNumber, gidNumber, unixHomeDirectory, loginShell) to user and group objects.
- Create a dedicated service user (used later as the bind DN) through the Microsoft Management Console's (MMC) Active Directory Users and Computers snap-in.
- Set the account so that its password never expires and the user cannot change their own credentials.
- On the UNIX Attributes tab, set both the UID and the GID of this user to 499.
- Set its home directory to /dev/null and its login shell to /bin/false so that the account cannot be used for interactive logins.
- Install a server certificate on the Domain Controller so that the Gateway can communicate with AD over TLS (LDAPS).
Configuring the required user and group.
- Configure the group and user objects in Active Directory so that they carry the POSIX attributes the Gateway expects:
- Open Active Directory Users and Computers.
- Select a new or existing group object that will function as the POSIX group granting access to the Gateway configuration menu.
- Right-click it and select Properties.
- Open the UNIX Attributes tab.
- Populate the NIS Domain and GID (Group ID).
- Configure a user object to function as a POSIX user:
- Open the user's Properties and select the UNIX Attributes tab.
- Populate the NIS Domain, UID, GID, and Home Directory.
- Add the user as a member of the UNIX group.
- Return to the Properties dialog of the Gateway configuration group.
- On the Members tab, click Add.
- Select the user configured above and click Add.
- Click OK to save and confirm the changes.
Configuring the Gateway authentication method.
- Log into the Gateway as the ssgconfig user through direct console, SSH, or ILOM console redirection.
- Select Option #1: Configure system settings.
- Select Option #4: Configure authentication method.
- Select Option #3: LDAP(S) only.
- Specify "Yes" for an encrypted (LDAPS) connection, or "No" for an unencrypted connection. An unencrypted connection sends the bind credentials and every user's password to the LDAP server in cleartext, so it should only be used for troubleshooting.
- Specify the fully qualified domain name or IP address of the LDAP server. If you chose LDAPS, this name should match the certificate installed on the Domain Controller.
- Specify a port number to use if different from the default (389 for LDAP, 636 for LDAPS).
- Specify a base search distinguished name (DN).
- Specify whether to use anonymous binding. Anonymous binding lets the Gateway search the LDAP server without providing credentials, which only works if the server has been configured to allow read-only access to anonymous users; Active Directory does not allow this by default. Consult your Active Directory or LDAP administrator to confirm whether it is permitted. If anonymous binding is used, the bind DN and bind password prompts below are skipped.
- Specify the bind DN of the account that provides read access to the LDAP directory (the dedicated user created above).
- Specify the bind password for the above bind DN.
- Specify the name of the group whose members are authorized to use the Gateway configuration menu.
- Specify the GID for that group. It must match the GID set on the group's UNIX Attributes tab.
- Choose the hashing algorithm used by the LDAP server.
- Specify the object type that contains the credentials for a user.
- Specify the object type that contains the group assignment for a user.
- Specify the object type that contains the shadow entries for a user.
- If you opted to use LDAPS, you will be presented with several extra prompts. If not, skip ahead to the configuration summary.
- Specify whether the LDAPS server's certificate can be fetched from a URL. If yes, provide the URL; if not, provide the file path.
- If you require a customized TLS configuration for connecting to the LDAPS server, specify "Yes." If not, the remaining TLS prompts are skipped and you continue to the configuration summary.
- If you require a specialized process for handling server certificates, specify "Yes." If not, continue to the configuration summary.
- Choose an option for handling the server certificate presented by the LDAPS server.
- If you require Certificate Revocation List (CRL) checking, specify "Yes." If not, continue to the configuration summary.
- If you require a customized client authentication configuration (a client certificate for mutual TLS), specify "Yes." If not, continue to the configuration summary.
- Specify the file path to a PEM-formatted client certificate.
- Specify the file path to a PEM-formatted client private key.
- If you require a customized PAM login attribute, specify "Yes." If not, continue to the configuration summary.
- Specify the PAM login attribute.
- You will be presented with a summary of the configuration of the Gateway's LDAP(S)-based authentication scheme. Verify the results and press <Enter> to accept.
- Select Option X: Exit menu.
Mapping attributes between LDAP(S) and AD.
If your AD infrastructure differs from the default configuration, you may need access to a Domain Controller in order to view and/or modify a user's attributes. In addition, the attribute names a generic UNIX LDAP server uses to describe a POSIX user and group (the RFC 2307 posixAccount, shadowAccount and posixGroup classes) differ from the names Microsoft AD uses, so the attributes expected by the Gateway's LDAP client must be mapped to the attributes AD actually returns.
- Select Option #3: Use a privileged shell (root).
- Open /etc/ldap.conf in a text editor.
- Remove the comment delimiter (#) from the following lines:
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member
nss_override_attribute_value loginShell /bin/bash
nss_map_attribute uidNumber uidNumber
- Review the above mappings with your AD administrators. The AD attribute on the right-hand side of each line may need to be changed on the Gateway to match an organization's particular AD schema (for example, a directory that stores the home directory in an attribute other than unixHomeDirectory).
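What the mapping lines above achieve is easier to see by applying them to an entry. The following Python script is an added illustration and is not part of the Gateway appliance or of nss_ldap: it parses the directives exactly as listed, applies them to a constructed AD user and group (the names, DNs, OU and UID/GID values are made up for the example) and produces the passwd and group records the Gateway's NSS layer would derive. It also reports which AD attributes from the user and group configuration section are missing on an entry, which is what you see when the UNIX Attributes tab was left unpopulated.

```python
"""Translate an AD user and group into passwd/group records using the nss_ldap
mappings from /etc/ldap.conf. Added illustration; sample data is constructed."""

# The directives from the procedure, as they read once the '#' is removed.
LDAP_CONF = """
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member
nss_override_attribute_value loginShell /bin/bash
nss_map_attribute uidNumber uidNumber
"""

# Constructed sample entries in the shape AD returns them (not real directory data).
AD_USER = {
    "dn": "CN=Jane Doe,OU=Gateway Admins,DC=example,DC=com",
    "objectClass": ["top", "person", "organizationalPerson", "user"],
    "sAMAccountName": "jdoe",
    "displayName": "Jane Doe",
    "uidNumber": "10001",
    "gidNumber": "10000",
    "unixHomeDirectory": "/home/jdoe",
    "loginShell": "/bin/sh",  # ignored: nss_override_attribute_value forces /bin/bash
}
AD_GROUP = {
    "dn": "CN=ssgconfig-admins,OU=Gateway Admins,DC=example,DC=com",
    "objectClass": ["top", "group"],
    "cn": "ssgconfig-admins",
    "gidNumber": "10000",  # must equal the GID given at the Gateway's group prompt
    "member": ["CN=Jane Doe,OU=Gateway Admins,DC=example,DC=com"],
}

def parse_mappings(conf):
    """Return (objectclass map, attribute map, overrides); '#' lines are ignored."""
    classes, attrs, overrides = {}, {}, {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue
        directive, key, value = parts
        if directive == "nss_map_objectclass":
            classes[key] = value
        elif directive == "nss_map_attribute":
            attrs[key] = value
        elif directive == "nss_override_attribute_value":
            overrides[key] = value
    return classes, attrs, overrides

def resolve(entry, posix_attr, attrs, overrides):
    """Value for a posixAccount/posixGroup attribute: an override wins, otherwise
    the mapped AD attribute is read (names without a mapping pass through)."""
    if posix_attr in overrides:
        return overrides[posix_attr]
    ad_attr = attrs.get(posix_attr, posix_attr)
    value = entry.get(ad_attr)
    if value is None:
        raise KeyError(f"{ad_attr} not set on {entry['dn']}; populate the UNIX Attributes tab")
    return value

def missing_unix_attributes(user, conf):
    """AD attributes a passwd lookup needs but this user does not carry."""
    _, attrs, overrides = parse_mappings(conf)
    needed = ("uid", "uidNumber", "gidNumber", "homeDirectory", "loginShell")
    return [attrs.get(a, a) for a in needed
            if a not in overrides and user.get(attrs.get(a, a)) is None]

def passwd_entry(user, conf):
    """passwd(5)-style record, e.g. jdoe:x:10001:10000:Jane Doe:/home/jdoe:/bin/bash."""
    classes, attrs, overrides = parse_mappings(conf)
    # With posixAccount mapped to user, nss_ldap filters on (objectClass=user).
    if classes.get("posixAccount", "posixAccount") not in user["objectClass"]:
        raise ValueError(f"{user['dn']} does not match the mapped posixAccount class")
    fields = [resolve(user, "uid", attrs, overrides), "x",
              resolve(user, "uidNumber", attrs, overrides),
              resolve(user, "gidNumber", attrs, overrides),
              user.get("displayName", ""),
              resolve(user, "homeDirectory", attrs, overrides),
              resolve(user, "loginShell", attrs, overrides)]
    return ":".join(fields)

def group_entry(group, conf, users):
    """group(5)-style record. AD's member attribute holds DNs, so each DN is
    resolved to the login name that the uid mapping yields for that user."""
    classes, attrs, overrides = parse_mappings(conf)
    if classes.get("posixGroup", "posixGroup") not in group["objectClass"]:
        raise ValueError(f"{group['dn']} does not match the mapped posixGroup class")
    login_by_dn = {u["dn"]: resolve(u, "uid", attrs, overrides) for u in users}
    member_attr = attrs.get("uniqueMember", "uniqueMember")
    members = [login_by_dn[dn] for dn in group.get(member_attr, []) if dn in login_by_dn]
    return ":".join([group["cn"], "x", resolve(group, "gidNumber", attrs, overrides),
                     ",".join(members)])

if __name__ == "__main__":
    print(passwd_entry(AD_USER, LDAP_CONF))
    print(group_entry(AD_GROUP, LDAP_CONF, [AD_USER]))
    print("missing attributes:", missing_unix_attributes(AD_USER, LDAP_CONF))
```

The script runs with python3 on any workstation and contacts no directory. The group membership resolution is simplified: real nss_ldap looks up each member DN in the directory, while the script only resolves the DNs of users it is handed. Delete a mapping line from LDAP_CONF or drop an attribute from AD_USER to see the KeyError a misconfigured entry produces.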
Applying the configuration method to the Gateway.
Once the above procedures have been completed, the Gateway appliance must be restarted for the changes to take effect. Restart the appliance, then verify that a member of the configured AD group can log in over SSH or the console and reach the Gateway configuration menu, and that a user outside that group is refused.