Single Sign On with LDAP integration configuration

book

Article ID: 48910

calendar_today

Updated On:

Products

APPLICATION DELIVERY ANALYSIS SUPERAGENT CA Infrastructure Performance CA NetVoyant (NetQoS / NV)

Issue/Introduction

Description:

Customer is looking to have SSO integrate with their LDAP system. This is a checklist of what information needs to be gathered ahead of time in order for NetQoS Support to be able to help configure LDAP through SSO.

Solution:

General information about the LDAP environment

  • Direct Access to one of the LDAP administrators during the configuration process.

  • Type of LDAP implementation, e.g. using AD, OpenLDAP, etc.

  • Which LDAP server to use. Currently the SSO tool limits you to a single LDAP server

    • This includes connectivity to the LDAP server. The normal LDAP port is TCP 389. LDAP over SSL default is TCP 636.

  • A username and password we can use to log in. A temporary account is fine if it has the same properties as the users that will be signing in through SSO. When configuring the tool, Support will often need to constantly re-enter the username/password and having an account we have full access to makes this process much faster.

Technical information

  • DN of the search domain. SSO can access a single search domain, but it can search all entries under it, so this needs to be the highest level DN that will encompass all of the users you want to be able to log in.

  • DNs of specific users that they want to have access.

  • The search string that used to identify users. This will be what the user enters in username field of the product when authenticating, e.g. sAMAccountName, Alias, guid, etc.

  • If their LDAP server uses SSL, you need to have the correct security certificates available in order for it to work.

  • If you want to use groups (e.g. some users get different permissions assigned automatically), these *MUST* be configured already. SSO is going to SSO LDAP server to authenticate, and if it is not already setup in a way such that the users are grouped how you want them to be grouped, the SSO tool won't be able to help you.

    • The most common request is to make subset of users an admin, while others get user access. In order to do this, you need to have the users defined in such a way that SSO can search for it. Here's an example. You can see they have defined each user to be either a member of CN=NETQOS_USERS (for user access), or CN=NETQOS_ADMINS (for admin access). If this was not already defined within the LDAP system, we would not be able to do an implementation like this.

<LDAPGroups> <Group searchTag="memberOf" searchString="CN=NETQOS_USERS,CN=Users,DC=netqos,DC=local"
user="{sAMAccountName}" passwd="" userClone="nquser"/> <Group searchTag="memberOf"
searchString="CN=NETQOS_ADMINS,CN=Users,DC=netqos,DC=local" user="{sAMAccountName}"
passwd="" userClone="nqadmin"/> </LDAPGroups>

Environment

Release: RAIB1H99000-9.1-Network Flow Analysis-Interface Bundle-Hardware
Component: