Setting Bind User, Userstore and Group Filters In VIP Enterprise Gateway.
Updated On:01-10-2019 11:12
VIP Enterprise Gateway
This article discusses the configuration of the Bind User and User Search Criteria in VIP Enterprise Gateway.
To authenticate against your user store, VIP Enterprise Gateway needs to do two things:
Connect to the user store.
Search and filter users who have access to VIP in the user store.
Both of these are discussed below.
CONNECTING TO THE USER STORE
VIP Enterprise Gateway uses a service account to bind (connect) to the user store. Binding is the step in which the LDAP server authenticates VIP EG and, if authentication succeeds, lets VIP EG read the directory with whatever privileges that account has been granted.
Before configuring VIP Enterprise Gateway, create the bind user in your user store, typically in a dedicated organisational unit where service accounts are kept.
Bind Username: svc_symcVIP
Read-only access to the user store is enough for authentication; grant the account write access only if VIP EG is expected to reset expired passwords on users' behalf.
VIP Enterprise Gateway expects the bind user to be entered in Distinguished Name (DN) notation. For example,
Once bound with that DN, VIP Enterprise Gateway searches for users starting at the configured base DN, for example "OU=users,DC=acme,DC=com". Every object from that container down is searched.
By default VIP EG matches every user object with one of the following two LDAP search strings (%s is replaced with the login name), so that every user under the search base can authenticate to VIP and the resources it protects:
For generic LDAP: (&(uid=%s)(objectclass=organizationalPerson))
For Active Directory: (&(objectClass=user)(objectCategory=person)(sAMAccountName=%s))
Additional conditions can be added to the user filter to limit access to VIP-protected resources to members of specific groups. For example, to reach a VPN protected by VIP, a user might have to be a member of the "Secure VPN" group. To enforce this, add a group-membership condition to the user filter string. Because the user filter is an LDAP search filter, the group must be specified by its Distinguished Name, not by its display name.
To find the DN of a group (in this example, Secure VPN) from a Windows command prompt:
Open a command prompt on a machine that has the AD DS command-line tools installed.
Execute the command dsquery group -name "Secure VPN"
This returns the Distinguished Name of the group, wrapped in quotes in the tool's output, e.g. "CN=Secure VPN,OU=groups,DC=acme,DC=com".
So if the group Secure VPN is located in acme.com/groups/, its Distinguished Name is CN=Secure VPN,OU=groups,DC=acme,DC=com. Use the DN without the surrounding quotes in the filter: the quotes belong to the dsquery command line and output only, and the space inside the CN value needs no quoting in an LDAP filter.
Using the information in this example, the user filter that limits VIP access to members of that group would look like this:
LDAP filters can be very complex queries, allowing for very specific access. For example, to admit a VIP user who is a member of either the Secure VPN group or the Full Time Employees group, the LDAP user filter could look like:
(&(objectClass=user)(objectCategory=person)(sAMAccountName=%s)(|(memberOf=CN=Secure VPN,OU=groups,DC=acme,DC=com)(memberOf=CN=Full Time Employees,OU=groups,DC=acme,DC=com)))
Note that memberOf lists only a user's direct group memberships, so a user who belongs to Secure VPN through a nested group will not match this filter unless the nested group is listed as well. Active Directory offers the LDAP_MATCHING_RULE_IN_CHAIN extended matching rule for nested lookups; whether VIP EG accepts it in the user filter is not covered by this article.
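To check a user filter before pasting it into VIP Enterprise Gateway, the following Python is an added example, not Symantec code: it builds both the single-group filter and the two-group filter from the Active Directory default template above, substitutes a login name for %s with RFC 4515 escaping, and evaluates the result against a constructed in-memory directory standing in for OU=users,DC=acme,DC=com. The group DNs, the sample accounts and the small filter evaluator are assumptions made for illustration only, and the evaluator covers just the AND, OR, NOT and equality forms these filters use. Whether the gateway itself escapes the value it substitutes for %s is not something this article states; the escaping here shows what a safe substitution looks like.

```python
"""Build VIP EG style LDAP user filters and dry-run them against sample data.

Added example, not Symantec code. The directory below is constructed sample
data; the evaluator mimics only the parts of LDAP filter matching the
article relies on (AND, OR, NOT, equality, DN-valued memberOf).
"""
import re

# Active Directory default template from the article (%s = login name).
AD_USER_FILTER = "(&(objectClass=user)(objectCategory=person)(sAMAccountName=%s))"

# Assumed group DNs, as returned by dsquery (without its surrounding quotes).
SECURE_VPN = "CN=Secure VPN,OU=groups,DC=acme,DC=com"
FULL_TIME = "CN=Full Time Employees,OU=groups,DC=acme,DC=com"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a login name substituted for %s must not be able
    to change the structure of the filter (e.g. "*" or ")(" in the name)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def restrict_to_groups(base_filter: str, group_dns) -> str:
    """Append a memberOf condition to an (&...) filter: one DN gives a single
    term, several DNs are OR'd so membership in any of them is enough."""
    if not (base_filter.startswith("(&") and base_filter.endswith(")")):
        raise ValueError("expected an (&...) filter")
    terms = "".join("(memberOf=%s)" % escape_filter_value(dn) for dn in group_dns)
    clause = terms if len(group_dns) == 1 else "(|%s)" % terms
    return base_filter[:-1] + clause + ")"


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _parse(s: str, i: int):
    """Recursive-descent parser for the filter subset; returns (node, next_index)."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        return (op, kids), i + 1          # consume the closing ')'
    if s[i] == "!":
        node, i = _parse(s, i + 1)
        return ("!", [node]), i + 1
    j = s.index(")", i)                   # a ')' inside a value arrives escaped as \29
    attr, _, val = s[i:j].partition("=")  # first '=' only; DN values contain more
    return ("=", attr.lower(), _unescape(val)), j + 1


def parse_filter(s: str):
    node, end = _parse(s, 0)
    if end != len(s):
        raise ValueError("trailing data after filter")
    return node


def _norm_dn(dn: str) -> str:
    # AD compares DN-syntax attributes as DNs, so case and spacing around the
    # commas do not matter; this normalisation approximates that (assumption).
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()


def matches(node, entry: dict) -> bool:
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, wanted = node
    values = entry.get(attr, [])
    if attr == "memberof":
        return any(_norm_dn(v) == _norm_dn(wanted) for v in values)
    return any(v.lower() == wanted.lower() for v in values)


def _user(sam: str, groups):
    # objectCategory is a schema DN in AD, but filters may use the short class
    # name, so the constructed data stores the short form (simplification).
    return {"samaccountname": [sam], "objectcategory": ["person"],
            "objectclass": ["top", "person", "organizationalPerson", "user"],
            "memberof": list(groups)}


# Constructed sample directory standing in for OU=users,DC=acme,DC=com.
DIRECTORY = [_user("alice", [SECURE_VPN]), _user("bob", [FULL_TIME]),
             _user("carol", []), _user("svc_symcVIP", [])]


def vip_user_lookup(template: str, login: str, directory=DIRECTORY):
    """What the gateway effectively does after binding: substitute the login
    into the filter and search the base. Returns the matching entry or None."""
    node = parse_filter(template.replace("%s", escape_filter_value(login)))
    hits = [e for e in directory if matches(node, e)]
    if len(hits) > 1:
        raise RuntimeError("user filter matched more than one entry")
    return hits[0] if hits else None


if __name__ == "__main__":
    vpn_only = restrict_to_groups(AD_USER_FILTER, [SECURE_VPN])
    vpn_or_fte = restrict_to_groups(AD_USER_FILTER, [SECURE_VPN, FULL_TIME])
    print(vpn_only)
    print(vpn_or_fte)
    for login in ("alice", "bob", "carol", "*"):
        print(login, vip_user_lookup(vpn_only, login) is not None,
              vip_user_lookup(vpn_or_fte, login) is not None)
```

With the single-group filter only alice is found; with the two-group filter alice and bob are found and carol is not. The login "*" finds nobody because it is escaped to \2a before substitution, whereas an unescaped wildcard would turn the sAMAccountName condition into a match-anything clause.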
For more information about the Microsoft tools mentioned in this article, please see the following links: