LDAP Directories
| Field | Value |
|---|---|
| Connector name | |
| Connector type | Executable |
| Type (UI field value) | LDAP Directory Service |
| Target system versions supported / tested | LDAP v2 and LDAP v3 directories |
| Connector status / support | Bravura Security-Verified: this connector has been tested and is fully supported by Bravura Security. |
Bravura Security Fabric performs operations on LDAP v2 and LDAP v3 directories by directly binding to the LDAP or LDAPS service and issuing LDAP commands to modify user objects. The LDAP bind operation itself is used to validate current passwords, and LDAP search is used to enumerate users.
Bravura Security Fabric can create, delete, enable, disable, modify, rename and move LDAP users in any specified directory or OU. It creates new LDAP users by cloning existing ones, copying and adjusting attributes in the process. It can also manage the membership of LDAP users in LDAP groups.
The following Bravura Security Fabric operations are supported by the agent for LDAP Directories (agtldap):
administrator verify password
get server information
user change password
expire password
check password expiry
administrator reset password
unexpire password
unlock account
user verify password
create account
delete account
disable account
enable account
create group
delete group
add user to group
delete user from group
add group to group
remove group from group
add owner(user) to group
remove owner(user) from group
add owner(group) to group
remove owner(group) from group
check account enabled
check account lock
lock account
move contexts
rename account
update attributes
list account attributes
List:
accounts
attributes
groups
members
computer objects
persistent listing
For a full list and explanation of each connector operation, see Connector operations.
The following sections show you how to:
Export and install SSL certification files
Define an account for the target system administrator in an LDAP Directory
Set the LDAP Directory Service target system address in Bravura Security Fabric
Create template accounts using the Netscape Console
Handle account attributes
Manage groups
Handle LDAP referrals
This chapter also describes how Bravura Security Fabric handles special attributes, used when creating or modifying accounts on an LDAP Directory Service target.
Preparation
Before you begin, you must:
Know the name of each LDAP tree and the top-level context in which Bravura Security Fabric performs operations.
Document a DNS server name and TCP port number for the master LDAP service for each directory.
Create an administrative account in the LDAP tree that can list users in the relevant contexts and reset passwords for every user object in those contexts. See Configuring a target system administrator below for details.
Create at least one test account in the tree. More accounts, in multiple contexts, are better.
If you have an LDAP server set up for SSL encryption, ensure that the required server authentication certificate is imported into a trusted root certificate store on the instance server. See Exporting and installing SSL certification files below for details.
Determine how Bravura Security Fabric identifies users in the LDAP tree. Bravura Security Fabric can do this based on one of two mutually-exclusive assumptions:
Each user has at most one account in the LDAP tree. Ideally, but not necessarily, the common name uniquely identifies each user.
A user may have multiple accounts in different contexts in the tree, but the common name uniquely identifies the user.
Warning
Ensure that your LDAP client does not hash new passwords before sending requests to the LDAP server, if:
You will be implementing transparent synchronization
Bravura Security Fabric will be used to verify passwords on the LDAP target
If you do not want passwords to be transmitted in plaintext, it is highly recommended that you enable SSL on the LDAP server.
Configuring a target system administrator
Bravura Security Fabric uses a designated account on the LDAP Directory Service target system to create and manage objects.
The target system administrator must be a member of the configuration administrators group. Ensure that you set and note the account’s password. You will be required to enter the login ID and password when you add the LDAP target system to Bravura Security Fabric.
You must use a fully qualified name for the administrator ID.
For example, on Netscape Directory Server, the built-in administrator account’s fully qualified name is:
uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
Exporting and installing SSL certification files
If you want to communicate with an LDAP server configured for SSL encryption, you must obtain the necessary certificate file from the LDAP server and install it into a trusted certificate store on your instance server.
Before you start, ensure that the LDAP server is configured for SSL and has a server authentication certificate to deploy onto the instance server.
It is important to ensure that the Network Service account on the LDAP server has read permissions for the server authentication certificate.
Please refer to the following link for more information on setting up LDAP over SSL:
https://msdn.microsoft.com/en-us/library/cc725767(v=ws.10).aspx#BKMK_1
To obtain the SSL certificate from the LDAP server, follow the steps below:
On the LDAP server, go to Start > Run and enter "mmc".
In the console, go to File > Add/Remove Snap-in.
Select the Certificates snap-in, click Add, then OK.
Select Computer account, then click Next .
Select Local computer, then click Finish.
On the console, expand the Certificates (Local Computer) drop-down.
Navigate to the Personal > Certificates folder.
Locate the server authentication certificate, right-click the certificate, and select Copy.
Right-click on the Trusted Root Certification Authorities > Certificates folder and select Paste.
From the same folder, locate and right-click the certificate you pasted. Select All Tasks > Export.
When prompted on the Certificate Export Wizard, select Yes to export the private key, then click Next .
The format should default to Personal Information Exchange. Leave the default selections and click Next .
Enter a password for the private key and click Next .
Specify a file location for the certificate file, then click Next .
Finish the export.
If you cannot or prefer not to use a private key, you can use one of the following methods:
Request .cer files for the LDAP server from an LDAP administrator in your organization.
Obtain and extract each certificate in the chain using wget. Contact Support for assistance with this method.
Use the process detailed in Microsoft Documentation at Export trusted client CA certificate chain for client authentication - Azure Application Gateway. See the sections on:
Exporting the server certificate from Personal\Certificates as a base-64 encoded .cer file without private key.
From that exported certificate, extracting all other certificates in its certificate chain as base-64 encoded .cer files without private key.
To install the SSL certificate onto the instance server, follow the steps below:
Copy the exported certificate file (.pfx) from the LDAP server onto the instance server (any directory).
Double-click the file, select Local Machine, then click Next .
Confirm file to import, then click Next .
Enter the password for the private key (set from export process above), then click Next .
Select Place all certificates in the following store, and click Browse.
Select the Trusted Root Certification Authorities certificate store, then click Next .
Finish the import.
Targeting LDAP directories
For each LDAP sub-tree, add a target system (Manage the system > Resources > Target systems):
Type is LDAP Directory Service, listed under "Network Operating Systems" in the drop-down list.
Address uses syntax described in Table 1, “LDAP target address configuration”.
The Administrator ID and Password identify the administrative account that you created earlier (see Configuring a target system administrator).
Be sure to enter a fully qualified name for the administrator ID.
The full list of target parameters is explained in Target system options .
| Option | Description |
|---|---|
| Server | The FQDN, host name, or IP address of the LDAP server. (key: server) |
| Base DN | The top level context. (key: basedn) |
| Port | The port to connect to (default: 389). Use the standard port 636 when SSL is enabled. (key: port) |
| Script file | The filename of a script that sets additional attributes. See LDAP Attribute Scripts to learn how to write this script file. (key: script) |
| Connection over SSL | Enables an SSL connection when connecting to the target system server. Default is "false". (key: ssl) |
| Circumvent certificate validation | Allows an SSL connection to the target system server without validating the SSL certificate first. (key: sslNoCertValidation) |
| Authentication Type | The type of authentication mechanism used by the LDAP server: SIMPLE or NEGOTIATION. (key: authMethod) |
| OUs to list users from | List only those users that exist in one or more containers. See Targeting a specific container or containers for details. (key: accountOUList) |
| OUs to list groups from | List only those groups that exist in one or more containers. See Targeting a specific container or containers for details. (key: groupOUList) |
| OUs to exclude from listing | Exclude certain OUs to further restrict listing. See Targeting a specific container or containers for details. (key: excludeOUList) |
| Persistent list search wait time (in seconds) | The interval, in seconds, that the connector waits between searches for changes in the native target. The default is 7,200 seconds (2 hours). If the value is too small for a large native target, the connector may not retrieve all changes; setting it too small also imposes excess load on related services and drags down system performance. (key: persistentSearchWait) |
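The following Python is an added example, not the connector's own parser: it parses a target address written in the key=value syntax this section describes, applies the defaults from the option table, and reports the settings a security reviewer would flag (plaintext LDAP, certificate validation switched off). It assumes the address is tokenized on ";" and that a token whose left-hand side is not a documented key continues the preceding OU-list key; that is how OU DNs, which themselves contain "=", are told apart from keys. The sample addresses are constructed.

```python
"""Parse and audit a Bravura Security Fabric LDAP target address string.

Added example, not the connector's own code. Assumptions: the address is a
';'-separated list of key=value tokens inside braces, key names are compared
case-insensitively, and a token whose left-hand side is not a documented key
continues the preceding OU-list key.
"""
from __future__ import annotations

KNOWN_KEYS = {
    "server", "basedn", "port", "script", "ssl", "sslNoCertValidation",
    "authMethod", "accountOUList", "groupOUList", "excludeOUList",
    "persistentSearchWait",
}
LIST_KEYS = {"accountOUList", "groupOUList", "excludeOUList"}
_KEY_BY_LOWER = {k.lower(): k for k in KNOWN_KEYS}


def tokenize(address: str) -> dict[str, list[str]]:
    """Split the braced address into {key: [values...]}; OU-list keys may carry several values."""
    body = address.strip()
    if body.startswith("{") and body.endswith("}"):
        body = body[1:-1]
    raw: dict[str, list[str]] = {}
    current: str | None = None
    for token in body.split(";"):
        token = token.strip()
        if not token:
            continue
        lhs, sep, rhs = token.partition("=")
        key = _KEY_BY_LOWER.get(lhs.strip().lower()) if sep else None
        if key is not None:
            current = key
            raw.setdefault(key, [])
            if rhs.strip():
                raw[key].append(rhs.strip())
        elif current in LIST_KEYS:
            raw[current].append(token)      # another OU DN for the open list key
        else:
            raise ValueError(f"unexpected token {token!r} in target address")
    return raw


def _flag(raw: dict[str, list[str]], key: str, default: bool = False) -> bool:
    if not raw.get(key):
        return default
    value = raw[key][0].lower()
    if value not in ("true", "false"):
        raise ValueError(f"{key} must be true or false, got {raw[key][0]!r}")
    return value == "true"


def parse_address(address: str) -> dict:
    """Return the target settings with the defaults from the option table applied."""
    raw = tokenize(address)
    for required in ("server", "basedn"):
        if not raw.get(required):
            raise ValueError(f"{required} is required")
    auth = raw["authMethod"][0].upper() if raw.get("authMethod") else None
    if auth not in (None, "SIMPLE", "NEGOTIATION"):
        raise ValueError(f"unknown authMethod {auth!r}")
    target = {
        "server": raw["server"][0],
        "basedn": raw["basedn"][0],
        "port": int(raw["port"][0]) if raw.get("port") else 389,
        "script": raw["script"][0] if raw.get("script") else None,
        "ssl": _flag(raw, "ssl"),
        "sslNoCertValidation": _flag(raw, "sslNoCertValidation"),
        "authMethod": auth,
        "persistentSearchWait": int(raw["persistentSearchWait"][0]) if raw.get("persistentSearchWait") else 7200,
    }
    for key in LIST_KEYS:
        values = raw.get(key, [])
        # include:<file> names a KVGROUP file in the instance's script directory
        if len(values) == 1 and values[0].startswith("include:"):
            target[key] = {"include": values[0][len("include:"):]}
        else:
            target[key] = values
    return target


def audit(target: dict) -> list[str]:
    """Findings a reviewer would raise before this target is used in production."""
    findings = []
    if not target["ssl"]:
        findings.append("ssl=false: bind credentials and new passwords cross the network in plaintext; enable SSL on the LDAP server")
    elif target["port"] == 389:
        findings.append("ssl=true on port 389: LDAPS normally uses port 636")
    if target["sslNoCertValidation"]:
        findings.append("sslNoCertValidation=true: server certificate is not validated; acceptable only while troubleshooting")
    return findings


def rejects(address: str) -> bool:
    """True if parse_address refuses the address (exercises the error path)."""
    try:
        parse_address(address)
    except ValueError:
        return True
    return False


# Constructed sample addresses (not taken from any real deployment)
LDAPS_ADDRESS = (
    "{server=ldap1.example.com;basedn=dc=example,dc=com;port=636;ssl=true;"
    "sslNoCertValidation=true;authMethod=SIMPLE;"
    "accountOUList=OU=people,OU=it,DC=example,DC=com;OU=people,OU=hr,DC=example,DC=com;"
    "excludeOUList=include:exclude_ous.txt;persistentSearchWait=3600;}"
)
PLAINTEXT_ADDRESS = "{server=10.0.0.5;basedn=o=example;}"

if __name__ == "__main__":
    for addr in (LDAPS_ADDRESS, PLAINTEXT_ADDRESS):
        settings = parse_address(addr)
        print(settings)
        for finding in audit(settings):
            print("  WARNING:", finding)
```

The audit is deliberately conservative: an address that binds without SSL, or with certificate validation disabled, is reported every time it is parsed so that a troubleshooting setting does not quietly survive into production.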
The LDAP target system address syntax is as follows:

```
{server=(<FQDN or host name> | <IP address>);
basedn=<OU>;
[port=<port number>;]
[script=<script file name>;]
[ssl=<true|false>;]
[sslNoCertValidation=<true|false>;]
[authMethod=<SIMPLE|NEGOTIATION>;]
[accountOUList=<OU>;<OU>;... | include:<file name>;]
[groupOUList=<OU>;<OU>;... | include:<file name>;]
[excludeOUList=<OU>;<OU>;... | include:<file name>;]
[persistentSearchWait=<seconds>;]
}
```

Targeting a specific container or containers
You can restrict Bravura Security Fabric to list only those user and group objects that exist in one or more named containers; for example, if your LDAP Directory Service server is divided into organizational units. To do this, on the Target system address configuration page, specify:
OUs to list users from
OUs to list groups from
These fields allow multiple values. To enter multiple values, select List from the drop-down list box in front of the field, and use the More button to add an input box for each additional value. The value in each input box is treated as a single value, for example:
CN=myusers,DC=example,DC=com
*,OU=Groups,DC=example,DC=com
OU=people,OU=hr,DC=example,DC=com
You can also exclude OUs to further restrict the listing of users. This option will remove all users and groups that match the OU listed. To do this, specify:
OUs to exclude from listing
When the exclude OUs option and any of the list OUs options are used together, the listing process will list OUs first and then remove objects that match the exclude criteria.
If there are many OUs to list, there is an option to include all OUs in a file. To use the file, select the File option from the drop-down list and specify file name in the field.
These files must be located in the <Program Files path>\Bravura Security\Bravura Security Fabric\<instance>\script\ directory and contain a list of OUs to list or exclude users from. The lists cannot be combined into one file; each must be a separate file.
For listing users from OUs:

```
# KVGROUP-V2.0
listOUs = {
"OU=people,OU=it,DC=example,DC=com";
"OU=people,OU=hr,DC=example,DC=com";
}
```

For listing groups from OUs:

```
# KVGROUP-V2.0
listGroupOUs = {
"OU=Groups,OU=it,DC=example,DC=com";
"OU=Groups,OU=hr,DC=example,DC=com";
}
```

For excluding OUs:

```
# KVGROUP-V2.0
excludeOUs = {
"OU=disabled,OU=it,DC=example,DC=com";
"OU=disabled,OU=hr,DC=example,DC=com";
}
```

The connector will not list any OU if an OU file is empty.
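The following Python is an added example, not the connector's own code: it parses OU files in the KVGROUP-V2.0 layout shown above and applies the listing rules of this section (include lists are evaluated first, exclude matches are then removed, and an empty OU file lists nothing). The container-matching rule is an assumption for the example: a pattern without a wildcard matches objects directly inside that container, and a pattern starting with "*," matches objects at any depth beneath it. The DNs and file contents are constructed.

```python
"""Resolve which directory objects would be listed for a given set of
accountOUList/groupOUList include files and an excludeOUList file.

Added example, not the connector's own code. Assumptions: a KVGROUP-V2.0 OU
file holds one quoted DN per line inside a braced group; a container pattern
without a wildcard matches objects directly inside that container, and a
pattern starting with "*," matches objects at any depth beneath it; DNs are
compared RDN by RDN, case-insensitively, with no handling of escaped commas.
"""
from __future__ import annotations


def parse_kvgroup_ou_file(text: str) -> dict[str, list[str]]:
    """Parse the OU list file format into {group name: [DN, ...]}."""
    groups: dict[str, list[str]] = {}
    current: str | None = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):      # "# KVGROUP-V2.0" header and comments
            continue
        if line.endswith("{"):                    # e.g. 'listOUs = {'
            current = line[:-1].strip().rstrip("=").strip()
            groups[current] = []
        elif line == "}":
            current = None
        elif current is not None:
            groups[current].append(line.rstrip(";").strip().strip('"'))
        else:
            raise ValueError(f"value outside of a group: {line!r}")
    return groups


def _rdns(dn: str) -> list[str]:
    """Split a DN into normalised RDNs, leaf first (assumption: no escaped commas)."""
    return [part.strip().lower() for part in dn.split(",") if part.strip()]


def matches_container(object_dn: str, pattern: str) -> bool:
    obj, pat = _rdns(object_dn), _rdns(pattern)
    if pat and pat[0] == "*":                     # wildcard: anywhere beneath the container
        suffix = pat[1:]
        return len(obj) > len(suffix) and obj[-len(suffix):] == suffix
    return obj[1:] == pat                         # exact: direct child of the container


def select_objects(object_dns, list_ous=None, exclude_ous=()):
    """Apply the listing rules: include lists first, then remove exclude matches.

    list_ous=None means the list option is not set (every object is a candidate);
    an empty list means the OU file was empty, so nothing is listed.
    """
    if list_ous is None:
        listed = list(object_dns)
    else:
        listed = [dn for dn in object_dns
                  if any(matches_container(dn, p) for p in list_ous)]
    return [dn for dn in listed
            if not any(matches_container(dn, p) for p in exclude_ous)]


# Constructed sample files and objects (not from a real directory)
SAMPLE_LIST_FILE = """# KVGROUP-V2.0
listOUs = {
"OU=people,OU=it,DC=example,DC=com";
"*,OU=people,OU=hr,DC=example,DC=com";
}
"""
SAMPLE_EXCLUDE_FILE = """# KVGROUP-V2.0
excludeOUs = {
"OU=disabled,OU=people,OU=hr,DC=example,DC=com";
}
"""
SAMPLE_USERS = [
    "CN=alice,OU=people,OU=it,DC=example,DC=com",                 # direct child: listed
    "CN=bob,OU=contractors,OU=people,OU=it,DC=example,DC=com",    # nested, no wildcard: skipped
    "CN=carol,OU=people,OU=hr,DC=example,DC=com",                 # under wildcard: listed
    "CN=dave,OU=interns,OU=people,OU=hr,DC=example,DC=com",       # nested under wildcard: listed
    "CN=erin,OU=disabled,OU=people,OU=hr,DC=example,DC=com",      # listed, then excluded
    "CN=frank,OU=people,OU=sales,DC=example,DC=com",              # no include match: skipped
]

if __name__ == "__main__":
    include = parse_kvgroup_ou_file(SAMPLE_LIST_FILE)["listOUs"]
    exclude = parse_kvgroup_ou_file(SAMPLE_EXCLUDE_FILE)["excludeOUs"]
    for dn in select_objects(SAMPLE_USERS, include, exclude):
        print(dn)
```

Running the block on the constructed data lists alice, carol and dave only: bob sits one level below an exact-match container, frank is outside every include, and erin is removed by the exclude file after being matched by the wildcard include.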
Creating a template account
Use the following procedure to create a user account in an LDAP server or domain. See your LDAP system administrator or LDAP documentation for more information.
To create a template LDAP user account:
From a Windows workstation, log into Netscape Console by selecting Start > Programs > Netscape Server Products > Netscape Console.
Select the Users and Groups tab.
Select New User from the drop-down list at the bottom right section of the Netscape Console dialog box.
Click Create to display the dialog box.
Select an appropriate organizational unit (for example, Users or People) and click OK to display the dialog box.
Type the new user’s details in the appropriate fields.
Select the Licenses tab.
Click the appropriate checkboxes to allow the user access to Netscape products.
Click OK.
Handling account attributes
This section describes the attributes that Bravura Security Fabric uses to compose values, set flags, or control behavior in LDAP Directory Service. For information about the native LDAP Directory Service attributes managed by Bravura Security Fabric, consult your LDAP Directory Service documentation.
_firstpartofcn: The pseudo-attribute _firstpartofcn determines the new user’s common name (cn) in LDAP.
_groups: A multi-valued pseudo-attribute that determines a user’s group membership. The attribute value is the group’s DN (Distinguished Name).
By default, Bravura Security Fabric uses the group’s uniqueMember attribute as the attribute that holds its members. You can specify an alternate value in the LDAP attribute script file.
manager: By default, this is mapped to the ORGCHART_MANAGER profile attribute. Bravura Security Fabric can use this account attribute to build and maintain the OrgChart.
Learn more about writing an LDAP attribute script file.
Allowing users to specify the container DN
You can configure Bravura Security Fabric to use a profile/request attribute to prompt users for the destination container when creating or moving accounts on a target system that supports contexts.
When the Profile/request attribute to use as the container DN option is configured on the Target system information page, users can:
Set the destination container when creating new accounts.
Users do this by setting the profile/request attribute value in the request form. By default, Bravura Security Fabric creates new accounts in the same container as the template. Without the profile/request attribute, you may need to set up identical templates for each container.
If enabled when setting the target system address, Bravura Security Fabric can also create a container if a non-existing one is specified.
Move existing accounts on the target system to a different container.
Users do this by setting the To container value – which is actually the profile/request attribute, but with a different name – on the move accounts page. Bravura Security Fabric only displays the move operation (the Move button) for users with accounts that can be moved between containers.
To allow users to select a container for a create account or move context operation:
Add a profile attribute to provide a place to prompt the user for this information. To learn how to do this, see Profile and request attributes .
It is recommended that you configure the profile attribute to have a set of restricted values, so that the requester or product administrator can select from a drop-down list.
Ensure that you set read/write permissions for the profile attribute.
To learn how to do this, see Attribute groups .
Provide a group of users the "Move user from one context to another" rule.
To learn how to do this, see Access to user profiles .
Update the Target system information page by typing the name of the profile attribute in the Profile/request attribute to use as the container DN field.
This allows Bravura Security Fabric to use the profile attribute for this purpose.
Managing groups
Note
Added group member support for differing objectClass attributes in Connector Pack 4.5.0.
You can configure Bravura Security Fabric’s workflow engine to manage group membership on LDAP systems. You can also map profile attributes to the _groups pseudo-attribute on the target so that users can select groups when making a request. However, this method is currently incompatible with group management through Bravura Security Fabric’s workflow configuration: changes made with one method are not reflected in the other.
Group membership management for groups of objectClass posixGroup can be performed through Bravura Security Fabric’s workflow configuration.
In environments with multiple object LDAP schemas, group members with differing objectClass attributes may also be added to or removed from LDAP groups. Multiple object classes may be specified within "groups" in the "address" kvgroup in the LDAP attribute script file.
For more information see Account attributes and Groups.
Updating group attributes
Group attributes may be mapped to the _container_dn pseudo-attribute on the LDAP Directory Service server so that users can move a group to a different container (a move contexts operation).
The _container_dn group attribute is mapped to the GROUP_OU resource attribute by default. The group attribute may be overridden to allow for a new container to be specified when updating the group by setting the value for ’Action when updating group’ from ’None’ to ’Set to specified value when mapped profile attribute changes’.
The GROUP_OU resource attribute is then added as a member for the GROUP_INFO_UPDATE resource attribute group. A user may then specify a new container for the group when making a request to update attributes for a group.
Group attributes may also be mapped for an attribute on the LDAP target system such as cn so that users can rename a group id. In this case, a new resource attribute may be added for the custom attribute and added as a member to the GROUP_INFO_UPDATE resource attribute group. A custom cn group attribute is then added for the LDAP Directory Service target and mapped to the resource attribute along with the value for ’Action when updating group’ being set to ’Set to specified value when mapped profile attribute changes’.
A user may then specify a new group id for the group when making a request to update attributes for a group.
Configuring agent behavior
When listing from an LDAP Directory Service target that supports paging, agtldap uses a default page size of 500. This page size must either be equal to or less than the size limit that is defined on the LDAP server. If the page size is greater than the size limit on the LDAP server, agtldap does not use paging.
Paging enables a specified number of users to be listed "per page" rather than at the same time. This feature allows clients connecting to the LDAP server to get around restrictions limiting the number of users that can be returned from a query. A paged search is generally faster than a non-paged search.
To change the page size used by agtldap, modify the address section of the sample agtldap configuration file to include the following key:

```
"" "" = {
"address" "" = {
...
"pageSize" = "<int>"
...
}
}
```

where <int> is the page size limit.
Most LDAP servers, such as IBM Directory Server and OpenLDAP, use paging; however, some servers, such as Netscape and SunOne Directory Server, do not. To determine whether your LDAP server supports paging, check whether 1.2.840.113556.1.4.319 is included as a supported control. For details, visit: http://www.ietf.org/rfc/rfc2696.txt .
If your target does not support paging and you find that agtldap does not return a complete list, increase the search size or "lookthrough" limit. Consult your LDAP administrator or documentation for more information.
LDAP referrals
Bravura Pass supports referrals to other LDAP Directory Service servers. This allows external programs, such as ldapacct, to access organizational units (OU) on multiple LDAP Directory Service servers from a single Bravura Pass target. For example, a referral can be set up on server ldap1 to an OU, myou, on server ldap2, so that Bravura Pass can access myou without access to other OUs on ldap2.
The directory structure for the DN on the server pointing to the LDAP referral must be the same as the referral DN. For example, if the address for the LDAP referral is:
ldap://ldap2.example.com:389/ou=myou,dc=example,dc=com
the server that is pointing to it must also end in dc=example,dc=com .
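The following Python is an added example, not part of the product: it parses an LDAP referral URL of the form shown above into host, port and DN, and checks the consistency rule this section states, namely that the referral DN must end in the same suffix as the base DN of the server holding the referral. Treating "must end in" as "the referral DN sits under the referring server's base DN" is an assumption for the example, as is comparing RDNs case-insensitively without escaped-comma handling. The URLs are constructed.

```python
"""Check that an LDAP referral's DN is consistent with the referring server's base DN.

Added example, not the product's code. Assumptions: the referral DN must end
with the referring server's base DN; RDNs are compared case-insensitively
and escaped commas are not handled.
"""
from __future__ import annotations
from urllib.parse import urlsplit, unquote


def parse_ldap_url(url: str) -> dict:
    """Split an LDAP URL into scheme, host, port and base DN.

    Anything after '?' (attributes, scope, filter) is ignored; the port
    defaults to 389 for ldap:// and 636 for ldaps://.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URL: {url!r}")
    if not parts.hostname:
        raise ValueError(f"LDAP URL without a host: {url!r}")
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    dn = unquote(parts.path[1:] if parts.path.startswith("/") else parts.path)
    return {"scheme": parts.scheme, "host": parts.hostname, "port": port, "dn": dn}


def _rdns(dn: str) -> list[str]:
    """Normalised RDN list, leaf first (assumption: no escaped commas)."""
    return [part.strip().lower() for part in dn.split(",") if part.strip()]


def referral_is_consistent(referral_url: str, referring_base_dn: str) -> bool:
    """True when the referral DN ends with the referring server's base DN."""
    ref = _rdns(parse_ldap_url(referral_url)["dn"])
    base = _rdns(referring_base_dn)
    return len(ref) >= len(base) and ref[-len(base):] == base


# Constructed sample referral and base DN, mirroring the layout in the text
SAMPLE_REFERRAL = "ldap://ldap2.example.com:389/ou=myou,dc=example,dc=com"
SAMPLE_BASE_DN = "dc=example,dc=com"

if __name__ == "__main__":
    print(parse_ldap_url(SAMPLE_REFERRAL))
    print("consistent:", referral_is_consistent(SAMPLE_REFERRAL, SAMPLE_BASE_DN))
```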
Troubleshooting
Errors
If you experience any errors, verify that:
You can log into the LDAP directory server from the Bravura Security Fabric server and from any LDAP client software using the administrator ID and password you created.
You can reset user passwords with any LDAP directory management software.
Some flavors of LDAP can have difficulty creating user IDs that include special characters.
If the LDAP password agent reports one of the following error messages:
Can’t connect to LDAP server: the possible reasons for this error are:
Invalid server address: check the address you defined, using the rules set out above.
Invalid server port: check the address you defined, using the rules set out above.
The hostname of the LDAP server is not resolving on the Bravura Security Fabric server. This is likely a DNS problem, and you can bypass it by using an IP address for the LDAP server, rather than its name.
No such object: the administrator or user ID cannot be found on the server. Make sure that the administrator login ID is a fully qualified LDAP name and that the context in the server address is correct.
Invalid credentials: the administrator’s (or user’s) password is wrong.
Listing accounts
The agtldap program, which runs during auto discovery to automatically discover LDAP accounts, may be limited by the LDAP server configuration.
If your target system does not support paging and you find that agtldap does not return a complete list, increase the search size or "lookthrough" limit. Consult your LDAP administrator or documentation for more information.
Most LDAP servers, such as IBM Directory Server and OpenLDAP, use paging; however, some servers, such as Netscape and Sun One Directory Server, do not. To determine whether your LDAP server supports paging, check whether 1.2.840.113556.1.4.319 is included as a supported control. For details, visit: http://www.ietf.org/rfc/rfc2696.txt .
Creating groups
Some LDAP schemas, such as OpenLDAP, require that a groupOfUniqueNames MUST have a uniqueMember (RFC2256). This means that it is mandatory for all groups to contain at least one member.
By default, when creating a group, Bravura Security Fabric does not enforce this rule. To enable group creation in LDAP schemas that require a uniqueMember, create the following registry entry:
Entry name: ldapDefaultUniqueMember
Value: name of unique member
Data type: REG_SZ
in this key:
HKLM\SOFTWARE\Bravura Security\Bravura Security Fabric\<instance>\
If this entry is present, the uniqueMember attribute is set to the string value when a group is created in Bravura Identity. This value does not have to be a real user.
SSL certificates
When connecting or binding over SSL, the following error in the logs may indicate an SSL certificate issue:
Failed to bind to server [Server Down]
To identify the cause of this error:
Open the Windows event viewer and navigate to Windows Logs > System.
Confirm that SCHANNEL logging has been enabled. For more information, see Windows documentation on enabling and configuring SCHANNEL logging.
Look for recent Schannel errors. For example, a common error is:
The certificate received from the remote server was issued by an untrusted certificate authority. Because of this, none of the data contained in the certificate can be validated. The SSL connection request has failed. The attached data contains the server certificate.
This error indicates the certificate was not loaded as a trusted root certificate.
You can also try disabling certificate validation via the address option sslNoCertValidation. If the bind succeeds with validation disabled (sslNoCertValidation set to true), the server certificate is not trusted by the instance server.
Note
Set sslNoCertValidation to true only for troubleshooting purposes; with validation disabled the connection does not provide strong security.
