IMC operators can be authenticated by an external authentication server (RADIUS or LDAP).
In combination with an Active Directory, the LDAP method is easy, since it does not require a RADIUS server or any RADIUS server configuration.
While LDAP is easy, the basic authentication is using a simple LDAP bind, which is using clear text password authentication. Therefor it is recommended to enable LDAP over SSL for the operator authentication.
In this post I will show the steps to configure IMC Operator authentication using LDAP over SSL.
The configuration is split in 2 sections:
- Configure and verify IMC operator authentication with basic LDAP
- Enable LDAP over SSL
Part 1: IMC operator authentication with basic LDAP
This section will cover the following steps:
- AD: define an IMC account
- IMC: configure the authentication server
- AD: define a test operator
- IMC: define a test operator
- IMC: verify the test operator
- Network trace: verify the basic LDAP authentication
AD: define an IMC account
When IMC needs to authenticate an operator using LDAP, it will perform an LDAP bind on the LDAP server using the provided username and password. If the bind is successful, it means the password was correct.
In order to perform an LDAP bind, the provided username must be the operator full DN (like cn=imcadmin,ou=sysadmins,ou=corporate,dc=hpnet,dc=local).
Inside IMC however, the operator is simply defined with a username (e.g. imcadmin), so IMC still needs to figure out the full DN of the operator before it can perform the simple LDAP bind to check the password.
To find the full DN of the user, IMC will need an account on the AD, so it can actually query the AD for a user matching the operator name (e.g. imcadmin). In the LDAP query response, the AD will include the user full DN.
At this point IMC server will be able to perform the simple LDAP bind on behalf of the operator (using the found full DN) to verify the password.
In the AD, define this account to lookup the operator users.
Sample user in the lab:
- Username: imc-operator-ldap
- Remember to set the password never expires option.
- There is no need for the user to be administrator (sample user is just a normal user, member of domain users only)
- Take note of the full DN of this user:
The end-object is identified with “CN”, the Organizational units with “OU”, the AD domain name is split with “DC”
IMC: configure the authentication server
On the IMC server, navigate to System > Operator Management > Authentication Server
Configure the LDAP Server using these settings:
- Server type: Active Directory
- Server Address: IP of the DC
- Server Port: 389 (basic LDAP, SLDAP will be done in part2)
- Base DN: this is the base search level to query the AD for operators
Based on your domain OU setup, this could be only the OU with the IMC operators. In case the IMC operators are in different OUs, spread all over the domain, you may need to set it to the domain scope (like this example)
- Admin DN: This is the account IMC is using to query the AD for the actual operator full DN. It is the user which was defined in the previous step. This does not need to be an AD administrator.
- Admin Password: password of this user
AD: define a test operator
Once the LDAP server has been configured on the IMC, you can define a test operator on the AD.
Sample operator in the lab:
- username: imcadmin
No other settings were set, so this is a normal AD user.
IMC: define a test operator
IMC cannot authenticate operators based on an AD group membership, so you will need to define the operator object in IMC first, and then specify that it should be authenticated using the LDAP server.
In IMC, navigate to System > Operator Management > Operators
Define a new operator, make sure the operator name is the same as the SAMAccountName of the user defined on the AD. Configure LDAP as the authentication type.
IMC: verify the test operator
Now you can verify the login with the new operator:
Once logged in, the username will be shown in the right-top corner and it will be listed as online operator.
Network trace: verify the basic LDAP authentication
In the network trace, you can see the login of the IMC admin account, in order to query the actual operator login:
Next the actual operator login verification (using a simple LDAP bind), which shows the cleartext password passing:
This can be solved by configuring LDAP over SSL.
Part 2: LDAP over SSL configuration
This section will cover the following steps:
- AD: Verify a server cert on DC
- AD: Export the root CA as Base64 file
- IMC: Configure the LDAP server to use SSL
- IMC: verify the test operator with LDAP SSL
- Network trace: verify the SSL LDAP authentication
it doesn’t help, please documentate more details on part 2
Yes, it seems part 2 got lost somehow, thanks for the notice.
I am a bit busy right now, so this will take a few weeks before I can update…