IMC Operator authentication with LDAP over SSL

IMC operators can be authenticated by an external authentication server (RADIUS or LDAP).

In combination with an Active Directory, the LDAP method is easy, since it does not require a RADIUS server or any RADIUS server configuration.

While LDAP is easy, basic authentication uses a simple LDAP bind, which sends the password in clear text. Therefore it is recommended to enable LDAP over SSL for operator authentication.

In this post I will show the steps to configure IMC Operator authentication using LDAP over SSL.

The configuration is split into two sections:

  1. Configure and verify IMC operator authentication with basic LDAP
  2. Enable LDAP over SSL

Part 1: IMC operator authentication with basic LDAP

This section will cover the following steps:

  • AD: define an IMC account
  • IMC: configure the authentication server
  • AD: define a test operator
  • IMC: define a test operator
  • IMC: verify the test operator
  • Network trace: verify the basic LDAP authentication

AD: define an IMC account

When IMC needs to authenticate an operator using LDAP, it performs an LDAP bind on the LDAP server using the provided username and password. If the bind succeeds, the password was correct.

In order to perform an LDAP bind, the provided username must be the operator's full DN (like cn=imcadmin,ou=sysadmins,ou=corporate,dc=hpnet,dc=local).

Inside IMC, however, the operator is simply defined with a username (e.g. imcadmin), so IMC still needs to find the full DN of the operator before it can perform the simple LDAP bind to check the password.

To find the full DN of the user, IMC needs an account on the AD, so it can query the AD for a user matching the operator name (e.g. imcadmin). In the LDAP query response, the AD includes the user's full DN.

At this point the IMC server is able to perform the simple LDAP bind on behalf of the operator (using the found full DN) to verify the password.

In the AD, define this account to look up the operator users.

Sample user in the lab:

  • Username: imc-operator-ldap
  • Remember to set the password never expires option.
  • There is no need for the user to be an administrator (the sample user is just a normal user, member of Domain Users only)
  • Take note of the full DN of this user:
    cn=imc-operator-ldap,ou=system,ou=corporate,dc=hpnet,dc=local

The end object is identified with “CN”, the organizational units with “OU”, and the AD domain name is split into “DC” components.


IMC: configure the authentication server

On the IMC server, navigate to System > Operator Management > Authentication Server

Configure the LDAP Server using these settings:

  • Server type: Active Directory
  • Server Address: IP of the DC
  • Server Port: 389 (basic LDAP; LDAP over SSL is configured in part 2)
  • Base DN: the base search level used to query the AD for operators.
    Depending on your domain OU setup, this could be only the OU containing the IMC operators. If the IMC operators are in different OUs spread all over the domain, you may need to set it to the domain scope (as in this example).
    Sample: dc=hpnet,dc=local
  • Admin DN: the account IMC uses to query the AD for the actual operator's full DN. It is the user defined in the previous step and does not need to be an AD administrator.
  • Admin Password: password of this user
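The lookup-then-bind flow described above (bind as the Admin DN, search the Base DN for the operator's sAMAccountName, then simple-bind as the found DN), as an added example that is not IMC's own code. The `FakeAD` directory is a constructed stand-in for the lab DC so the script runs offline; against a real DC you would back `bind()` and `search()` with an LDAP client library. It also shows why the operator name must be escaped before it is placed in the search filter, and that an empty password must be rejected rather than sent as an anonymous bind.

```python
# Added example, not IMC's own code: the lookup-then-bind flow the post
# describes, with a constructed in-memory stand-in for the lab DC.
import re
from typing import Dict, List, Optional, Tuple

def escape_filter(value: str) -> str:
    """RFC 4515 escaping so an operator name cannot change the search filter."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(c, c) for c in value)

def ldap_url(host: str, use_ssl: bool, ca_file: Optional[str] = None) -> str:
    """389 is basic (cleartext) LDAP; 636 is LDAP over SSL (part 2 of the post)."""
    if use_ssl and not ca_file:
        raise ValueError("LDAP over SSL needs the DC's root CA to validate the server cert")
    return f"ldaps://{host}:636" if use_ssl else f"ldap://{host}:389"

class FakeAD:
    """Constructed directory: full DN -> (sAMAccountName, password)."""
    def __init__(self, users: Dict[str, Tuple[str, str]]):
        self.users = users
    def bind(self, dn: str, password: str) -> bool:
        """Simple bind: success means the password for that DN is correct."""
        return dn in self.users and self.users[dn][1] == password
    def search(self, base_dn: str, ldap_filter: str) -> List[str]:
        """Return DNs under base_dn whose sAMAccountName matches the filter."""
        m = re.search(r"\(sAMAccountName=([^)]*)\)", ldap_filter)
        wanted = m.group(1).lower() if m else None
        return [dn for dn, (sam, _) in self.users.items()
                if dn.lower().endswith(base_dn.lower())
                and escape_filter(sam).lower() == wanted]

def authenticate_operator(ad: FakeAD, base_dn: str, admin_dn: str, admin_pw: str,
                          operator: str, password: str) -> Optional[str]:
    """Return the operator's full DN if the password is correct, else None."""
    if not ad.bind(admin_dn, admin_pw):          # step 1: lookup account binds
        raise RuntimeError("Admin DN bind failed: check Admin DN / Admin Password")
    flt = f"(&(objectClass=user)(sAMAccountName={escape_filter(operator)}))"
    found = ad.search(base_dn, flt)              # step 2: resolve name -> full DN
    if len(found) != 1:                          # unknown or ambiguous operator
        return None
    if not password or not ad.bind(found[0], password):  # step 3: bind as operator
        return None                              # empty pw would be an anonymous bind
    return found[0]

# Constructed lab data mirroring the DNs used in the post (passwords are made up).
BASE_DN = "dc=hpnet,dc=local"
ADMIN_DN = "cn=imc-operator-ldap,ou=system,ou=corporate,dc=hpnet,dc=local"
LAB = FakeAD({ADMIN_DN: ("imc-operator-ldap", "Lookup-Pass-1"),
              "cn=imcadmin,ou=sysadmins,ou=corporate,dc=hpnet,dc=local": ("imcadmin", "Operator-Pass-1")})
```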


AD: define a test operator

Once the LDAP server has been configured in IMC, you can define a test operator in the AD.

Sample operator in the lab:

  • username: imcadmin

No other settings were set, so this is a normal AD user.


IMC: define a test operator

IMC cannot authenticate operators based on an AD group membership, so you will need to define the operator object in IMC first, and then specify that it should be authenticated using the LDAP server.

In IMC, navigate to System > Operator Management > Operators

Define a new operator and make sure the operator name is the same as the sAMAccountName of the user defined in the AD. Configure LDAP as the authentication type.


IMC: verify the test operator

Now you can verify the login with the new operator:


Once logged in, the username is shown in the top-right corner and the operator is listed as an online operator.


Network trace: verify the basic LDAP authentication

In the network trace, you can see the login of the IMC admin (lookup) account, which is used to query the AD for the actual operator:


Next comes the actual operator login verification (a simple LDAP bind), which shows the password passing in clear text:


This can be solved by configuring LDAP over SSL.

Part 2: LDAP over SSL configuration

This section will cover the following steps:

  • AD: Verify a server cert on DC
  • AD: Export the root CA as Base64 file
  • IMC: Configure the LDAP server to use SSL
  • IMC: verify the test operator with LDAP SSL
  • Network trace: verify the SSL LDAP authentication


3 Responses to IMC Operator authentication with LDAP over SSL

  1. user says:

    it doesn’t help, please document more details on part 2

  2. zoup says:

    up ?
