...
Active Directory™ (AD)
is a Microsoft-proprietary distributed directory service, accessed over LDAP, that stores user and group information. NetMRI can authenticate user accounts by verifying user names and passwords against an Active Directory server. It can also use the AD authentication service to query the domain controller for the user's group memberships, match the returned group names against the remote group names configured in the authentication service properties, and grant the user the NetMRI administrative roles and device-group privileges assigned to those remote groups.
The Active Directory schema for User and Group entries is fixed, so NetMRI needs no search base or attribute names; you only specify the domain of the AD server along with the server's host name or IP address.
Active Directory Service Configuration
...
- Click the Servers tab.
- Click Add to add Active Directory servers to the service. The Add Authentication Server dialog opens.
- Enter the Host/IP Address.
- Choose the Encryption type: None or SSL. (See Using a Certificate File for an LDAP or AD Service.) If you select SSL, the Authentication Port field changes automatically to the SSL port.
- If using SSL, choose the certificate from the Certificate drop-down list. (The certificate can be loaded into NetMRI from the server that issued it.)
Note: When configuring Active Directory authentication with SSL encryption, the Server Name or IP address field in the Add Active Directory Server dialog must contain a fully qualified domain name (FQDN), not a bare IP address.
- Choose the Priority for the new server. The priority value determines the order in which NetMRI queries the servers in the service.
- If necessary, enter the Port value. The default TCP port for AD over SSL (LDAPS) is 636; unencrypted LDAP uses 389.
- Click Save to save your configuration.
- Click Cancel to close the dialog.
...
Note: Many LDAP services do not allow a Bind User DN and Bind Password to be used and require anonymous authentication for LDAP queries.
- Click Save.
- If desired, click Disable service (disables the service completely but does not change or delete any of its settings) or Disable authorization (stops the service from performing group searches but still allows basic authentication of user accounts against the LDAP server).
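The group-matching step described at the top of this page, together with the effect of the Disable authorization option, as an added example in Python (this is not NetMRI's own code). It also parses a connection-test transcript in the format shown under Using a Certificate File for an LDAP or AD Service and flags tests that ran without SSL or without a certificate. ROLE_MAP, the role names, the function names and the two sample transcripts are constructed for the example; that a user whose groups match no configured group receives no roles is an assumption about NetMRI's behaviour, not something this page states.

```python
"""
Added example, not NetMRI code: reproduce the authorization step NetMRI
performs after the directory bind (match the user's remote groups against
the remote groups assigned to local roles) and parse a NetMRI-style
authentication-test transcript for the address, port, certPath and groups.
"""
import re

# Hypothetical mapping of remote (AD/LDAP) group name -> local NetMRI roles.
# NetMRI keeps this in the authentication service properties; the role
# names below are illustrative only.
ROLE_MAP = {
    "administrators": {"Admin"},
    "netops": {"Network Operator"},
    "dev": {"Read Only"},
}

CONN_RE = re.compile(
    r"LDAP connection:.*?address='(?P<addr>[^']*)'"
    r".*?port='(?P<port>[^']*)'.*?certPath='(?P<cert>[^']*)'"
)
GROUPS_RE = re.compile(r"Groups:\s*\[(.*)\]")


def group_cn(value):
    """Reduce a group reference to its name.

    AD returns memberOf values as DNs ('CN=dev,OU=Groups,DC=corp100,DC=com');
    a bare name ('dev') is returned unchanged. Escaped commas in the CN are
    not handled.
    """
    m = re.match(r"\s*cn=([^,]+)", value, re.IGNORECASE)
    return (m.group(1) if m else value).strip()


def authorize(groups, role_map=ROLE_MAP, authorization_enabled=True):
    """Return the set of local roles granted for the user's remote groups.

    Names are compared case-insensitively (AD group names are not case
    sensitive). Groups that match nothing grant nothing, so an unknown user
    ends up with an empty set (assumed behaviour). With authorization
    disabled ('Disable authorization') no group search is done at all, so
    no roles are granted here; the bind alone decided the login.
    """
    if not authorization_enabled:
        return set()
    lookup = {name.lower(): set(roles) for name, roles in role_map.items()}
    granted = set()
    for g in groups:
        granted |= lookup.get(group_cn(g).lower(), set())
    return granted


def parse_test_output(lines):
    """Pull the fields of interest out of an authentication-test transcript."""
    info = {"address": "", "port": "", "cert_path": "", "groups": [],
            "bind_ok": False}
    for line in lines:
        m = CONN_RE.search(line)
        if m:
            info["address"] = m.group("addr")
            info["port"] = m.group("port")
            info["cert_path"] = m.group("cert")
        m = GROUPS_RE.search(line)
        if m:
            info["groups"] = [g.strip().strip("'\"")
                              for g in m.group(1).split(",") if g.strip()]
        if "Authentication successful." in line:
            info["bind_ok"] = True
    return info


def transport_warnings(info):
    """Flag transcripts in which credentials crossed the wire unprotected."""
    warnings = []
    if not info["address"].startswith("ldaps://"):
        warnings.append("plain ldap:// connection: simple-bind passwords "
                        "are sent in the clear")
    if not info["cert_path"]:
        warnings.append("certPath is blank: no certificate is in use "
                        "(Encryption set to None)")
    return warnings


# Constructed transcripts modelled on the test output shown on this page.
SSL_TRANSCRIPT = [
    "2015-05-01 17:41:59 +++ LDAP connection: username='jsmith', "
    "address='ldaps://172.16.23.2', port='636', "
    "certPath='/var/local/netmri/certs/ca_repo/1430516467.501615.pem', "
    "version ='', timeout='5' +++",
    "2015-05-01 17:41:59 Anonymous bind",
    "2015-05-01 17:41:59 Authentication successful.",
    "2015-05-01 17:41:59 Groups: ['administrators', 'dev']",
]
PLAIN_TRANSCRIPT = [
    "2015-05-01 17:41:59 +++ LDAP connection: username='jsmith', "
    "address='ldap://172.16.23.2', port='389', certPath='', "
    "version ='', timeout='5' +++",
    "2015-05-01 17:41:59 Authentication successful.",
    "2015-05-01 17:41:59 Groups: []",
]

if __name__ == "__main__":
    for name, transcript in (("ssl", SSL_TRANSCRIPT), ("plain", PLAIN_TRANSCRIPT)):
        info = parse_test_output(transcript)
        print(name, info["address"], info["port"], info["cert_path"] or "(blank)")
        print("  roles:", sorted(authorize(info["groups"])) or "none")
        for w in transport_warnings(info):
            print("  WARNING:", w)
```

Run as a script it prints the roles granted for the SSL transcript (Admin and Read Only) and two warnings for the plain-LDAP one. The point of transport_warnings is the one a reviewer of a NetMRI auth test should check first: a blank certPath or an ldap:// address means the bind password and every user's password travel unencrypted between the appliance and the directory.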
...
Using a Certificate File for an LDAP or AD Service
NetMRI-to-LDAP (or Active Directory) server connections can use an SSL certificate loaded into NetMRI from a .PEM file. (See the section NetMRI Security Settings for the process of adding SSL certificates to NetMRI.) Once loaded, the certificate appears in the authentication server's Certificate drop-down menu, and the connection test reports the certificate path it used. An LDAP connection test shows the following:
Username: ****** Password: ******
Process Started
2015-05-01 17:41:59 ------------------------------------------------------
2015-05-01 17:41:59 +++ BEGIN testing access to authentication servers +++
2015-05-01 17:41:59 +++ LDAP connection: username='jsmith', address='ldaps://172.16.23.2', port='636', certPath='/var/local/netmri/certs/ca_repo/1430516467.501615.pem', version ='', timeout='5' +++
2015-05-01 17:41:59 Anonymous bind
2015-05-01 17:41:59 Authentication successful.
2015-05-01 17:41:59 Authenticate user 'cn=jsmith,ou=People,dc=corp100,dc=com' with 'inet6 => Y'...
2015-05-01 17:41:59 Authentication successful.
2015-05-01 17:41:59 Groups: ['administrators', 'dev']
2015-05-01 17:41:59 +++END testing access to authentication servers+++
2015-05-01 17:41:59 ------------------------------------------------------
Authentication Test Completed
If you set the Encryption menu to None, the Certificate option remains unavailable and authentication tests show a blank certPath value in the test output.
Server Authentication: Anonymous vs. Authenticated
If anonymous access is not permitted by policy, or if the directory requires an account in order to search for users and groups, enter the Bind User DN (Distinguished Name) and Bind Password provisioned for NetMRI. NetMRI then authenticates itself to the directory before looking up users, which adds another level of control between NetMRI and the servers that make up the LDAP service. Use a dedicated, read-only directory account for the bind DN rather than an administrative account: the credentials are stored on the appliance and only need to read user and group entries.
An anonymous bind takes place as follows:
2015-05-01 17:41:59 Anonymous bind
2015-05-01 17:41:59 Authentication successful.
An authenticated bind, using the correct Bind User DN and Bind Password appears as follows:
2015-05-01 18:23:06 Authenticate 'cn=root,dc=infoblox,dc=com'
2015-05-01 18:23:06 Authentication successful.
Authenticating Users using RADIUS
RADIUS (Remote Authentication Dial-In User Service) provides authentication, authorization, and accounting (AAA) functions over a client-server protocol between the RADIUS clients and a dedicated server. NetMRI directly supports authentication and authorization using FreeRADIUS; other widely used RADIUS implementations include GNU RADIUS and Microsoft IAS. RADIUS centralizes all user authentication in a single database. After users are verified, they have access to any NetMRI administrative function permitted for their account.
RADIUS Service Configuration
...
Subsequent login attempts are authenticated using the defined authentication servers (except for the admin user account).