NetMRI uses internal and external authentication systems to control user authentication for performing all administrative tasks. For a simple rollout, you can use the NetMRI local authentication database, which is called the local authentication service, where all user accounts and login information are contained within the appliance. You can also link NetMRI to an external Active Directory, RADIUS, TACACS+, LDAP, SAML, or OCSP authentication server or server group in the enterprise network to perform user authentication and authorization for NetMRI tasks, using the same user roles and privileges defined on the local NetMRI system. Doing so requires creating new authentication services in NetMRI.

...

  1. Go to the Settings icon > General Settings section > Authentication Services page.
  2. Enter the Name and Description.
  3. Set the Priority and Timeout of the LDAP service.
  4. Choose LDAP as the Service Type. The Service Specific Information pane updates to show the required LDAP settings.
  5. Enter the Base DN value for the new LDAP service (example: ou=management, dc=corp100, dc=com). Users' definitions may be split between two or more Base DNs, so be aware of how the directory service is structured.
  6. Enter the User Attribute. This will typically be cn for 'common name,' which is one of the components of the LDAP Distinguished Name attribute.
  7. Enter the Group Attribute, which will typically be specified as memberOf for NetMRI. This defines the group membership in the LDAP tree for individual user accounts in LDAP. NetMRI uses this attribute to retrieve the name of the LDAP group to which each user belongs. The LDAP group will be mapped to a NetMRI user group (see the Remote Groups tab).
    Example:
      ldapsearch -x -LLL -H ldap:/// -b uid=myuser,ou=people,dc=qanet,dc=local dn memberof
      dn: uid=myuser,ou=people,dc=qanet,dc=local
      memberof: cn=mygroup,ou=groups,dc=qanet,dc=local
    You must use the memberOf overlay, or an overlay with equivalent behavior, to define the membership.
  8. Choose the Search Level, which determines how far the LDAP service searches in the directory tree. The Subtree value is the default and can be retained for most applications. Other options are as follows:
    • One Level: Searches the directory entries immediately below the base object.
    • Base: Searches only the base object.
    • Subtree: Searches the whole directory tree below and including the base object. This is the default.
  9. Choose the Authentication, which can be either Anonymous or Authenticated. For more information, see the Anonymous vs. Authenticated Server Authentication topic on this page.
    1. If the setting is Authenticated, enter the Bind User DN (this is a core value defined on the LDAP server).
    2. Enter the Bind Password, which is associated with the Bind user for the server.
      Many LDAP services may not allow the use of the Bind User DN and Bind Password values, requiring the use of anonymous authentication for LDAP queries.
  10. Click Save.
  11. If desired, click Disable service (this completely disables the service but does not change or delete any settings) or Disable authorization (this disables the new service from performing any group searches but allows basic authentication of user accounts from the LDAP server).
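Added example (not NetMRI or Infoblox code): a small Python model of how the Base DN, User Attribute, Group Attribute and Search Level settings from steps 5 through 8 select a user entry and its memberOf groups, run against a constructed in-memory directory instead of a live LDAP server. The sample entries, the simplified DN parser and the depth-based scope check are assumptions made for the illustration.

```python
from typing import Dict, List, Optional

# Constructed sample directory (not a live server): DN -> attributes (value lists).
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "ou=people,dc=qanet,dc=local": {"objectClass": ["organizationalUnit"]},
    "uid=myuser,ou=people,dc=qanet,dc=local": {
        "cn": ["myuser"], "memberOf": ["cn=mygroup,ou=groups,dc=qanet,dc=local"]},
    # Two levels below the base: found by Subtree, missed by One Level.
    "cn=contractor1,ou=external,ou=people,dc=qanet,dc=local": {
        "cn": ["contractor1"], "memberOf": ["cn=readonly,ou=groups,dc=qanet,dc=local"]},
}

def parse_dn(dn: str) -> List[str]:
    """Split a DN into RDNs, lower-cased and stripped, so the spaced form used in the
    doc ('ou=management, dc=corp100, dc=com') compares equal to the unspaced form.
    Escaped commas inside values are not handled by this simplified parser."""
    return [rdn.strip().lower() for rdn in dn.split(",")]

def in_scope(entry_dn: str, base_dn: str, search_level: str) -> bool:
    """Apply the Search Level setting: Base, One Level or Subtree."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    if len(entry) < len(base) or entry[-len(base):] != base:
        return False  # not under the Base DN at all
    depth = len(entry) - len(base)
    if search_level == "Base":
        return depth == 0
    if search_level == "One Level":
        return depth == 1
    if search_level == "Subtree":
        return True
    raise ValueError(f"unknown search level: {search_level}")

def get_attr(attrs: Dict[str, List[str]], name: str) -> List[str]:
    """LDAP attribute names are case-insensitive (memberOf == memberof)."""
    return next((v for k, v in attrs.items() if k.lower() == name.lower()), [])

def find_user_groups(username: str, base_dn: str, user_attr: str = "cn",
                     group_attr: str = "memberOf",
                     search_level: str = "Subtree") -> Optional[List[str]]:
    """Return the group names (CN of each group DN) for the first in-scope entry
    whose User Attribute matches, or None when nothing is found in scope."""
    for dn, attrs in DIRECTORY.items():
        if not in_scope(dn, base_dn, search_level):
            continue
        if username.lower() in [v.lower() for v in get_attr(attrs, user_attr)]:
            # NetMRI maps these names to its own groups on the Remote Groups tab.
            return [parse_dn(g)[0].split("=", 1)[1] for g in get_attr(attrs, group_attr)]
    return None
```

A user whose entry sits two levels under the Base DN (contractor1 above) is found with Subtree but not with One Level, which is the kind of mismatch to check when a login succeeds on the directory but NetMRI reports no groups; the model searches a single Base DN only, so directories that split users across several Base DNs (step 5) need one service per base.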

...

NetMRI SAML Attribute Key | SAML Attribute Value | Description | Example
--- | --- | --- | ---
uid | username | User name as specified in the IDP user record. | jdoe
urn:oid:1.2.840.113549.1.9.1 or mail | mail | The person's email ID in the IDP user record. | jdoe@example.com
urn:oid:2.5.4.42 or givenName | givenName | Given name (first name) as specified in the IDP user record. | john
urn:oid:2.5.4.4 or surname | surname | Surname (last name) as specified in the IDP user record. | doe
Group Attribute | Custom group attribute | User's relation to the organization or group. | memberOf, eduPersonAffiliation


To configure a NetMRI SAML authentication service, complete the following:

...