LDAP/AD and LDAPS Authentication

This topic applies to both Software Logger and the Logger Appliance.

This authentication method authenticates users against an LDAP server. Even when LDAP is enabled, each user account must exist locally on your system. Although the user name specified locally can be different from the one specified on the LDAP server, the Distinguished Name (DN) specified for each user account must match the one in the LDAP server.

Tip: For steps on how to create a user DN, see Creating and Activating Users, and the parameter Use Client DN.”

To set up LDAP authentication:

Click System Admin from the top-level menu bar.
Click Authentication in the Users/Groups section.
Choose the ExternalAuthentication tab.
From the menu, choose LDAP.
Allow Local Password Fallback provides two options:

Allow Local Password Fallback for Default Admin Only

Select this option to allow the default admin user to log in using only a username and password if the client certificate is not available or invalid. This privilege is restricted to the default admin user only—other users must have a valid client certificate to gain access to the system. This option is enabled by default.

Allow Local Password Fallback for All Users

Select this option to allow all users to log in using their local user name and password if LDAP authentication fails. For more information, see Local Password Fallback.

LDAP Server has the following parameters:

Parameter	Description
Server Hostname[:port] (optional)	(Optional) Enter the host name or IP address and port of the LDAP server in the following format: `ldap://<hostname or IP address>:<port>` `ldaps://<hostname or IP address>:<port>` Additional steps are required for the use of LDAPS. See To set up LDAP Over SSL authentication.
Backup Server Hostname[:Port] (optional)	(Optional) Enter the backup LDAP server to use if the primary server does not respond. If the server returns an authentication failure (bad password, unknown username, etc), then the backup server is not tried. The backup server is tried only when the primary server has a communication failure. Use the same format as the primary server to specify the host name and port.
Request Timeout	The length of time, in seconds, to wait for a response from the LDAP server. The default is 10.

Parameter

Description

Server Hostname[:port] (optional)

(Optional) Enter the host name or IP address and port of the LDAP server in the following format:

ldap://<hostname or IP address>:<port>

ldaps://<hostname or IP address>:<port>

Additional steps are required for the use of LDAPS. See To set up LDAP Over SSL authentication.

Backup Server Hostname[:Port] (optional)

(Optional) Enter the backup LDAP server to use if the primary server does not respond. If the server returns an authentication failure (bad password, unknown username, etc), then the backup server is not tried. The backup server is tried only when the primary server has a communication failure.

Use the same format as the primary server to specify the host name and port.

Request Timeout

The length of time, in seconds, to wait for a response from the LDAP server. The default is 10.

When finished, click Save.

To set up LDAP Over SSL authentication:

Verify that an SSL certificate for the LDAPS server has been uploaded into the trusted store. See Uploading Trusted Certificates.
Follow the steps for To set up LDAP authentication:.
Enter the URL for the LDAPS server(s), starting with ldaps://.
From the System Admin System menu, click Process Status.
From the Processes table, select aps.
Click Restart.

Caution: You must restart the aps process, or attempts to authenticate through LDAPS will fail.