LdapEsm

Configuring LdapEsm

The LdapEsm ESM Module uses an LDAP server as its External Security Manager. The LDAP server is primarily used as a repository of security configuration information, including user accounts, user groups, and resource access control rules. It can also be used to validate user credentials; see the discussion of "bind mode" below.

The LdapEsm ESM Module has more configuration options than most, since it must interact with an LDAP server, deal with an arbitrary LDAP directory structure, and support a number of processing options. In general, the LdapEsm tries to use the same options as the native ES MLDAP ESM Module, for features it supports. See the documentation for the MLDAP ESM Module for more information:

Security configuration: Use all groups

LdapEsm is affected by the Use all groups option of the Security Configuration for the region which is using it. In Use-all-groups mode, when a user signs on, the module will search the LDAP directory for group objects that list the user, and add them to the supplemental group list in the ACEE (Access Control Environment Entry). When a resource access request is made, the module will search all of the groups in the ACEE when matching against Access Control List entries.

Security manager connection options

LdapEsm uses the connection options in the security manager configuration, if specified, to connect to the LDAP server:

  • Connection path

    Tells LdapEsm where to find the LDAP server. This can be:

    • Empty, in which case the module uses "127.0.0.1:389".
    • A hostname or IP address (uses the standard LDAP port, 389).
    • A URL of the form "ldap://host:port" or "ldaps://host:port". The "ldaps" scheme specifies LDAP-over-TLS (secure connection). The ":port" is optional and defaults to 389 for plain LDAP and 636 for secure LDAP.
  • Authorized ID and Password

    Optional username and password to connect to the LDAP server.

    If not specified, the module uses the same default username and password as the native MLDAP ESM Module.

    • The username may be a plain username, a Distinguished Name, or some other format supported by the LDAP server.

Processing options for LdapEsm are set in various sections of the configuration text area.

Configuration text

Processing options for LdapEsm are set in various sections of the configuration text area.

[LDAP]
Base=dn
User container=dn
Group container=dn
Resource container=dn
User class=class-name
Group class=class-name
Resource class=class-name
User ID attribute=attribute-name
Search scope=scope
Referrals=referrals

The [LDAP] section specifies aspects of the LDAP repository and how the module should instruct the server to act. Many of these settings can be omitted and the defaults used.

The Base and container settings tell the module where in the LDAP hierarchy to find user and resource-rule objects. The values are LDAP distinguished names. If Base is not empty, it is appended to the three container settings. The default base is " CN=Micro Focus, CN=Program Data, DC=local ". The default containers for users, groups, and resources are " CN=Enterprise Server Users ", " CN=Enterprise Server User Groups ", and " CN=Enterprise Server Resources ". These correspond to the sample LDAP configuration supplied with the product.

The three class properties and the User ID attribute can be used to configure the module for LDAP schemas other than the one used in the default configuration. See the product documentation for more information.

The scope value determines whether just the immediate container or all containers within it are searched. The default is "one-level" (search only the immediate container); setting it to "subtree" searches all levels within the container recursively. There is a performance cost for subtree searches.

The referrals setting determines whether the LDAP server is allowed to pass requests it cannot answer on to other servers. By default this is disabled; setting this value to "yes" allows referrals.

[Verify]
mode=mf-hash | bind

The mode setting in the [Verify] section determines how user credentials are validated. In the mf-hash mode, which is also the default, LdapEsm searches for a user object in the user container with the userid as its common name (the first CN part of the object's distinguished name). If it finds one, it retrieves the value of the microfocus-MFDS-User-Pwd attribute, which is (normally) a salted cryptographic hash of the user's password. It hashes the supplied password with the same salt value and compares the hashes to determine if the password is correct.

In the bind mode, the module tests the supplied credentials by using them to bind to the LDAP server. The user is verified if the bind succeeds. The server determines how credentials are evaluated. Active Directory, for example, performs the equivalent of a Windows domain logon with them. Refer to the documentation for your server for more information.

[Trace]
Trace=setting
If setting is "y" or "yes" (case-insensitive), write various messages to the console log about security decisions. Currently LdapEsm just writes a message about each Auth request. (More extensive tracing will be provided in future releases.)