Configuring LDAP Servers

The following procedure describes how to configure an LDAP authentication server for use with Fortify Software Security Center.

Important!  Before you configure the properties on the LDAP page, you must prepare for LDAP authentication as described in LDAP User Authentication. That section includes requirements and recommendations for configuring multiple LDAP servers.

Important! Fortify recommends that you maintain a couple of local administrator accounts in case you encounter problems with your LDAP server at some point.

To configure an LDAP server connection for Fortify Software Security Center:

  1. On the Fortify header, click ADMINISTRATION.

  2. In the navigation pane on the left, select Configuration, and then select LDAP Servers.

  3. On the Integration with LDAP servers page, click NEW.

    The CREATE NEW LDAP CONFIGURATION dialog box opens.

  4. Configure the attributes described in the following table.


    BASIC SERVER PROPERTIES

    Enable this LDAP configuration

    Select this check box to make this LDAP server available for Fortify Software Security Center to use.

    Server name

    Important! If you configure multiple LDAP servers, make sure that you specify a unique server name for each.

    Type a unique name for this server.


    Server URL (ldap://<host>:<port>)

    Type the LDAP authentication server URL.

    If you use unsecured LDAP, enter the URL in the following format:

    ldap://<hostname>:<port>

    If you specify an ldap:// protocol, and either the SSL trust check or the Hostname validation check box is selected, StartTLS is used to connect to the LDAP server. Otherwise, an unencrypted connection is used.

    If you use secured LDAPS, enter the URL in the following format:

    ldaps://<hostname>:<port>

    LDAPS ensures that user credentials are transmitted only in encrypted form.
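    The Server URL description above, together with the SSL trust check and Hostname validation check boxes in the SECURITY section, defines which transport actually protects the bind. The following Python is an added example (it is not Fortify code) that encodes that decision: it validates the ldap://<host>:<port> or ldaps://<host>:<port> shape, returns the effective transport, and lists the findings a reviewer would raise for a given combination of settings. Whether Fortify Software Security Center still verifies an ldaps:// certificate with both check boxes cleared is not stated on this page; the review function treats the cleared boxes as findings either way, which is an assumption.

```python
from urllib.parse import urlsplit


def effective_transport(url: str, ssl_trust_check: bool, hostname_validation: bool) -> str:
    """Return 'ldaps', 'starttls' or 'plaintext' for a Server URL plus the two
    SECURITY check boxes, following the rule given for the Server URL field:
    ldaps:// is TLS from the first byte; ldap:// is upgraded with StartTLS only
    when at least one certificate check is enabled; with both cleared the bind
    password and every user password cross the network in the clear."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"unsupported scheme {parts.scheme!r}: use ldap:// or ldaps://")
    if not parts.hostname:
        raise ValueError("server URL has no host")
    if parts.port is None:  # urlsplit itself raises ValueError for a non-numeric port
        raise ValueError("server URL has no port: expected ldap://<host>:<port>")
    if parts.path or parts.query or parts.fragment:
        raise ValueError("server URL must contain only scheme, host and port")
    if parts.scheme == "ldaps":
        return "ldaps"
    return "starttls" if (ssl_trust_check or hostname_validation) else "plaintext"


def is_valid_server_url(url: str) -> bool:
    """True when the URL has the ldap://<host>:<port> or ldaps://<host>:<port> shape."""
    try:
        effective_transport(url, True, True)
    except ValueError:
        return False
    return True


def review_transport(url: str, ssl_trust_check: bool, hostname_validation: bool) -> list:
    """Findings a reviewer would raise for this combination of settings.
    Assumption (not on the page): the same two check boxes govern certificate
    checking for ldaps://, so clearing them is reported for ldaps:// as well."""
    findings = []
    transport = effective_transport(url, ssl_trust_check, hostname_validation)
    if transport == "plaintext":
        findings.append("bind credentials and user passwords cross the network unencrypted")
        return findings
    if not ssl_trust_check:
        findings.append("server certificate chain is not verified (SSL trust check cleared)")
    if not hostname_validation:
        findings.append("certificate is not matched against the host name (Hostname validation cleared)")
    return findings


if __name__ == "__main__":
    for url, trust, host in [("ldaps://ldap.example.com:636", True, True),   # constructed hosts
                             ("ldap://ldap.example.com:389", True, False),
                             ("ldap://ldap.example.com:389", False, False)]:
        print(url, trust, host, "->", effective_transport(url, trust, host),
              review_transport(url, trust, host))
```

    The last combination, ldap:// with both check boxes cleared, is the one to look for during a configuration review: it is the only one of the three that leaves the Bind user password readable on the wire.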

    Base DN

    Important! If you configure more than one LDAP server for Fortify Software Security Center, then you must set a unique Base DN for each of them.

    Type the Base Distinguished Name (DN) for LDAP directory structure searches.

    For example, the Base DN for companyName.com is dc=companyName,dc=com.

    All DN values are case-sensitive, must not contain extra spaces, and must exactly match LDAP server entries.

    If you specify no value, Fortify Software Security Center searches from the root of the LDAP object tree. With multiple LDAP servers, the Base DN must be unique for each. If the Base DN for one server is empty, it cannot be empty for another LDAP server.

    Bind user DN

    Type the full distinguished name (DN) of the account Fortify Software Security Center uses to connect to the authentication server.

    The general format for an account specifier is: cn=<accountName>,ou=users,dc=<domainName>,dc=com

    where <accountName> represents the minimum privilege, read-only authentication server account you created for exclusive use by Fortify Software Security Center.

    Caution! For security reasons, never use a real user account name in a production environment.

    If you use Active Directory, specify the domain name and username in the following format:

    <domain_name>\<username>

    Bind user password

    Type the password for the Bind User DN account.

    Show password

    Select this check box to show entered passwords.

    Relative search DNs (1 per line)

    (Optional) Type the Relative Distinguished Name (RDN). An RDN defines the starting point from the Base DN for LDAP directory searches. Fortify recommends that you search from the base DN. However, if your LDAP directory is so large that searching for Fortify Software Security Center users takes too long, use an RDN to limit the number of LDAP entries searched. You can also use an RDN to hide some part of the LDAP tree from Fortify Software Security Center for security reasons.

    For example, with the base DN dc=companyName,dc=com, specify one of the following to recursively search all entries under that relative path:

    cn=users

    or

    cn=users,ou=divisionName
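    The Base DN, Bind user DN and Relative search DNs fields above all take distinguished names that must match the directory exactly, and the multi-server rules (unique Base DN, at most one empty Base DN) are easy to get wrong by hand. The following Python is an added example, not Fortify code: a small RFC 4514-style DN splitter that rejects the extra whitespace the Base DN description warns about, a helper that shows where searches actually start once relative DNs are prefixed to the base, and a check over a set of server configurations. The server records and their names are constructed for the example.

```python
def split_unescaped(text: str, sep: str) -> list:
    """Split on sep, ignoring separators escaped with a backslash (RFC 4514)."""
    parts, current, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            current.append(ch + text[i + 1])  # keep the escape sequence intact
            i += 2
            continue
        if ch == sep:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return parts


def parse_dn(dn: str) -> list:
    """Return [(attribute, value), ...] or raise ValueError for a malformed DN.
    Comparison is exact: case is preserved and whitespace around ',' or '=' is an error."""
    rdns = []
    for rdn in split_unescaped(dn, ","):
        if rdn != rdn.strip():
            raise ValueError(f"extra whitespace around {rdn!r}")
        if "=" not in rdn:
            raise ValueError(f"{rdn!r} is not attribute=value")
        attr, value = rdn.split("=", 1)
        if not attr or not value or attr != attr.strip() or value != value.strip():
            raise ValueError(f"malformed RDN {rdn!r}")
        rdns.append((attr, value))
    return rdns


def is_well_formed_dn(dn: str) -> bool:
    try:
        parse_dn(dn)
    except ValueError:
        return False
    return True


def search_bases(base_dn: str, relative_dns: list) -> list:
    """Where searches start: each relative DN prefixed to the Base DN, or the
    Base DN alone (the recommended setting) when no relative DN is given."""
    if base_dn:
        parse_dn(base_dn)
    if not relative_dns:
        return [base_dn]
    bases = []
    for rdn in relative_dns:
        parse_dn(rdn)
        bases.append(f"{rdn},{base_dn}" if base_dn else rdn)
    return bases


def check_server_set(servers: list) -> list:
    """Problems in a multi-server setup: duplicate server names, malformed or
    duplicate Base DNs, and more than one server searching from the root."""
    problems, names, bases = [], set(), {}
    for server in servers:
        name, base = server["name"], server["base_dn"]
        if name in names:
            problems.append(f"server name {name!r} is not unique")
        names.add(name)
        if base and not is_well_formed_dn(base):
            problems.append(f"{name!r}: Base DN {base!r} is malformed")
        if base in bases:
            what = "an empty Base DN (directory root)" if base == "" else f"Base DN {base!r}"
            problems.append(f"{name!r} and {bases[base]!r} both use {what}")
        else:
            bases[base] = name
    return problems


# Constructed sample: four configurations with three distinct mistakes among them.
SAMPLE_SERVERS = [
    {"name": "corp", "base_dn": "dc=corp,dc=example"},
    {"name": "lab", "base_dn": ""},
    {"name": "lab", "base_dn": "dc=corp, dc=example"},   # duplicate name, stray space
    {"name": "legacy", "base_dn": ""},                   # second empty Base DN
]

if __name__ == "__main__":
    print(search_bases("dc=companyName,dc=com", ["cn=users", "cn=users,ou=divisionName"]))
    for problem in check_server_set(SAMPLE_SERVERS):
        print("problem:", problem)
```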

    Ignore partial result exception

    To avoid search failures when search results include more records than the LDAP server can return, leave this check box selected.

    Be aware that this flag can also mask an LDAP server misconfiguration. For example, if the LDAP server limits the number of query results to 500, but there are 600 actual results, with this flag enabled, Fortify Software Security Center silently returns only 500 records.

    LDAP server type

    From this list, select the type of LDAP server you are connecting with Fortify Software Security Center (either ACTIVE_DIRECTORY or OTHER).


    SECURITY

    SSL trust check

    If the domain controller is enabled for SSL, leave this check box selected to verify that the certificate presented by the LDAP server was issued by a trusted authority. If the domain controller is not configured for SSL, clear this check box.

    Hostname validation

    If the domain controller is enabled for SSL, leave this check box selected to ensure that the LDAP server hostname matches the hostname for which the certificate was issued. If the domain controller is not configured for SSL, clear this check box.

    Enable user status mapping (Microsoft Active Directory only)

    Select this check box to enable Fortify Software Security Center to retrieve status information for users on this LDAP server. The information is used for enhanced authentication checks during token-based and SSO-based authentication schemes.

    BASE SCHEMA

    Object class attribute

    Type the class of the object. For example, if this is set to objectClass, Fortify Software Security Center looks at the objectClass attribute to determine the entity type to search. The default value is objectClass.

    Organizational unit class

    Type the object class that defines an LDAP object as an organizational unit. The default value is container.

    User class

    Type the object class that identifies an LDAP object type as a user. The default value is organizationalPerson.

    Organizational unit name attribute

    Type the group attribute that specifies the organizational unit name. The default value is cn.

    Group class

    Type the object class that identifies an LDAP object type as a group. The default value is group.

    Distinguished name (DN) attribute

    Type the value that determines the attribute Fortify Software Security Center looks at to find the distinguished name of the entity. The default value is distinguishedName.

    USER LOOKUP SCHEMA

    User firstname attribute

    Type the user object attribute that specifies a user’s first name.

    The default value is givenName.

    User lastname attribute

    Type the user object attribute that specifies a user’s last name.

    The default value is sn.

    Group name attribute

    Type the group attribute that specifies the group name.

    The default value is cn.

    User username attribute

    Type the user object attribute that specifies a username. The default value is sAMAccountName.

    User password attribute

    Type the user object attribute that specifies a user’s password. The default value is userPassword.

    Group member attribute

    Type the group attribute that defines the members of the group. The default value is member.

    User email attribute

    Type the user object attribute that specifies a user’s email address. The default value is mail.

    User memberOf attribute

    Type the name of an LDAP attribute that includes the LDAP group names for LDAP users.

    USER PHOTO

    User photo enabled

    Select this check box to enable the retrieval of user photos from the LDAP server.

    User thumbnail photo attribute

    Type the user object attribute that stores the thumbnail photo. For Active Directory, this is the thumbnailPhoto attribute.

    User thumbnail MIME default attribute

    Thumbnail MIME default attribute

    ADVANCED INTEGRATION PROPERTIES

    Cache LDAP user data

    Note: Fortify recommends that you leave LDAP user caching enabled. With caching, changes to user information made directly in the LDAP server may not be reflected in Fortify Software Security Center for up to an hour; however, user data are seldom changed directly in the LDAP server. Without caching, a slow connection between Fortify Software Security Center and the LDAP server, or a large LDAP directory with slow searches, could degrade Fortify Software Security Center performance.

    Select this check box to enable LDAP user data caching in Fortify Software Security Center.

    You can refresh the LDAP cache manually from the ADMINISTRATION view in Fortify Software Security Center. For instructions, see Refreshing LDAP Entities Manually.

    Cache: Max threads per cache

    Type the maximum number of threads dedicated for each update process (user action). Each time a user clicks Update, a new update process starts.

    The default value is 4.

    Cache: Initial thread pool size

    Type the initial number of available cache update threads. This value is used to configure the thread pool for the task executor, which updates the LDAP cache in several threads simultaneously.

    The default value is 4.

    Cache: Max thread pool size

    Type the maximum number of threads that can be made available if the initial thread pool size is not adequate for the update process. The default value is 12.

    Enable paging in LDAP search queries

    Note: Not all LDAP servers support paging. Check to make sure that your LDAP server supports this feature.

    Select this check box to enable paging in LDAP search queries.

    Page size of LDAP search request results

    If your LDAP server limits the size of the search results by a certain number of objects and Enable paging in LDAP search queries is selected, type a value that is less than or equal to your LDAP server limit. The default value is 999.
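    The Ignore partial result exception field and the two paging fields describe the same failure mode from two sides: a server that caps a single response at, say, 500 entries, a directory that holds 600 users, and a client that either pages, fails loudly, or silently keeps the 500 it got. The following Python is an added example, not Fortify code, with a constructed toy server and client that reproduce the four outcomes. One modelling assumption is labelled in the code: the toy server refuses a page larger than its limit the way it refuses an over-limit unpaged search; real servers vary, which is why the page tells you to keep the page size at or below the server limit.

```python
class SizeLimitExceeded(Exception):
    """The server stopped early; .partial holds the entries it did return."""

    def __init__(self, partial):
        super().__init__(f"size limit exceeded after {len(partial)} entries")
        self.partial = partial


class ToyLdapServer:
    """Constructed stand-in for a directory with a per-response size limit."""

    def __init__(self, entries, size_limit):
        self.entries = list(entries)
        self.size_limit = size_limit
        self.requests = 0

    def search(self):
        """Unpaged search: everything, or a partial result plus sizeLimitExceeded."""
        self.requests += 1
        if len(self.entries) > self.size_limit:
            raise SizeLimitExceeded(self.entries[: self.size_limit])
        return list(self.entries)

    def search_paged(self, page_size, cookie=0):
        """One page starting at cookie; returns (page, next_cookie or None).
        Assumption for this toy: a page larger than the limit is refused like an
        over-limit unpaged search is."""
        self.requests += 1
        if page_size > self.size_limit:
            raise SizeLimitExceeded(self.entries[cookie: cookie + self.size_limit])
        end = cookie + page_size
        return self.entries[cookie:end], (end if end < len(self.entries) else None)


def fetch_users(server, *, paging, page_size=999, ignore_partial_result=True):
    """Return (entries, status) with status 'complete' or 'truncated'.
    Raises SizeLimitExceeded for a partial result when ignore_partial_result is False."""
    collected = []
    try:
        if paging:
            cookie = 0
            while cookie is not None:
                page, cookie = server.search_paged(page_size, cookie)
                collected.extend(page)
            return collected, "complete"
        return server.search(), "complete"
    except SizeLimitExceeded as exc:
        if ignore_partial_result:
            return collected + exc.partial, "truncated"  # the silent case from the page
        raise


def outcome(server, **settings) -> str:
    """'complete:<n>', 'truncated:<n>' or 'error' for one settings combination."""
    try:
        entries, status = fetch_users(server, **settings)
    except SizeLimitExceeded:
        return "error"
    return f"{status}:{len(entries)}"


# Constructed directory: 600 users behind a server that returns at most 500 per response.
USERS = [f"uid=user{i:03d},ou=users,dc=companyName,dc=com" for i in range(600)]
SERVER_LIMIT = 500


def demo() -> dict:
    scenarios = {
        "no paging, ignore partial": dict(paging=False, ignore_partial_result=True),
        "no paging, fail on partial": dict(paging=False, ignore_partial_result=False),
        "paging, page 999 (default)": dict(paging=True, page_size=999),
        "paging, page 500": dict(paging=True, page_size=500),
    }
    return {label: outcome(ToyLdapServer(USERS, SERVER_LIMIT), **settings)
            for label, settings in scenarios.items()}


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:28} -> {result}")
```

    The "truncated:500" rows are the ones that matter operationally: nothing fails, yet 100 users never reach Fortify Software Security Center. Paging with a page size at or below the server limit is the only combination here that returns all 600 and does so in two requests.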

    LDAP referrals processing strategy

    Note: If referrals are not used on your LDAP server, see About the LDAP Server Referrals Feature.

    If you have only one LDAP server, Fortify recommends that you select ignore so that LDAP works faster. If you have a multi-domain LDAP configuration and you use LDAP referrals, select follow. The default value is ignore.

    LDAP authenticator type

    From this list, select one of the following LDAP authentication types to use:

    • BIND_AUTHENTICATOR—Authentication directly to the LDAP server ("bind" authentication).
    • PASSWORD_COMPARISON_AUTHENTICATOR—The password the user supplies is compared to the one stored in the repository.

    For more information about LDAP authentication types, see http://docs.spring.io/spring-security/site/docs/3.1.x/reference/ldap.html.

    LDAP password encoder type

    Select a value from this list only if the LDAP authentication method is password comparison.

    You must select the encoder type that the LDAP server uses. Fortify Software Security Center compares encoded passwords. If, for example, the LDAP server uses LDAP_SHA_PASSWORD_ENCODER to encode passwords, but you select MD4_PASSWORD_ENCODER, password comparisons will fail.
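    The encoder-mismatch failure described above follows from how a comparison authenticator has to work: it reads the stored value of the User password attribute, re-encodes the supplied password with the configured encoder, and compares the two strings, so a value written by any other encoder never matches. The following Python is an added example, not Fortify code. LDAP_SHA_PASSWORD_ENCODER is the name the page uses; the SSHA and PLAINTEXT labels, the {SHA}/{SSHA} encodings (the common RFC 2307 style) and the sample passwords are constructed for the example, and the page's MD4_PASSWORD_ENCODER is stood in for by the plaintext case to show the same mismatch.

```python
import base64
import hashlib
import hmac
import os


def encode_sha(password: str) -> str:
    """RFC 2307 style {SHA}: base64 of the unsalted SHA-1 digest."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def encode_ssha(password: str, salt: bytes = None) -> str:
    """{SSHA}: base64 of SHA-1(password || salt) followed by the salt."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def scheme_of(stored: str) -> str:
    """The {SCHEME} prefix of a stored value, or 'PLAINTEXT' when there is none."""
    if stored.startswith("{") and "}" in stored:
        return stored[1: stored.index("}")]
    return "PLAINTEXT"


def matches(stored: str, supplied: str, encoder: str) -> bool:
    """Compare as a password-comparison authenticator must: re-encode the supplied
    password with the *configured* encoder and compare in constant time."""
    if encoder == "LDAP_SHA_PASSWORD_ENCODER":
        return hmac.compare_digest(stored.encode(), encode_sha(supplied).encode())
    if encoder == "SSHA":  # constructed label, not an SSC list entry
        if scheme_of(stored) != "SSHA":
            return False
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(digest, hashlib.sha1(supplied.encode() + salt).digest())
    if encoder == "PLAINTEXT":  # constructed label, not an SSC list entry
        return hmac.compare_digest(stored.encode(), supplied.encode())
    raise ValueError(f"unknown encoder {encoder!r}")


EXPECTED_SCHEME = {"LDAP_SHA_PASSWORD_ENCODER": "SHA", "SSHA": "SSHA", "PLAINTEXT": "PLAINTEXT"}


def encoder_mismatch(stored: str, encoder: str) -> bool:
    """True when the stored value's scheme cannot have been produced by the selected
    encoder: the check to run before every comparison login starts failing."""
    return scheme_of(stored) != EXPECTED_SCHEME[encoder]


if __name__ == "__main__":
    stored = encode_sha("correct horse battery")  # constructed sample password
    for encoder in ("LDAP_SHA_PASSWORD_ENCODER", "PLAINTEXT", "SSHA"):
        print(encoder, "mismatch:", encoder_mismatch(stored, encoder),
              "login ok:", matches(stored, "correct horse battery", encoder))
```

    Two practical consequences follow. First, the comparison authenticator only works if the Bind user DN account can read the password attribute, which is more than the minimum-privilege, read-only lookup account described earlier needs; BIND_AUTHENTICATOR lets the directory do the check and never exposes stored password values to Fortify Software Security Center. Second, a mismatch of this kind fails every login at once, so an encoder check like encoder_mismatch() on a known account is a cheap pre-flight before switching authenticator type.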

    Enable nested LDAP groups

    Note: Use nested LDAP groups only if you absolutely must. Enabling nested LDAP groups forces Fortify Software Security Center to perform extra tree traversals during authentication. Fortify strongly recommends that you clear this check box if you do not plan to use nested groups.

    Select this check box to enable nested group support for LDAP in Fortify Software Security Center (wherein a given group member might itself be a group).
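    The extra tree traversals mentioned in the note above, and the reason nested groups need care, are easiest to see on a small directory. The following Python is an added example, not Fortify code, over a constructed set of group entries whose member attribute values (the default Group member attribute from the USER LOOKUP SCHEMA section) point at users or at other groups; two of the groups reference each other, which a naive recursive expansion would loop on. It resolves effective membership with and without nesting and counts the group entries read.

```python
# Constructed sample directory: group DN -> values of its `member` attribute.
ADMINS = "cn=ssc-admins,ou=groups,dc=companyName,dc=com"
PLATFORM = "cn=platform,ou=groups,dc=companyName,dc=com"
SRE = "cn=sre,ou=groups,dc=companyName,dc=com"
AUDITORS = "cn=auditors,ou=groups,dc=companyName,dc=com"
ALICE = "cn=alice,ou=users,dc=companyName,dc=com"
BOB = "cn=bob,ou=users,dc=companyName,dc=com"
CAROL = "cn=carol,ou=users,dc=companyName,dc=com"

GROUPS = {
    ADMINS: [PLATFORM],          # admins contains no user directly
    PLATFORM: [ALICE, SRE],
    SRE: [BOB, PLATFORM],        # sre and platform contain each other (a cycle)
    AUDITORS: [CAROL],
}


def effective_members(groups: dict, group_dn: str, nested: bool):
    """Return (set of user DNs, number of group entries read).

    Without nesting only direct user members count and exactly one entry is read.
    With nesting, member groups are expanded breadth-first; the visited set stops
    the platform/sre cycle and bounds the number of reads."""
    users, reads, seen, queue = set(), 0, set(), [group_dn]
    while queue:
        current = queue.pop(0)
        if current in seen:
            continue
        seen.add(current)
        reads += 1
        for member in groups.get(current, []):
            if member in groups:  # the member is itself a group
                if nested:
                    queue.append(member)
            else:
                users.add(member)
    return users, reads


def groups_of(groups: dict, user_dn: str, nested: bool) -> set:
    """Groups the user effectively belongs to, as a role mapping would see them."""
    return {g for g in groups if user_dn in effective_members(groups, g, nested)[0]}


def traversal_cost(groups: dict, nested: bool) -> int:
    """Total group entries read to resolve every group once."""
    return sum(effective_members(groups, g, nested)[1] for g in groups)


if __name__ == "__main__":
    for nested in (False, True):
        users, reads = effective_members(GROUPS, ADMINS, nested)
        print(f"nested={nested}: ssc-admins -> {sorted(users)} ({reads} reads);",
              f"total reads for all groups: {traversal_cost(GROUPS, nested)}")
```

    With nesting cleared, ssc-admins has no effective members and the whole directory costs four reads; with nesting enabled, alice and bob become admins through platform and sre, and the cost doubles even on this tiny tree. Both facts matter: the extra reads are the performance cost the note warns about, and the widened membership is why a group that grants Fortify Software Security Center roles should be reviewed for nested members before this box is selected.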

    Interval between LDAP server validation attempts (ms)

    Type the number of milliseconds to wait after a validation attempt before attempting the next validation.

    The default value is 5000.

    Time to wait LDAP validation (ms)

    Type the length of time (in milliseconds) that Fortify Software Security Center is to wait for a response after sending a request to the LDAP server to update the cache. If a response is not received at the end of the designated time, the update is not performed. The request is sent again at the frequency determined by the value set for the Interval between LDAP server validation attempts field.

    The default value is 5000.

    Base SID of Active Directory objects


    (Microsoft Active Directory only) Specify the base security identifier (SID) of LDAP directory objects.

    Object SID (objectSid) attribute

    (Microsoft Active Directory only) Type the name of the attribute that contains the LDAP entity's objectSid (Object Security Identifier).

    This attribute is used to search for users based on their object security IDs. It is required if you use Active Directory and more than one LDAP server.
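    The two Active Directory fields above rely on the structure of a security identifier: the objectSid of a user is the domain's base SID followed by one more sub-authority, the relative identifier (RID), which is what lets Fortify Software Security Center tell users of two directories apart. The following Python is an added example, not Fortify code: it decodes the binary objectSid value (revision byte, sub-authority count, 48-bit big-endian authority, then 32-bit little-endian sub-authorities) to the S-1-... string form, encodes it back, and checks whether a SID falls directly under a configured base SID. The domain SID and RID values are constructed; the one well-known SID in the test, S-1-5-32-544, is the standard Administrators alias.

```python
import struct


def sid_to_string(blob: bytes) -> str:
    """Decode a binary objectSid to its S-<revision>-<authority>-<sub>... form."""
    if len(blob) < 8:
        raise ValueError("objectSid too short")
    revision, count = blob[0], blob[1]
    if revision != 1 or len(blob) != 8 + 4 * count:
        raise ValueError("malformed objectSid")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:]) if count else ()
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def string_to_sid(text: str) -> bytes:
    """Inverse of sid_to_string, e.g. for building an objectSid search value."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not an S-... SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    packed = struct.pack("<%dI" % len(subs), *subs) if subs else b""
    return bytes([revision, len(subs)]) + authority.to_bytes(6, "big") + packed


def rid_under_base(sid: str, base_sid: str):
    """The RID when sid is exactly one sub-authority below base_sid, else None.
    This is the test for 'does this objectSid belong to the domain this server
    configuration is for'."""
    if not sid.startswith(base_sid + "-"):
        return None
    rest = sid[len(base_sid) + 1:]
    return int(rest) if rest.isdigit() else None


if __name__ == "__main__":
    base = "S-1-5-21-1004336348-1177238915-682003330"   # constructed domain SID
    user = base + "-1001"                               # constructed user RID
    print(string_to_sid(user).hex(), "->", sid_to_string(string_to_sid(user)))
    print("RID under base:", rid_under_base(user, base))
```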

  5. To check the validity of the configuration, click VALIDATE CONNECTION.

  6. To check the validity of and save the configuration, click SAVE.
  7. To configure another LDAP server, repeat steps 3 through 6.

    Important! If you configure multiple LDAP servers, you must make sure that you specify a unique server name and a unique Base DN for each.

    Although Fortify supports the use of multiple LDAP servers, it does not support the use of multiple LDAP servers behind a load balancer, unless those servers are identical.

See Also

Importing an LDAP Server Configuration

Editing an LDAP Server Configuration

Registering LDAP Entities

LDAP User Authentication

Deleting an LDAP Server Configuration

About Managing LDAP User Roles