The syslog-ng Store Box (SSB) web interface can authenticate users to an external LDAP database to simplify the integration of SSB to your existing infrastructure. You can also specify multiple LDAP servers, if the first server is unavailable, SSB will try to connect to the second server.
As in the case of locally managed users, use groups to control access to the logfiles available via a shared folder. For details, see Accessing log files across the network.
The following describes how to enable LDAP authentication.
NOTE: The admin user is available by default and has all privileges. It is not possible to delete this user.
The admin user can login to SSB even if LDAP authentication is used.
Enabling LDAP authentication automatically disables the access of every local user except for admin.
SSB accepts both pre-win2000-style and Win2003-style account names (User Principal Names). User Principal Names (UPNs) consist of a username, the at (@) character, and a domain name, for example administrator@example.com.
The following characters cannot be used in usernames and group names: <>\/[]:;|=,+*)?@"
When using RADIUS authentication together with LDAP users, the users are authenticated to the RADIUS server, only their group memberships must be managed in LDAP. For details, see Authenticating users to a RADIUS server.
When using OpenID Connect authentication together with local users, the users are authenticated via OpenID Connect, only their group memberships must be managed locally on SSB. For details, see Authenticating users via OpenID Connect.
To enable LDAP authentication
-
Navigate to AAA > Settings > Authentication settings.
-
Select the LDAP option and enter the parameters of your LDAP server.
Figure 76: AAA > Settings > User database — Configure LDAP authentication
-
Click 
.
NOTE: You also have to configure the usergroups in SSB and possibly in your LDAP database. For details on using usergroups, see How to use usergroups.
-
Click Test to test the connection. Note that the testing of SSL-encrypted connections is currently not supported.
The syslog-ng Store Box (SSB) appliance can authenticate its users to an external RADIUS server. Group memberships of the user is based on the username, and it must be managed in the configured user database.
|
|
Caution:
The challenge/response authentication methods is currently not supported. Other authentication methods (for example, password, SecureID) should work. |
To authenticate SSB users to a RADIUS server
-
Navigate to AAA > Settings.
Figure 77: AAA > Settings — Configuring RADIUS authentication
-
Set the Authentication method field to RADIUS.
-
Enter the IP address or domain name of the RADIUS server into the Address field.
-
Enter the password that SSB can use to access the server into the Shared secret field.
NOTE: The syslog-ng Store Box (SSB) appliance accepts passwords that are not longer than 150 characters. The following special characters can be used:
! " # $ % & ' ( ) * + , - . / : ; < > = ? @ [ ] ^ - ` { | } |
-
To add more RADIUS servers, click 
and repeat Steps 2-4.
Repeat this step to add multiple servers. If a server is unreachable, SSB will try to connect to the next server in the list in failover fashion.
-
NOTE: The password-related settings under Password settings for root, admin and local users are effective for local non-admin users only if password authentication method and local user database is configured. These settings are always effective for the local administrator (default admin user) regardless of configuration. Local administrators always use local password authentication.
-
|
|
Caution: After clicking and changing to the new authentication method, the following will happen:
-
Users who are logged in at the time of the change will not have to reauthenticate themselves.
-
Users who log in after the change will have to authenticate against the new authentication method.
-
The default admin account of SSB can log in using the local password authentication method, even if the provider of the non-local authentication method is inaccessible. |
Click .
The syslog-ng Store Box (SSB) appliance can authenticate its users to an external OpenID Connect server. Group memberships of the user is based on the username, and it must be managed in the configured user database.
To authenticate SSB users to an OpenID Connect server
-
Navigate to AAA > Settings.
Figure 78: AAA > Settings — Configuring OpenID Connect authentication
-
Set the Authentication method field to OpenID Connection.
-
In the Provider URL field, enter the URL of the OpenID Connect server.
-
In the Client ID field, enter the client ID that identifies your SSB to the OpenID Connect server.
-
Select the client authentication mode from the Client authentication radio buttons.
-
In case of Basic client authentication mode, enter the client secret corresponding to the Client ID into the Client secret field.
NOTE: The syslog-ng Store Box (SSB) appliance accepts passwords that are not longer than 150 characters. The following special characters can be used:
! " # $ % & ' ( ) * + , - . / : ; < > = ? @ [ ] ^ - ` { | } |
-
Optional: Enable Use proxy and enter the proxy address you want to use into the Proxy address field.
NOTE: If you have to use a proxy, consider that only HTTP proxies are supported.
-
In the Redirect Login URL field, enter the URL for the OpenID Connect server to redirect to after login.
NOTE: The default value is https://<SSB IP address>/index.php?_backend=Auth?login=1. The suffix //index.php?_backend=Auth?login=1 is mandatory. Consider that invalid formatting of this field can make the login to the syslog-ng Store Box (SSB) appliance via OpenID Connect impossible.
-
In the Username claim field, enter the claim to obtain the user name from.
-
Optional: Enable Always prompt to always force a login to OpenID Connect.
-
Optional: Enable Logout globally to always force OpenID Connect to log out the user from their global OpenID session.
Optional: Enter the redirect URL what will be used after logout from OpenID Identity Provider into the Redirect Logout URL field. The default value is a URL based on the IP address of the syslog-ng Store Box. When left unconfigured, the Identity Provider's default sign-in page will be displayed after logging out from SSB.
-
NOTE: The password-related settings under Password settings for root, admin and local users are effective for local non-admin users only if password authentication method and local user database is configured. These settings are always effective for the local administrator (default admin user) regardless of configuration. Local administrators always use local password authentication.
-
|
|
Caution: After clicking and changing to the new authentication method, the following will happen:
-
Users who are logged in at the time of the change will not have to reauthenticate themselves.
-
Users who log in after the change will have to authenticate against the new authentication method.
-
The default admin account of SSB can log in using the local password authentication method, even if the provider of the non-local authentication method is inaccessible. |
Click .
In syslog-ng Store Box (SSB), user rights can be assigned to usergroups. SSB has numerous usergroups defined by default, but custom user groups can be defined as well. Every group has a set of privileges: which pages of the SSB web interface it can access, and whether it can only view (read) or also modify (read & write/perform) those pages or perform certain actions.
Figure 79: AAA > Access Control — Managing SSB users
NOTE: Every group has either read or read & write/perform privileges to a set of pages.
The admin user is available by default and has all privileges, except that it cannot remotely access the shared logspaces. It is not possible to delete this user.
