The following describes how to fetch the public keys of the users from an LDAP server and have One Identity Safeguard for Privileged Sessions (SPS) generate a keypair that is used in the server-side connection on-the-fly, and upload the public key of this pair to the LDAP database.
To configure public-key authentication using an LDAP server and generated keys
Navigate to SSH Control > Authentication Policies and create a new Authentication Policy.
Select Authenticate the client to SPS using > LDAP > Public key, deselect all other options.
Select Relayed authentication methods > Public key > Publish to LDAP, deselect all other options.
Click .
Navigate to Policies > LDAP Servers and click to create a new LDAP policy.
Enter the parameters of the LDAP server. For details, see Authenticating users to an LDAP server.
If different from sshPublicKey, enter the name of the LDAP attribute that stores the public keys of the users into the Publickey attribute name field.
|
Caution:
The public keys stored in the LDAP database must be in OpenSSH format. |
Enter the name of the LDAP attribute where SPS shall upload the generated keys into the Generated publickey attribute name field.
Click .
Navigate to SSH Control > Connections and create a new Connection.
Enter the IP addresses of the clients and the servers into the From and To fields.
Select the authentication policy created in Step 1 from the Authentication Policy field.
Select the LDAP policy created in Step 7 from the LDAP Server field.
If the server accepts a user only from a specific IP address, select the Use original IP address of the client radiobutton from the SNAT field.
Configure the other options of the connection as necessary.
Click .
To test the above settings, initiate a connection from the client machine to the server.
When using One Identity Safeguard for Privileged Sessions (SPS) in non-transparent mode, the administrators must address SPS to access the protected servers. If an administrator has access to more than one protected server, SPS must be able to determine which server the administrator wants to access. For each protected server, the administrators must address either different ports of the configured interface, or different alias IP addresses.
To allow the administrators to access protected servers by connecting to the IP address of One Identity Safeguard for Privileged Sessions (SPS), and use the port number to select which server they want to access. Organizing connections based on port numbers is advantageous if SPS has a public IP address and the protected servers must be administered from the Internet.
|
NOTE:
Do not use the listening addresses configured for web login. For more details, see Configuring user and administrator login addresses. |
For details on configuring alias IP addresses, see Managing logical interfaces.
To organize connections based on port numbers
Navigate to the Connections tab of the SSH Control menu.
Add a new connection. Enter the IP address of the administrators into the From fields, and the IP address and port number of the server into the Target field.
Enter the IP address of the logical interface of SPS into the To field, and enter a port number into the Port field.
Repeat Steps 2-3 for every protected server, but every time use a different port number in Step 3.
Click .
To allow the administrators to access protected servers by connecting to an alias IP address of One Identity Safeguard for Privileged Sessions (SPS). The alias IP address determines which server they will access. Organizing connections based on alias IP addresses is advantageous if SPS is connected to a private network and many private IP addresses are available.
|
NOTE:
Do not use the listening addresses configured for web login. For more details, see Configuring user and administrator login addresses. |
To organize connections based on alias IP addresses
Navigate to Basic Settings > Network.
Set up a logical interface: click and configure a new logical interface. Add alias IP addresses for every protected server. (Use a different IP address for each.)
For more information on configuring logical interfaces and alias IP addresses, see Managing logical interfaces.
Navigate to SSH Control > Connections.
Add a new connection. Enter the IP address of the administrators into the From fields, and the IP address and port number of the target server into the Target field.
Enter an alias IP address of the configured logical interface of SPS into the To field.
Repeat Steps 4-5 for every protected server, but every time use a different alias IP address in Step 5.
Click .
© 2024 One Identity LLC. ALL RIGHTS RESERVED. Conditions d’utilisation Confidentialité Cookie Preference Center