Managing One Identity Safeguard for Privileged Sessions (SPS) users from an LDAP database
The One Identity Safeguard for Privileged Sessions (SPS) web interface can authenticate users to an external LDAP database to simplify the integration of SPS to your existing infrastructure. You can also specify multiple LDAP servers: if the first server is unavailable, SPS will try to connect to the second server.
NOTE: Consider the following:
-
The admin user is available by default and has all privileges. It is not possible to delete this user.
-
Enabling LDAP authentication automatically disables the access of every local user except for admin. The admin user can login to SPS even if LDAP authentication is used.
-
SPS accepts both pre-win2000-style and Win2003-style account names (User Principal Names). User Principal Names (UPNs) consist of a username, the at (@) character, and a domain name, for example administrator@example.com.
-
For the username of SSH users, only valid UTF-8 strings are allowed.
-
The following characters cannot be used in:
- usernames: /\[]:;|=+*?<>"
-
group names: /\[]:;|=+*?<>"@,
-
When using RADIUS authentication together with LDAP users, the users are authenticated to the RADIUS server, only their group memberships must be managed in LDAP. For details, see "Authenticating users to a RADIUS server" in the Administration Guide.
- SPS treats user and group names in a case insensitive manner if the matching rule for the attribute in question is case insensitive in the LDAP database.
Prerequisites
Make sure that the response timeout of the LDAP/Active Directory server is at least 120 seconds.
To enable LDAP authentication
-
Navigate to Users & Access Control > Settings > Authentication settings.
-
Select the LDAP option and enter the parameters of your LDAP server.
Figure 86: Users & Access Control > Settings > Authentication settings — Configuring LDAP authentication
-
Enter the IP address or hostname and port of the LDAP server into the Server Address field. If you want to encrypt the communication between SPS and the LDAP server, in case of TLS, enter 636 as the port number, or in case of STARTTLS, enter 389 as the port number.
Use an IPv4 address.
To add multiple servers, click
and enter the address of the next server. If a server is unreachable, SPS will try to connect to the next server in the list in failover fashion.
Caution: If you connect to the LDAP server over a TLS-encrypted connection with certificate verification, you must fill the Server Address field with a name or IP address, which must be present in the certificate.
When you configure the location of the LDAP server, that is, the IP address or hostname and the port number, you can use a Service record (SRV record), which is a type of information record in the DNS that maps the name of a service to the DNS name of the server. For example, enter _ldap._tcp.SITE_NAME._sites.dc._msdcs.DOMAIN.NAME in the Address field where you change the SITE_NAME and DOMAIN.NAME to your own site and domain name, then add the port number as required.
In SPS, the lookup of the SRV record happens at LDAP service startup, reload, or restart.
For more information on SRV records, see the relevant Microsoft documentation.
-
Select the type of your LDAP server in the Type field. Select:
-
Active Directory to connect to Microsoft Active Directory servers.
You can enable nested groups. Select Enable AD group membership check, then Enable nested groups.
Caution: Nested groups can slow down the query and cause the connection to timeout if the LDAP tree is very large. In this case, disable the Enable nested groups option.
To also check group membership based on group DNs in a user attribute, select Enable checking for group DNs in user objects and enter the name of the user attribute, for example, memberOf in the User attribute of group DNs field.
Caution: Using this option significantly slows down log on to the SPS web interface if you have too many groups.
Only use this option if you have an LDAP schema where the user groups can only be determined from a user attribute that contains the group DNs.
To check for group membership based on user DNs in group attributes, use the Check the user DN in these groups options.
For more information, see Active Directory LDAP backend.
-
POSIX to connect to servers that use the POSIX LDAP scheme.
If your LDAP server uses a custom POSIX LDAP scheme, you might need to set which LDAP attributes store the username, or the attributes that set group memberships. For example, if your LDAP scheme does not use the uid attribute to store the usernames, set the Username (user ID) attribute name option.
In addition to the primary group membership checking, you can allow checking for supplementary group memberships by selecting the Enable POSIX group membership check and specifying the POSIX group membership attribute name field.
To also check group membership based on group DNs in a user attribute, select Enable checking for group DNs in user objects and enter the name of the user attribute, for example, memberOf in the User attribute of group DNs field and objectClass, for example, groupOfNames in the Group objectClass field.
Caution: Using this option significantly slows down log on to the SPS web interface if you have too many groups.
Only use this option if you have an LDAP schema where the user groups can only be determined from a user attribute that contains the group DNs.
To check for group membership based on user DNs in group attributes, use the Check the user DN in these groups options.
For more information, see POSIX LDAP backend.
For an overview about LDAP user and group resolution in SPS, see Overview.
-
-
In the User Base DN field, enter the name of the DN to be used as the base of queries regarding users (for example: OU=People,DC=demodomain,DC=exampleinc).
NOTE: You must fill in this field. It is OK to use the same value for User Base DN and Group Base DN.
However, note that specifying a sufficiently narrow base for the LDAP subtrees where users and groups are stored can speed up LDAP operations.
-
In the Group Base DN field, enter the name of the DN to be used as the base of queries regarding groups (for example: OU=Groups,DC=demodomain,DC=exampleinc).
NOTE: You must fill in this field. It is OK to use the same value for User Base DN and Group Base DN.
However, note that specifying a sufficiently narrow base for the LDAP subtrees where users and groups are stored can speed up LDAP operations.
-
In the Bind DN field, enter the Distinguished Name that SPS should use to bind to the LDAP directory (for example: CN=Administrator,DC=demodomain,DC=exampleinc).
NOTE: SPS accepts both pre-win2000-style and Win2003-style account names (User Principal Names), for example administrator@example.com is also accepted.
-
To configure or change the password to use when binding to the LDAP server, click Change and enter the password. Click Update. Click
.
NOTE: One Identity Safeguard for Privileged Sessions (SPS) accepts passwords that are not longer than 150 characters. Letters A-Z, a-z, numbers 0-9, the space character, as well as the following special characters can be used: !"#$%&'()*+,-./:;<>=?@[]\^-`{}_|
-
If you want to encrypt the communication between SPS and the LDAP server, in Encryption, select the TLS or the STARTTLS option and complete the following steps:
Figure 87: Policies > LDAP Servers — Configuring encryption
NOTE:TLS-encrypted connection to Microsoft Active Directory is supported only on Windows 2003 Server and newer platforms. Windows 2000 Server is not supported.
-
If you want SPS to verify the certificate of the server, select Only accept certificates authenticated by the Trust Store and select a trust store in the Trust Store field.
SPS will use the selected trust store to verify the certificate of the server, and reject the connections if the verification fails.
Caution: SPS checks if the certificate revocation list (CRL) has expired and that the CRL has been signed by the same certificate authority (CA).
Caution: If you connect to the LDAP server over a TLS-encrypted connection with certificate verification, you must fill the Server Address field with a name or IP address, which must be present in the certificate.
Authenticate as client
-
If the LDAP server requires mutual authentication, that is, it expects a certificate from SPS, enable Authenticate as client. Generate and sign a certificate for SPS, then click
in the Client X.509 certificate field to upload the certificate. After that, click
Verify the certificate of the server
One Identity recommends using 2048-bit RSA keys (or stronger).
-
-
Click
NOTE: You also have to configure the usergroups in SPS and possibly in your LDAP database. For details on using usergroups, see Using usergroups.
-
Click Test to test the connection.
Overview
Access control in SPS is based on groups. Whenever a user needs to access a protected resource, like navigating to a configuration page on the SPS web interface, or opening a channel in a connection, SPS checks the access control list associated with the resource in question.
The access control lists grant access to groups. Therefore, SPS needs to determine which groups the user is a member of to evaluate the access rules.
When you configure SPS to use an LDAP backend, SPS will:
-
Identify the user. For more information, see User identification below.
-
Determine the relevant groups the user is a member of. For more information, see Group membership resolution below.
User identification
SPS works with plain usernames, for example, administrator. This must be unambiguously resolved to an LDAP user object in order to determine the user’s groups. If a user identification returns multiple results, SPS treats this as an error, and access to the user in question is denied.
Only the user object returned in this phase is used for group membership checks, and not the original plain username.
User resolution depends on the type of the backend (POSIX or Active Directory).
For more information, see the backend-specific sections below.
Group membership resolution
SPS works with plain group names, for example, superusers. For group membership checks, SPS looks up a relevant group object in LDAP and checks if the user object returned during user identification is a member of that group. Since some of the group object’s attributes are always used for group membership checks, the group object must also exist in LDAP.
Group membership resolution depends on the LDAP backend type.
For more information, see the backend-specific sections below.
Common to all backends
All backends have configurable parameters relevant for user identification and group membership:
-
bind_dnandbind_password: Bind DN and Bind password are used for user identification and group membership check during authentication to the LDAP database. If you leave it empty, SPS will try to bind anonymously. -
user_base_dn: User Base DN is where SPS searches for users. -
group_base_dn: Group Base DN is where SPS searches for groups. Only groups under this base are considered for membership. -
memberof_check: the Enable checking for group DNs in user objects setting allows checking a configurable attribute in the user object. This attribute contains a list of group DNs the user is additionally a member of. This user attribute is usually memberOf. For more information, see the backend-specific sections below. -
user_dn_in_groups: Check the user DN in these groups is a list of additional group object classes and their respective attributes where SPS will look for member user DNs. For more information, see the backend-specific sections below.
All comparisons and searches are done by SPS in a way that plain user and group names are matched with attribute values by the LDAP server. As a result, user and group names are case insensitive if and only if the matching rule for the attribute in question is case insensitive in the LDAP database.
Active Directory LDAP backend
In addition to the common parameters, the Active Directory (AD) backend has the following additional configurable parameters:
-
membership_check: Enable AD group membership check enables AD specific non-primary group membership checking.NOTE: The AD user’s primary group is always checked regardless of this setting.
-
nested_groups: Enable nested groups allows AD nested group support. See below for details.
-
Additionally, AD supports case and accent insensitive matching in many of the user and group name attributes. Since SPS relies on the server to perform comparisons, case and accent insensitive user and group name support depends solely on the server configuration.
User identification in AD
To determine the user entry for a given plain username, SPS performs a search under user_base_dn for objects having either the sAMAccountName or the userPrincipalName equal to the plain username of the user. The objectClass of the user object is not restricted.
NOTE: Although userPrincipalName in AD is a Internet-style name like user@example.com, it matches simple names like user.
Only the user object returned here is used for group membership checks.
Group membership resolution in AD
For all group membership checks, only the LDAP user object returned during user identification phase is used.
The plain group name is always compared to the cn attribute of the group object.
A user is treated as a member of a group if both the group object’s objectClass and objectCategory is group, and any of the following is true:
-
The group is the user’s primary group. That is, the objectSID attribute of the group matches the Security Identifier calculated from the user object’s objectSID and primaryGroupID attributes, as described in the Microsoft Support article How to use the PrimaryGroupID attribute to find the primary group for a user.
NOTE: When using the AD backend, this check is always performed, even if the
membership_checkoption is disabled. However, it is OK for the user to have no primary group. -
The group lists the user’s short username. That is, the group’s memberUid attribute contains the short username from the user object.
This check is performed only when the
membership_checkoption is enabled for AD.NOTE: For the purpose of this check, the user’s short username is retrieved from the user object’s sAMAccountName attribute only, which is a single-valued attribute in AD. This is a known limitation.
It is OK for the sAMAccountName attribute to be missing, in which case this check will be skipped.
-
The group lists the user’s dn. That is, the group object’s member attribute contains the user’s dn.
This check is performed only when the
membership_checkoption is enabled for AD.This is the only place where nested groups are supported. When the
nested_groupssetting is enabled in the configuration, SPS will also find groups which do not directly contain the user’s dn in their member attribute, but do contain an intermediate group’s dn, which in turn contains the user dn in its member attribute. This nesting can be arbitrarily deep, limited only by AD.NOTE: Due to the nature of the way AD resolves the nested group chain, intermediate groups might be outside the configured
group_base_dn.
NOTE: Although an objectCategory in AD is a DN-valued attribute, it does match simple names like group.
Additionally, a user is treated as a member of a group if:
-
The group lists the user’s dn in any of the additional group objects configured in
user_dn_in_groups.For example, if a row is added with
objectClassset to groupOfNames andattributeset to member, SPS will treat the user as a member of all groups where the group is a groupOfNames, and the group’s member attribute contains the user’s dn.NOTE: There is no additional restriction on the group’s objectClass in this case.
-
The user lists the group’s dn. That is, the user’s
memberof_user_attributecontains the dn of the group, and the objectClass of the referred group is group.This check is performed only when the
memberof_checkoption is enabled for AD.NOTE: SPS compares the dn stored in the
memberof_user_attributeto the dn of the group object itself in a strict stringwise manner. Therefore, this user attribute must contain the group DN exactly as it would be returned by the LDAP server. No case or accent differences are allowed.