Enabling LDAP server authentication

LDAP is a standards-based, cross-platform, extensible protocol that runs directly on top of TCP/IP. It is used to access specialized databases called directories.

To avoid maintaining multiple user credentials, you can use the company LDAP server to authenticate user IDs and passwords.

As a prerequisite, the LDAP server must contain user groups that correspond to the required user roles. For more information, see Understanding user roles.

Click the settings icon on the upper-right corner of the page.

Click LDAP, and then select Enable LDAP for authentication.

From the Authentication Information section, configure the settings.

LDAP server hostname—The IP address or the host name of the LDAP server where the authentication occurs. If you want to use encrypted communication between the MVE server and the LDAP server, then use the fully qualified domain name (FQDN).
Server port—The port number that the local computer uses to communicate with the LDAP community server. MVE uses the port number to determine what type of encryption to use. The default port number is 389. If the default port number is used, then MVE begins its connection unencrypted. Otherwise, MVE begins its connection using SSL encryption.
Root distinguished name—The base distinguished name (DN) of the root node. In the LDAP community server hierarchy, this node must be the ancestor of the user node and group node. For example, dc=mvptest,dc=com.
Note: When specifying the root DN, make sure that only dc and o are part of the root DN. If ou or cn is the ancestor of the user and group nodes, then use ou or cn in the user and group search bases.
User search base—The node in the LDAP community server where the user object exists. This node is under the root DN where all the user nodes are listed. For example, ou=people.

User search filter—The parameter for locating a user object in the LDAP community server. For example, (uid={0}).

Examples of allowed multiple conditions and complex expressions
Log in using	In the “User search filter” field, type
Common name	(CN={0})
Login name	(sAMAccountName={0})
User principal name	(userPrincipalName={0})
Telephone number	(telephoneNumber={0})
Login name or common name	(\|(sAMAccountName={0})(CN={0}))

Note: The only valid pattern is {0}, which means that MVE searches for the MVE user login name.

Allow nested user search—The system searches all the nodes under the user search base.
Group search base—The node in the LDAP community server where the user groups that correspond to the MVE roles exist. This node is under the root DN where all the group nodes are listed. For example, ou=group.
Group search filter—The parameter for locating a user within a group that corresponds to a role in MVE.
Note: Only the {0} and {1} patterns can be used. If {0} is used, then MVE searches for the LDAP user DN. If {1} is used, then MVE searches for the MVE user login name.
Group role attribute—The attribute that contains the full name of the group. For example, cn.
Allow nested group search—The system searches all the nodes under the group search base.

From the Binding Information section, select a binding type.

Anonymous—This option is selected by default. The MVE server does not produce its identity or credentials to the LDAP server to use the LDAP server lookup facility. The follow-up LDAP lookup session uses only unencrypted communication.
Simple—The MVE server produces the specified credentials to the LDAP server to use the LDAP server lookup facility. If the server port is set to 389, then the communication with the LDAP server is unencrypted. If the port is set to any other value, then the communication is encrypted.
1. In the “Bind distinguished name” field, type the bind DN.
2. Type the bind password, and then confirm the password.
TLS—The system uses Start TLS encrypted communication between the MVE server and the LDAP server. The MVE server fully authenticates itself to the LDAP server using the MVE server identity (bind DN) and credentials (bind password). TLS works only when using port 389.
1. In the “Bind distinguished name” field, type the bind DN.
2. Type the bind password, and then confirm the password.

Kerberos—To configure the settings, do the following:

Click Choose File, and then browse to the krb5.conf file.
In the “Encryption method” menu, select whether to use SSL encryption.

Select the authentication type.

If the authentication type is set to KDC name/password, then configure the settings.

Type the Key Distribution Center (KDC) name.
Type the KDC password, and then confirm the password.

Note: If you want clients to log in using Windows Authentication, then use Kerberos authentication. A service principal name (SPN) and a keytab file must be created on the LDAP server. After the authentication method is set up, clients not on the localhost are authorized to use MVE based on their client account. To change the LDAP settings without a valid client account, access MVE from the localhost using a local administrator account. When using Kerberos authentication, the Test LDAP feature does not validate if the SPN or keytab files are properly set up, and the authentication may fail.

Note: For Simple, TLS, and Kerberos binding, MVE must trust the LDAP server certificate. For more information, see Installing LDAP server certificates.

From the “LDAP Groups to MVE Role Mapping” section, enter the names of the LDAP groups that correspond to the MVE roles.

Notes:

For more information, see Understanding user roles.
You can assign one LDAP group to multiple MVE roles, and you can also type more than one LDAP group in a role field.
When typing multiple LDAP groups in the role fields, use the vertical bar character (|) to separate multiple LDAP groups. For example, if you want to include the admin and the assets groups for the Admin role, then type admin|assets in the “LDAP groups for Admin role” field.
If you want to use only the Admin role and not the other MVE roles, then leave the fields blank.

Click Save Changes.