Enabling LDAP server authentication

LDAP is a standards-based, cross-platform, extensible protocol that runs directly on top of TCP/IP. It is used to access specialized databases called directories.

To avoid maintaining multiple user credentials, you can use the company LDAP server to authenticate user IDs and passwords.

As a prerequisite, the LDAP server must contain user groups that correspond to the required user roles. For more information, see Understanding user roles.

Click Settings on the upper-right corner of the page.

Click LDAP, and then select Enable LDAP for authentication.

In the LDAP server hostname field, type the IP address or the host name of the LDAP server where the authentication occurs.

Note: If you want to use encrypted communication between the MVE server and the LDAP server, then use the fully qualified domain name (FQDN).

Specify the server port number according to the encryption protocol selected.

Select the encryption protocol.

None
TLS—A security protocol that uses data encryption and certificate authentication to protect the communication between a server and a client. If this option is selected, then a START_TLS command is sent to the LDAP server after the connection is established. Use this setting if you want a secure communication over port 389.
SSL/TLS—A security protocol that uses public-key cryptography to authenticate the communication between a server and a client. Use this option if you want a secured communication from the start of the LDAP bind. This option is typically used for port 636 or other secured LDAP ports.

Select the binding type.

Anonymous—This option is selected by default. The MVE server does not produce its identity or credentials to the LDAP server to use the LDAP server lookup facility. This option is depreciated in nearly all LDAP implementations and must never be used.
Simple—The MVE server produces the specified credentials to the LDAP server to use the LDAP server lookup facility.
1. Type the bind user name.
2. Type the bind password, and then confirm the password.
Kerberos—To configure the settings, do the following:
1. Type the bind user name.
2. Type the bind password, and then confirm the password.
3. Click Choose File, and then browse to the krb5.conf file.
SPNEGO—To configure the settings, do the following:
1. Type the service principal name.
2. Click Choose File, and then browse to the krb5.conf file.
3. Click Choose File, and then browse to the Kerberos keytab file.
This option is used only for configuring the Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) to support the Single Sign-On functionality.

From the Advanced Options section, configure the following:

Search Base—The base distinguished name (DN) of the root node. In the LDAP community server hierarchy, this node must be the ancestor of the user node and group node. For example, dc=mvptest,dc=com.
Note: When specifying the root DN, make sure that only dc and o are part of the root DN. If ou or cn is the ancestor of the user and group nodes, then use ou or cn in the user and group search bases.
User search base—The node in the LDAP community server where the user object exists. This node is under the root DN where all the user nodes are listed. For example, ou=people.

User search filter—The parameter for locating a user object in the LDAP community server. For example, (uid={0}).

Examples of allowed multiple conditions and complex expressions
Log in using	In the User search filter field, type
Common name	(CN={0})
Login name	(sAMAccountName={0})
User Principal Name	(userPrincipalName={0})
Telephone number	(telephoneNumber={0})
Login name or common name	(\|(sAMAccountName={0})(CN={0}))

Note: The only valid pattern is {0}, which means that MVE searches for the MVE user login name.

Search User base object and whole subtree—The system searches all the nodes under the user search base.
Group search base—The node in the LDAP community server containing the user groups that correspond to the MVE roles. This node is under the root DN where all the group nodes are listed. For example, ou=group.
Group search filter—The parameter for locating a user within a group that corresponds to a role in MVE.
Note: Only the {0} and {1} patterns can be used. If {0} is used, then MVE searches for the LDAP user DN. If {1} is used, then MVE searches for the MVE user login name.
Group role attribute—Type the LDAP attribute for the full name of the group. An LDAP attribute has a specific meaning and defines a mapping between the attribute and a field name. For example, the LDAP attribute cn is associated with the Full Name field. The LDAP attribute commonname is also mapped to the Full Name field. Generally, this attribute must be left to the default value of cn.
Search User base object and whole subtree—The system searches all the nodes under the group search base.

From the LDAP Groups to MVE Role Mapping section, type the names of the LDAP groups that correspond to the MVE roles.

Notes:

For more information, see Understanding user roles.
You can assign one LDAP group to multiple MVE roles. You can also type more than one LDAP group in a role field, using the vertical bar character (|) to separate multiple groups. For example, to include the admin and assets groups for the Admin role, type admin|assets in the LDAP groups for Admin role field.
If you want to use only the Admin role and not the other MVE roles, then leave the fields blank.

Click Save Changes.