User Data sources

Note

Review Join Domain

During the Join Domain wizard a UDS may or may not have been added; if it was not, it can be added later as an object in the CMDB.

Going to ON CMDB -> User Data Sources, a user data source (UDS) can be defined. A UDS makes identities available to the authorization process: AD attributes become inputs to authorization, so that, for instance, a user who is a member of a given AD group can be assigned a different level of access, such as a specific VLAN.

Once the openNAC Core has been joined to the domain and a UDS has been configured, authorization policies based on that UDS can be defined.

To add a new UDS the following information is required:

  • Name: the name given to the UDS. In this example the UDS is of type LDAP/AD, so a name such as "AD Mycompany" is appropriate.
  • Type: LDAP/AD in this example; a Database connection could also be used to obtain user attributes.
  • Read only: if set, queries are launched with a read-only flag, which prevents any write operation against the directory.
  • Enabled: the UDS can be enabled or disabled.
  • LDAP Host: the IP address of the LDAP/AD server that receives the queries, for instance 172.16.11.5; additional IPs can be added.
  • LDAP Port: the port used for the LDAP/AD search queries. The default, 389, is an unencrypted connection; if LDAPS is enabled on the server the port is 636. Without LDAPS or TLS the bind password and every query result cross the network in clear text.
  • LDAP Username: the user registered in the AD/LDAP server that openNAC binds with in order to read AD/LDAP information; in the picture it is the user created in the Active Directory (Step 1).
  • LDAP Password: the password of the AD/LDAP bind user.
  • LDAP Base DN: the base DN at the top of the domain naming structure. Our domain is named mycompany.local, so its base DN is DC=mycompany,DC=local.
  • LDAP AccountDomainName: the DNS name of the domain in uppercase, in this case MYCOMPANY.LOCAL.
  • LDAP AccountDomainName Short: the short name of the domain, commonly called the NetBIOS name, for instance MYCOMPANY.
  • LDAP AccountFilterFormat: the filter used to select the user, where %s is replaced by the login name. Two options are given and only one must be used: (sAMAccountName=%s) for Active Directory and (uid=%s) for other LDAP servers.
  • LDAP Bind requires DN: the bind DN is the credential used to authenticate against the LDAP server and usually comes with an associated password; anonymous binds are often not allowed to perform certain operations.
  • LDAP Uid attr: the attribute that identifies the user ID; it differs depending on whether AD or another LDAP server is used.
  • LDAP Mail attr: the attribute that holds the user's mail address.
  • LDAP Phone attr: the attribute that holds the user's phone number.
  • LDAP Group attr: the attribute that holds the user's group memberships.
  • Enable LDAPS: authenticate and authorize users over LDAP encapsulated in an SSL/TLS tunnel on port 636/TCP.
  • Enable TLS: secures the communication between the LDAP client and the LDAP server by upgrading the plain connection to TLS (StartTLS).
../../../_images/oncmdbudsad.PNG
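Before enabling a new UDS it is worth exercising the same parameters by hand from the openNAC host. The following shell script is an added example and not part of the openNAC documentation or product: it runs the search the UDS would run, using OpenLDAP's ldapsearch (openldap-clients package), with constructed values that mirror the table above (host 172.16.11.5, base DN DC=mycompany,DC=local, filter (sAMAccountName=%s); the bind user name and all function names are assumptions of this example). It also shows why the login substituted into AccountFilterFormat must be escaped as RFC 4515 requires: a login such as jdoe)(objectClass=* would otherwise change the structure of the filter rather than being matched literally.

```shell
#!/bin/sh
# Added example: probe an LDAP/AD user data source with the parameters from the
# UDS form, using OpenLDAP's ldapsearch. Not openNAC code; names are assumptions.

# Constructed sample values mirroring the UDS table above.
UDS_HOST=172.16.11.5
UDS_PORT=636                                  # 389 = plain LDAP, 636 = LDAPS
UDS_BIND_USER='opennac-bind@MYCOMPANY.LOCAL'  # LDAP Username (assumed; UPN form)
UDS_BASE_DN='DC=mycompany,DC=local'           # LDAP Base DN
UDS_FILTER_FMT='(sAMAccountName=%s)'          # LDAP AccountFilterFormat
UDS_ATTRS='sAMAccountName mail telephoneNumber memberOf'  # Uid/Mail/Phone/Group attrs

# Escape a value for use inside an LDAP search filter (RFC 4515). The backslash
# is handled first so the escapes it introduces are not escaped again.
# NUL bytes cannot travel through a shell string and are not handled here.
ldap_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Build the user search filter by substituting the escaped login for the single
# %s in AccountFilterFormat. Refuses formats with zero or more than one %s.
build_filter() {
  fmt=$1
  login=$2
  case $fmt in
    *%s*) ;;
    *) echo "AccountFilterFormat must contain %s" >&2; return 1 ;;
  esac
  prefix=${fmt%%"%s"*}
  suffix=${fmt#*"%s"}
  case $suffix in
    *%s*) echo "AccountFilterFormat must contain exactly one %s" >&2; return 1 ;;
  esac
  printf '%s%s%s' "$prefix" "$(ldap_escape "$login")" "$suffix"
}

# Run the same search the UDS performs for one login. -x is a simple bind as the
# UDS bind user (-W prompts for LDAP Password so it does not land in the shell
# history); -o ldif-wrap=no keeps long values such as memberOf DNs on one line.
# For ldaps:// the issuing CA must already be trusted (see the LDAPS section
# below); LDAPTLS_CACERT=/path/to/bundle points ldapsearch at a specific bundle.
probe_uds() {
  login=$1
  filter=$(build_filter "$UDS_FILTER_FMT" "$login") || return 1
  case $UDS_PORT in
    636) uri="ldaps://$UDS_HOST:$UDS_PORT" ;;
    *)   uri="ldap://$UDS_HOST:$UDS_PORT" ;;
  esac
  # UDS_ATTRS is intentionally left unquoted so it is split into attribute names.
  ldapsearch -LLL -o ldif-wrap=no -x -H "$uri" -D "$UDS_BIND_USER" -W \
    -b "$UDS_BASE_DN" "$filter" $UDS_ATTRS
}

# Usage: sh uds_probe.sh probe jdoe
case "${1:-}" in
  probe) probe_uds "$2" ;;
esac
```

If the bind fails, the error text from the directory (for AD, the "data 52e"/"data 775" style codes in the invalidCredentials message) tells you whether the bind user, its password or the account state is the problem before you touch the UDS form.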

Going to ON CMDB -> User Data Sources, as shown in Step 1, we can see which user data sources are available to the product. By default two UDS are created, and an LDAP/Active Directory source or other external databases can be added.

Out of the box user data source are:

  • LocalDB: the local database, based on MySQL.
  • Sample ldap: a local LDAP service that can be used for proofs of concept; it is not recommended for production environments.

Others can be:

  • Active Directory (optional): This is the connection established with Active Directory.
  • LDAP Server.
  • External Database or many others.

In Step 2 we can see the status of each UDS and its connection details.

../../../_images/oncmdbuds.PNG

Going to ON CMDB -> User Data Sources, as shown in Step 1, we can choose the Active Directory UDS and check its status, its connection details and whether it is enabled or disabled.

../../../_images/oncmdbuds1.PNG

Going to ON CMDB -> User Data Sources, as shown in Step 1, we can manage group authorizations. Local groups can be used to authorize administration roles, but Active Directory groups can be used as well, which lets us delegate administration portal identities and profiles to any Active Directory group.

Roles based on AD groups

Going to ON CMDB -> LDAP/AD Filters, as shown in Step 1, it is possible to create user roles based on AD groups.

We assume that there is a role called “administrator”.

In order to assign Active Directory groups go to Step 2, “Manage group authorization”.

To add a new group authorization follow Step 3.

When adding a new group authorization, select the AD group (Corporate_Users) as shown in Step 4 and assign it the role “administrator” as shown in Step 5.

These roles control access to the openNAC web administration portal, so membership in the mapped AD group is equivalent to holding that portal role; the group should be managed with the same care as the role itself. Remember that either Active Directory or LDAP groups can be used to create roles.

../../../_images/oncmdbudsroles.PNG

As an example with Active Directory, go to Manage group authorizations as shown in Step 1, then press Add new; there you can map the AD group to the local role, in this case administrator, as shown in Step 3.

../../../_images/oncmdbuds2.png
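What a group authorization does in effect is map the group DNs returned in the user's group attribute (memberOf in AD) onto local roles. The following added example, which is not openNAC code, does that over a constructed LDIF snippet in the shape ldapsearch -LLL -o ldif-wrap=no prints and a constructed authorization table that mirrors the Corporate_Users to administrator mapping above; every name in it is an assumption of this example. It illustrates two things worth keeping in mind when you review such a mapping: the match is done on the group's CN only and case-insensitively, as the directory itself matches DNs, and a user whose groups match nothing gets no role at all, which is the right default for a portal administration role.

```shell
#!/bin/sh
# Added example: derive openNAC portal roles from a user's AD group membership
# the way a group authorization mapping does. Not openNAC code.

# Constructed authorization table, one "<AD group CN>:<local role>" per line,
# mirroring the Corporate_Users -> administrator mapping from the screenshots.
GROUP_AUTHZ='Corporate_Users:administrator
Helpdesk:operator'

# Constructed LDIF for a user, as ldapsearch -LLL -o ldif-wrap=no would print it.
SAMPLE_LDIF='dn: CN=John Doe,OU=Users,DC=mycompany,DC=local
sAMAccountName: jdoe
mail: jdoe@mycompany.local
memberOf: CN=Corporate_Users,OU=Groups,DC=mycompany,DC=local
memberOf: CN=VPN_Users,OU=Groups,DC=mycompany,DC=local'

# roles_from_ldif LDIF TABLE: print each role granted by the memberOf values in
# LDIF, one per line, in first-seen order. Matching is on the group CN only and
# is case-insensitive, like the directory itself. Caveats: memberOf lists direct
# memberships only (nested groups and the primary group are not expanded), and
# DNs containing non-ASCII characters are emitted base64-encoded as "memberOf::",
# which this parser deliberately does not decode, so they never match.
roles_from_ldif() {
  printf '%s\n' "$1" | awk -v table="$2" '
    BEGIN {
      n = split(table, rows, "\n")
      for (i = 1; i <= n; i++) {
        if (split(rows[i], kv, ":") == 2) map[tolower(kv[1])] = kv[2]
      }
    }
    /^memberOf: / {
      dn = substr($0, 11)                       # strip the "memberOf: " prefix
      if (match(dn, /^[Cc][Nn]=[^,]+/)) {
        cn = tolower(substr(dn, 4, RLENGTH - 3))  # the CN value, lower-cased
        if ((cn in map) && !(map[cn] in seen)) {
          seen[map[cn]] = 1
          print map[cn]
        }
      }
    }'
}

# has_role LDIF TABLE ROLE: succeed only if ROLE is granted. Use it for
# deny-by-default decisions: no matching group means no access.
has_role() {
  roles_from_ldif "$1" "$2" | grep -qx "$3"
}

# Usage: sh uds_roles.sh demo
case "${1:-}" in
  demo) roles_from_ldif "$SAMPLE_LDIF" "$GROUP_AUTHZ" ;;
esac
```

Because only the CN is compared, two groups with the same CN in different OUs would both match; if that is possible in your forest, compare the full DN instead.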

Prerequisites when LDAPS or TLS is enabled

In order to connect to the server over SSL/TLS, the certificate it presents must be trusted, which in practice means trusting the CA that issued it.

If SSL is not yet enabled on the AD server, this tutorial may help to enable it:

http://www.javaxt.com/Tutorials/Windows/How_to_Enable_LDAPS_in_Active_Directory

Install the ca-certificates package:

yum install ca-certificates

Enable the dynamic CA configuration feature:

update-ca-trust enable

To obtain the public root CA we can use the following command, which shows the certificate information the Active Directory server presents, where “server” is the FQDN or IP of the server:

openssl s_client -showcerts -connect server:636 </dev/null | openssl x509 -text -noout

With that information we can obtain the URL from which to download the CA certificate, given in the “Authority Information Access: CA Issuers” section. Note that the command above shows only the first certificate the server sends, i.e. the server's own certificate, not the CA's; it is the CA certificate that has to be trusted. If the command does not work, ask the administrators for the public CA certificate file. The file should look like:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Add it as a new file to /etc/pki/ca-trust/source/anchors/:

cp CACERT.crt /etc/pki/ca-trust/source/anchors/

Then run:

update-ca-trust extract
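The following script is an added example and not part of the openNAC documentation; its file names, function names and the bundle path /etc/pki/tls/certs/ca-bundle.crt (the file update-ca-trust extract writes on RHEL/CentOS) are assumptions of this example. It wraps the steps above and adds the two checks a practitioner wants: it refuses to anchor a certificate that is not a CA, since piping s_client into openssl x509 as shown above yields the server's leaf certificate rather than its issuer, and it verifies the LDAPS connection against the extracted bundle afterwards, which is the test that openNAC's LDAPS or TLS option will actually work.

```shell
#!/bin/sh
# Added example: pick the CA out of an LDAPS server's chain, anchor it in the
# system trust store and verify the connection afterwards. Not openNAC code.
# Assumes a RHEL/CentOS-style update-ca-trust layout.

ANCHOR_DIR=/etc/pki/ca-trust/source/anchors
BUNDLE=/etc/pki/tls/certs/ca-bundle.crt   # written by update-ca-trust extract

# fetch_chain SERVER OUT: save every certificate the server presents (the leaf
# first, its issuers after it) as consecutive PEM blocks in OUT. Piping
# s_client straight into `openssl x509` keeps only the first block, the leaf.
fetch_chain() {
  openssl s_client -showcerts -connect "$1:636" -servername "$1" </dev/null 2>/dev/null \
    | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$2"
}

# split_chain IN PREFIX: write each PEM block of IN to PREFIX1.pem, PREFIX2.pem,
# ... and print how many blocks were found.
split_chain() {
  awk -v p="$2" '/-----BEGIN CERTIFICATE-----/ { n++ } { print > (p n ".pem") } END { print n + 0 }' "$1"
}

# is_ca_cert FILE: succeed only if FILE is a CA certificate (basicConstraints
# CA:TRUE). Trust belongs to the issuer; the server's own certificate changes on
# every renewal and is not what should be anchored.
is_ca_cert() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# install_anchor FILE: copy a CA certificate into the anchors directory and
# regenerate the system bundle. Needs root.
install_anchor() {
  if ! is_ca_cert "$1"; then
    echo "refusing to anchor $1: not a CA certificate (CA:TRUE missing)" >&2
    return 1
  fi
  cp "$1" "$ANCHOR_DIR/" && update-ca-trust extract
}

# verify_ldaps SERVER: check that the server's chain verifies against the
# system bundle. Use the name that appears in the server certificate (normally
# the domain controller's FQDN); -servername sends it as SNI.
verify_ldaps() {
  openssl s_client -connect "$1:636" -servername "$1" -CAfile "$BUNDLE" </dev/null 2>/dev/null \
    | grep -q 'Verify return code: 0 (ok)'
}

# Usage: sh ldaps_trust.sh fetch dc01.mycompany.local chain.pem
#        sh ldaps_trust.sh split chain.pem cert        (then inspect cert2.pem, ...)
#        sh ldaps_trust.sh install cert2.pem
#        sh ldaps_trust.sh verify dc01.mycompany.local
case "${1:-}" in
  fetch)   fetch_chain "$2" "$3" ;;
  split)   split_chain "$2" "$3" ;;
  install) install_anchor "$2" ;;
  verify)  verify_ldaps "$2" ;;
esac
```

Domain controllers frequently send only their leaf certificate, so the chain may contain a single block; in that case the CA certificate has to come from the AIA URL or from the AD administrators, and is_ca_cert still tells you whether what you were given is the issuer or just another copy of the leaf.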