Importing external LDAP users and user groups

After you complete the tasks in this section, your users will be able to log in to the SA Client with their LDAP user names and passwords.

This method does not import LDAP user groups. If you want to import users and user groups, see Importing LDAP users and user groups using LDAP authentication configuration.

To import external users with the SA Client, perform the following steps:

  1. In the SA Client navigation pane, select the Administration tab. This displays the Users and Groups node in the navigation pane.
  2. Open the Users and Groups node in the navigation pane. This displays the Users node.
  3. Select the Users node. This displays all your SA users.
  4. Select the Actions > Import Users menu. This displays information from your LDAP directory.
  5. Select the Import Users tab. This displays all the users in your LDAP directory.
  6. Select one or more users.
  7. You can optionally assign the users to one or more users groups. Select the Assign Groups tab, and select one or more user groups.
  8. Select the Import Users button. This imports the users into SA.

Importing LDAP users and user groups using LDAP authentication configuration

LDAP Authentication Configuration is a command line tool used to configure LDAP and import users and user groups into SA. This can be a complex process that requires some preparation.

Once LDAP has been configured, the LDAP Users & User Groups Synchronization APX can also be used to import LDAP users and user groups into SA.

You should not edit user groups being maintained by LDAP synchronization. These user groups are indicated by the description, __DO_NOT_EDIT__MAINTAINED_BY_LDAP_SYNC_.

See the following sections for ore information:

Prerequisites

The LDAP Authentication Configuration tool is a script that must be run on an SA Core’s Slice Component bundle host. Before running the script, you must have the following information available:

LDAP authentication configuration prerequisites

Prerequisite

Description

Hostname

Semicolon separated list of fully-qualified host name (FQHN) or IP address of the LDAP directory server that SA is to use. Only the first listed host is used for communication, the other hosts are used to handle failover scenarios.

LDAP server port

The LDAP directory server port. The default SSL port is 636 and the default non-SSL port is 389. SA does not support StartTLS.

SSL

Is SSL authentication required by your LDAP directory server? If SSL is enabled, you must supply the trusted CA certificates used to validate the server’s SSL certificate.

Trusted CA certificates to validate server SSL certificate

The complete path to the file on the LDAP directory server containing the trusted CA certificates, in PEM format, used to verify the LDAP directory server’s SSL certificate.

SSL with mutual (or two-way) authentication

You must supply the following information:

Trusted CA certificates to validate server SSL certificate

Trusted CA certificates to validate client SSL certificate

Client certificate and (unencrypted) private key.

SSL with client authentication enabled

The complete path to the file containing the trusted CA certificates, in PEM format, used to verify the SSL client certificate.

The complete path to the file containing the client SSL certificate and its corresponding private key, in PEM format. The client private key must not be encrypted.

Anonymous search to the Directory Information Tree (DIT)

Does the LDAP directory allow anonymous searches to the DIT where user information is stored? Note that this implies that anonymous bind is allowed. For example, does an anonymous user (a user who did not supply a bind DN and password) have read access to the DIT? For most enterprises, anonymous search is not allowed. If anonymous search is disabled, you must supply the bind DN and password of a user who has read access to the DIT.

Bind DN

Required only if anonymous search is disabled. The bind DN for the user who has read access to the DIT.

Bind password

Required only if anonymous search is disabled. The bind password for the user who has read access to the DIT.

Attribute for unique user name

The attribute for the unique user name.

For Active Directory, the default is SAMAccountName.

For Novell eDirectory, the default is cn.

For all other vendors, the default is uid.

Attribute for user display name

The attribute for the user display name.

For Active Directory, the default is displayName.

For Novell eDirectory, the default is fullName.

For all other vendors, the default is cn.

Base DN

The base DN, or the portion of the DIT to be considered when searching for users during the user import operation. The LDAP Authentication Configuration tool uses a subtree search; therefore, the search filter is only applicable to users at or below the base DN.

Search Filter Template

The Search Filter Template is used, with optional filter substitution, as the filter in the LDAP search for the user import.

Any dollar sign ($) character in the template is replaced by the filter string specified in the Import Users page of the SA Client. (The default value is an asterisk (*), which matches all entries.)

For Active Directory, the default is (&(sAMAccountName=$)
(objectCategory=person)
(objectClass=user)
(sAMAccountType=805306368))
.

For Novell eDirectory, the default is (&(cn=$)(objectClass=person)).

For all other vendors, the default is uid=$.

LDAP authentication configuration

When you run LDAP Authentication Configuration, you will be prompted depending on whether your LDAP Directory server requires SSL authentication and whether anonymous search is allowed.

Anonymous Search: No

SSL: No

  1. Log in to a server hosting a Slice Component bundle for your SA Core.
  2. Log in as the twist user:

    su twist

  3. Issue the following command:

    cd /opt/opsware/twist

  4. Invoke LDAP Authentication Configuration:

    ./ldap_config.sh

  5. Enter the necessary information. Enter N when asked if anonymous search is allowed. Enter N when asked if SSL setup is required.
  6. After the tool completes, ensure that LDAP authentication configuration is successfully validated and stored.
  7. Log on to the Command Center and ensure that external user import works.
  8. Ensure that you can log on to the Command Center as an LDAP user.

Note: When running the ldap_config.sh script to import ldap users into a Server Automation (SA) core, with a special bind configured, the following message might appear, and the script fails:

Error: failed to verify LDAP search configuration. message=null
Failed to verify LDAP search configuration with the specified LDAP directory server.
Please correct your answers.

Additional tests with ldapsearch work, as does ldap_config.sh with a different base bind.

The error is caused when the ldap_config.sh script attempts to resolve a referral to one of the DomainDnsZones handling the bind data and encountered a timeout. Unless the script can follow the referral, it cannot validate/populate the ldap entry, resulting in the error messages.

To resolve this issue:

1. Verify that the DomainDnsZones are reachable from the core. For example, if you are trying to use a Base bind "DC=A1,DC=B2,DC=C3,DC=com", make sure that DomainDnsZones.A1.B2.C3.com:636 is reachable from the core. If it is not, check if firewalls or routers are functioning correctly.

2. If using SSL with ldap, try running ldap_config.sh without SSL. If this works, use the following command to examine the certificate returned by AD:

openssl s_client -CAfile /var/opt/opsware/crypto/twist/ldapcert.pem -connect DomainDnsZones.LA.FRD.DIRECTV.com:636

3. If non-SSL works, add the LDAP server certificate into /var/opt/opsware/crypto/twist/ldapcert.pem.

Anonymous Search: Yes

SSL: No

  1. Log in to a server hosting a Slice Component bundle for your SA Core.
  2. Log in as the twist user:

    su twist

  3. Issue the following command:

    cd /opt/opsware/twist

  4. Invoke LDAP Authentication Configuration:

    ./ldap_config.sh

  5. Enter the necessary information. Enter Y when asked if anonymous search is allowed. Enter N when asked if SSL setup is required.
  6. After the tool completes, ensure that LDAP authentication configuration is successfully validated and stored.
  7. Log on to the Command Center and ensure that external user import works.
  8. Ensure that you can log on to the Command Center as an LDAP user.

Anonymous Search: No

SSL: Yes (SSL server authentication only)

  1. Log in to a server hosting a Slice Component bundle for your SA Core.
  2. Log in as the twist user:

    su twist

  3. Issue the following command:

    cd /opt/opsware/twist

  4. Invoke LDAP Authentication Configuration:

    ./ldap_config.sh

  5. Enter N when asked if anonymous search is allowed. Enter Y when asked if SSL setup is required. Answer N when asked whether to use SSL client authentication.
  6. After the tool completes, ensure that LDAP authentication configuration is successfully validated and stored.
  7. Log on to the Command Center and ensure that external user import works.
  8. Ensure that you can log on to the Command Center as an LDAP user.

Anonymous Search: No

SSL: Yes (SSL mutual authentication required)

  1. Log in to a server hosting a Slice Component bundle for your SA Core.
  2. Log in as the twist user:

    su twist

  3. Issue the following command:

    cd /opt/opsware/twist

  4. Invoke LDAP Authentication Configuration:

    ./ldap_config.sh

  5. Enter N when asked if anonymous search is allowed. Enter Y when asked if SSL setup is required. Enter Y when asked whether to use SSL client authentication.
  6. After the tool completes, ensure that LDAP authentication configuration is successfully validated and stored.
  7. Log on to the Command Center and ensure that external user import works.
  8. Ensure that you can log on to the Command Center as an LDAP user.

Anonymous Search: Yes

SSL: Yes (SSL server authentication only)

  1. Log in to a server hosting a Slice Component bundle for your SA Core.
  2. Log in as the twist user:

    su twist

  3. Issue the following command:

    cd /opt/opsware/twist

  4. Invoke LDAP Authentication Configuration:

    ./ldap_config.sh

  5. Enter Y when asked if anonymous search is allowed. Enter Y when asked if SSL setup is required. Enter N when asked whether to use SSL client authentication.

Anonymous Search: Yes

SSL: Yes (SSL mutual authentication required)

  1. Log in to a server hosting a Slice Component bundle for your SA Core.
  2. Log in as the twist user:

    su twist

  3. Issue the following command:

    cd /opt/opsware/twist

  4. Invoke LDAP Authentication Configuration:

    ./ldap_config.sh

  5. Enter Y when asked if anonymous search is allowed. Enter Y when asked if SSL setup is required. Enter Y when asked whether to use SSL client authentication.

The values shown as defaults are the values saved during the last LDAP Authentication Configuration Tool session.

Example - LDAP authentication configuration session

./ldap_config.sh

 

Retrieving LDAP configuration ...

LDAP Connectivity Configuration

Enter the fully-qualified host name or IP for the LDAP directory server [sample-centos.example.com] :

Does the LDAP directory server require SSL? [N] :

Enter the port number for the LDAP directory server [8389] :

Does the LDAP directory server support anonymous bind and anonymous read access to the directory information tree? [N] :

Enter the bind distinguished name (DN) of the user who has read access to the directory information tree (DIT)
[cn=Administrator,cn=users,dc=hyrule,dc=local] :

Do you want to change the bind password for cn=Administrator,cn=users,dc=hyrule,dc=local [N] :

 

You have entered the following information:

LDAP Directory Server FQHN/IP                     : sample-centos.example.com

LDAP Directory Server Port                        : 8389

SSL Enabled?                                      : false

Bind DN                                           : cn=Administrator, cn=users,dc=hyrule,dc=local

Bind Password Provided?                           : true

 

Is this correct? [Y] :

 

Verifying LDAP directory server connectivity ...

found naming context : DC=hyrule,DC=local

found naming context : CN=Configuration,DC=hyrule,DC=local

found naming context : CN=Schema,CN=Configuration,DC=hyrule,DC=local

found naming context : DC=DomainDnsZones,DC=hyrule,DC=local

found naming context : DC=ForestDnsZones,DC=hyrule,DC=local

LDAP directory server connectivity successfully verified.

 

LDAP Search Configuration

Is the LDAP directory server an Active Directory (AD) directory server? [Y] :

Enter the LDAP attribute for the unique username [SamAccountName] :

Enter the LDAP attribute for the user's display name [cn] :

Enter the LDAP search filter template [(&(sAMAccountName=$)(objectCategory=person)(objectClass=user)

(sAMAccountType=805306368))] :

Enter the LDAP search base distinguished name (DN). Usually this is the root naming context. [cn=users,dc=hyrule,dc=local] :

 

You have entered the following information:

LDAP Unique Username Attribute : SamAccountName

LDAP User Display Name Attribute : cn

LDAP Search Filter Template : (&(sAMAccountName=$)(objectCategory=person)(objectClass=user)
(sAMAccountType=805306368))

LDAP Search Base Distinguished Name (DN) : cn=users,dc=hyrule,dc=local

 

Is this correct? [Y] :

 

Verifying LDAP search configuration ...

To test LDAP search configuration, you must provide a username of a LDAP directory user to search.

LDAP search configuration is successfully verified only if the given user is successfully returned by the LDAP

directory server.

Enter a username to search : *

 

You have entered the following information:

Username To Search : *

 

Is this correct? [Y] :

 

Resulting LDAP Search Filter : (&(sAMAccountName=*)(objectCategory=person)(objectClass=user)(sAMAcco

untType=805306368))

Searching LDAP directory server for user * ...

Found 4 users

 

DN : CN=Administrator,cn=users,dc=hyrule,dc=local

cn : Administrator

SamAccountName : Administrator

 

DN : CN=Guest,cn=users,dc=hyrule,dc=local

cn : Guest

SamAccountName : Guest

 

DN : CN=krbtgt,cn=users,dc=hyrule,dc=local

cn : krbtgt

SamAccountName : krbtgt

 

DN : CN=link,cn=users,dc=hyrule,dc=local

cn : link

SamAccountName : link

 

Is this correct? [Y] :

LDAP search configuration successfully verified.

Enter the LDAP search filter template to search user groups [(&(cn=$)(objectCategory=group))] :

Enter the LDAP attribute for the unique user group name [SamAccountName] :

Enter the LDAP attribute in the user group LDAP object class which contains the DNs of its members [

member] :

 

You have entered the following information:

LDAP Search User Group Base DN : cn=users,dc=hyrule,dc=local

LDAP Search User Group Search Filter Template : (&(cn=$)(objectCategory=group))

LDAP Unique User Group Name Attribute : SamAccountName

LDAP Search User Group Membership Attribute : member

 

Is this correct? [Y] :

 

Verifying LDAP user group synchronization configuration ...

Searching LDAP directory server for all users and user groups ...

Searching LDAP directory server for all LDAP users ...

 

Resulting LDAP Search Filter For All LDAP Users : (&(sAMAccountName=*)(objectCategory=person)(object

Class=user)(sAMAccountType=805306368))

Found 4 LDAP users

 

Parsing search results ...

Searching LDAP directory server for all LDAP user groups ...

 

Resulting LDAP Search Filter For All LDAP User Groups : (&(cn=*)(objectCategory=group))

Found 16 LDAP user groups

 

Parsing search results ...

Do you wish to display detail search result? [N] : y

Parsing search results ...

Denied RODC Password Replication Group: 2 members

Administrator : cn=administrator,cn=users,dc=hyrule,dc=local

krbtgt : cn=krbtgt,cn=users,dc=hyrule,dc=local

Allowed RODC Password Replication Group: 0 members

Enterprise Read-only Domain Controllers: 0 members

Group Policy Creator Owners: 1 members

Administrator : cn=administrator,cn=users,dc=hyrule,dc=local

Domain Controllers: 0 members

Cert Publishers: 0 members

Domain Users: 0 members

Enterprise Admins: 1 members

Administrator : cn=administrator,cn=users,dc=hyrule,dc=local

Schema Admins: 1 members

Administrator : cn=administrator,cn=users,dc=hyrule,dc=local

DnsAdmins: 0 members

Read-only Domain Controllers: 0 members

RAS and IAS Servers: 0 members

Domain Guests: 0 members

Domain Admins: 1 members

Administrator : cn=administrator,cn=users,dc=hyrule,dc=local

Domain Computers: 0 members

DnsUpdateProxy: 0 members

Is this correct? [Y] :

LDAP user group synchronization configuration successfully verified.

 

The following properties will be stored into global configuration.

aaa.ldap.hostname=gyee-centos.cup.hpe.com

aaa.ldap.port=8389

aaa.ldap.ssl=false

aaa.ldap.search.binddn=cn=Administrator,cn=users,dc=hyrule,dc=local

aaa.ldap.search.pw=true

aaa.ldap.search.naming.attribute=SamAccountName

aaa.ldap.search.display.name.attribute=cn

aaa.ldap.search.filter.template=(&(sAMAccountName=$)(objectCategory=person)
  (objectClass=user)(sAMAccountType=805306368))

aaa.ldap.search.base.template=cn=users,dc=hyrule,dc=local

aaa.ldap.enable.users.groups.sync=true

aaa.ldap.search.usergroup.naming.attribute=SamAccountName

aaa.ldap.search.usergroup.membership.naming.attribute=member

aaa.ldap.search.usergroup.base.template=cn=users,dc=hyrule,dc=local

aaa.ldap.search.usergroup.filter.template=(&(cn=$)(objectCategory=group))

 

Are you sure? [Y] :

Saving LDAP configuration ...

LDAP configuration successfully saved.

Synchronizing LDAP users

After you have completed the LDAP Authentication Configuration process, you can use the ldap_sync.sh tool to synchronize LDAP users and groups with the SA database from the command line, as described below.

You can also run the LDAP Users & User Groups Synchronization APX from the SA Client to schedule the synchronization process. This program APX (formerly named, "ldap.user_and_usergroups_sync") is listed in the SA Client under SA Library > By Type > Extensions > Program.

For instructions on running APXs, see the "Run Extensions on Managed Servers" section in the SA 10.51 Use section. This topic is also available in the SA Client help: From the list of Program APXs in the SA Client, click F1 to open the page help, then click the heading link (Extensions: Properties) to open the how-to topic.

To synchronize LDAP users and user groups using ldap_sync.sh:

On a server hosting a Slice Component bundle for your SA Core, log in as the twist user:

su twist

Issue the following command:

cd /opt/opsware/twist

Invoke LDAP synchronization:

./ldap_sync.sh

You will see output similar to the following:

Retrieving LDAP configuration ...

Verifying LDAP server connectivity ...

 

User Synchronization Phase

Searching LDAP directory server for all LDAP users ...

Found 4 LDAP users

Parsing search results ...

4 LDAP users do not exist in SA

Creating them now ...

Creating user cn=link,cn=users,dc=hyrule,dc=local

Creating user cn=krbtgt,cn=users,dc=hyrule,dc=local

Creating user cn=guest,cn=users,dc=hyrule,dc=local

Creating user cn=administrator,cn=users,dc=hyrule,dc=local

 

User Group Synchronization Phase

Searching LDAP directory server for all LDAP user groups ...

Found 16 LDAP user groups

Parsing search results ...

creating user group Denied RODC Password Replication Group

creating user group Allowed RODC Password Replication Group

creating user group Enterprise Read-only Domain Controllers

creating user group Group Policy Creator Owners

creating user group Domain Controllers

creating user group Cert Publishers

creating user group Domain Users

creating user group Enterprise Admins

creating user group Schema Admins

creating user group DnsAdmins

creating user group Read-only Domain Controllers

creating user group RAS and IAS Servers

creating user group Domain Guests

creating user group Domain Admins

creating user group Domain Computers

creating user group DnsUpdateProxy

Updating user groups no longer found in LDAP ...

 

LDAP Users & User Groups Sync Results

==================================================================

Number of LDAP Users Found : 4

Number of LDAP Users Does Not Exist In SA : 4

Number of LDAP Users Successfully Created in SA : 4

Number of LDAP Users Failed To Create In SA : 0

 

Number of LDAP User Groups Found : 16

Number of LDAP User Groups Successfully Updated in SA : 0

Number of LDAP User Groups Successfully Created in SA : 16

Number of SA User Groups No Longer in LDAP : 0

Number of SA User Groups Failed To Update : 0

Number of LDAP User Groups Failed To Process : 0

 

Elapsed Time : 00:00:27

================================================================

LDAP users removed from the LDAP directory will not be removed from SA; however, these user will not be able to log in to SA because their corresponding authentication information has been removed from the LDAP directory.

LDAP user with the same user ID as an existing SA user will be skipped regardless of the user’s credential store type. SA will neither create nor update duplicated users.