Itential Automation Platform

Active Directory Authentication

Use this section to configure Itential Automation Platform (IAP) to authenticate users against Active Directory (AD) over LDAP.

Define LDAP Groups

The groups that will be associated with the various IAP applications must be defined in the authentication server (AD) before IAP is configured.

  • SystemAdmin
  • DSOperator
  • DSManager
  • DSEngineer
  • Developer

Below is an example of defined groups.

Defined Groups

Create LDAP User for IAP

An LDAP user must be set up in the authentication database for IAP to use when connecting to the LDAP server and running queries. This user does not need to be a member of any of the defined groups; it only needs to be able to bind to the LDAP server and read the users and groups above. Grant it no other rights, since its password will be stored in the IAP configuration.

Confirm Connection to LDAP Server

Before proceeding, verify that the LDAP user can connect to the LDAP server. Besides confirming connectivity, this provides several of the values needed later in this procedure.

This verification can be performed with ldapsearch (from the openldap-clients package on RHEL-based systems, or ldap-utils on Debian-based systems), which must be installed on the IAP server. Once the tool has been installed, execute the following two commands:

Command

export LDAPTLS_REQCERT=never
  • This tells the OpenLDAP client not to request or verify the LDAP server's certificate. It does not turn off encryption; it turns off certificate validation, so a connection that succeeds with it proves reachability and credentials, not the server's identity.
  • Run this command only once per ssh session; it affects only the current shell.
  • Use it only for this initial connectivity test over an ldaps:// URL, before the CA certificate has been installed. Once the root certificate from Install Root Certificate is in place, set LDAPTLS_CACERT to that file instead, so ldapsearch verifies the server certificate the same way IAP should.

Command

ldapsearch -H ldaps://<IP Address of LDAP Server>:<Port> -b '<Base DN>' -D <UserName>@<Domain> -w '<Password>' cn='<Common Name>' -s sub -x
  • IP Address of LDAP Server: the IP address or hostname of your LDAP server, provided by an AD administrator. Once you verify certificates (see Install Root Certificate), use the hostname that appears in the server certificate, because the check compares it with the address in the URL.
  • Port: the port of the LDAP server. 636 is the standard port for LDAP over SSL/TLS (ldaps://). 389 is the standard port for plain LDAP; if you use it, change the URL scheme to ldap:// as well, and be aware that the bind password then crosses the network in cleartext unless you add -ZZ to require StartTLS.
  • Base DN: provided by an AD administrator.
  • UserName: the username of the account created for IAP to connect to AD.
  • Domain: provided by an AD administrator.
  • Password: password for the IAP user. Passing it with -w puts it in your shell history and in the process list; -W prompts for it instead.
  • Common Name: the cn of the object to search for, provided by an AD administrator. The search returns that object's attributes, which supply values needed later.

Below is an example of a successful ldapsearch connection.

LDAP Search

Install LDAP Adapter

Use the following to add adapter-ldap to your IAP build and deploy the new build.

  1. The LDAP and local AAA adapters can both be installed at the same time; however, only one of them may be active at a given time.

    LDAP Local AAA Adapter

  2. Keep a separate properties file for each authentication backend so you can switch between them (recommended best practice).

    • The example below uses three properties files: one for local AAA authentication, one for the production LDAP server, and one for the staging LDAP server.
    • To change the connection method, copy the appropriate file over properties.json and restart IAP.
    • This is only needed if you expect to switch between authentication methods. Each file holds a bind password, so give them the same restrictive permissions as properties.json.

    Multi Prop Files

Install Root Certificate

The authentication server administrator must provide the CA certificate (the root or issuing certificate that signed the LDAP server's certificate) for IAP to use when verifying the server.

  1. Copy this certificate to /opt/pronghorn/current/custom/keys.
    • Files under custom are carried over during an IAP upgrade.
    • You may need to create the keys directory.
  2. Verify the permissions are set to 644. The CA certificate is public, so it needs no secrecy, only readability by the IAP service account.

Configure Properties File

Modify the IAP properties.json file to incorporate the new LDAP connection.

  1. Create a backup of the configuration file.

  2. Add the adapter entry below to the configuration file. The values come from the ldapsearch command above and from the groups defined for IAP in the authentication server.

      {
        "id": "Prod LDAP",
        "type": "LDAP",
        "properties": {
          "domain": "<Domain>",
          "url": "ldaps://<IP Address>:<Port>",
          "bindUsername": "<User>@<Domain>",
          "bindPassword": "<Password>",
          "baseDN": "<Base DN>",
          "groupSearchFilter": "",
          "userSearchFilter": "sAMAccountName",
          "timeout": 5000,
          "healthCheckInterval": 5000,
          "connectTimeout": 5000,
          "idleTimeout": 5000,
          "timeLimit": 10,
          "reconnect": true,
          "activeDirectory": true,
          "customGroups" : [
            "Pronghorn DSManager",
            "Pronghorn Developer",
            "Pronghorn DSOperator",
            "Pronghorn DSEngineer",
            "Pronghorn SystemAdmin"
          ],
          "tlsOptions": {
            "secureProtocol": "TLSv1_method",
            "requestCert": true,
            "rejectUnauthorized": false,
            "ca": "/opt/pronghorn/current/custom/keys/root.cer"
          }
        },
        "groups": [],
        "brokers": [
          "aaa"
        ]
      },
    • rejectUnauthorized: false tells Node to accept any server certificate, so the ca file above is not actually enforced. Use it only while confirming connectivity; once the root certificate is installed, set it to true, which is the setting that makes IAP verify it is talking to the real domain controller.
    • secureProtocol: TLSv1_method pins the connection to TLS 1.0. Unless the domain controller offers nothing newer, use TLSv1_2_method, or omit secureProtocol and let Node negotiate the highest version both sides support.
    • bindPassword is stored in cleartext in properties.json, so restrict the file to the IAP service account (for example, mode 600) and treat every copy, including backups and the alternate properties files above, as a secret.
  3. Set up the default admin groups in authenticationProps. You may list any number of LDAP groups whose members will be treated as IAP admins. Use the new adapter's id as the provenance and the LDAP group name as the group.

    "authenticationProps": {
        "description": "Authentication",
        "uniqueSession": false,
        "admins": [
          { "provenance": "Prod LDAP", "group": "Pronghorn SystemAdmin" }
        ]
      },
  4. Restart IAP so the new properties take effect.
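The following script is an added example (not Itential's code) that ties the Confirm Connection to LDAP Server step and the properties file together: it audits an adapter-ldap entry for the weak settings called out above (rejectUnauthorized false, a TLS 1.0 pin, a placeholder bind password, a non-ldaps URL), checks that each authenticationProps admins entry points at a real adapter id, produces a hardened copy, and builds the equivalent ldapsearch test with certificate verification on. It assumes adapter entries sit in an "adapters" array beside "authenticationProps" (an assumption about the properties.json layout); the sample configuration, hostnames and account names are constructed here.

```python
"""Audit an IAP adapter-ldap entry and derive a matching ldapsearch check.
Added example, not Itential's code.  Assumes adapter entries live in an
"adapters" array beside "authenticationProps" (assumption); the sample config
below is constructed and mirrors the page's snippet with placeholders."""
import copy
import json
import shlex

# Constructed sample: the page's adapter entry plus an admin mapping, one of
# whose groups the adapter does not list in customGroups.
SAMPLE_PROPERTIES = json.loads(r'''
{
  "authenticationProps": {
    "admins": [
      {"provenance": "Prod LDAP", "group": "Pronghorn SystemAdmin"},
      {"provenance": "Prod LDAP", "group": "Domain Admins"}
    ]
  },
  "adapters": [{
    "id": "Prod LDAP",
    "type": "LDAP",
    "properties": {
      "domain": "example.local",
      "url": "ldaps://10.0.0.5:636",
      "bindUsername": "svc-iap@example.local",
      "bindPassword": "<Password>",
      "baseDN": "DC=example,DC=local",
      "userSearchFilter": "sAMAccountName",
      "activeDirectory": true,
      "customGroups": ["Pronghorn SystemAdmin", "Pronghorn Developer"],
      "tlsOptions": {
        "secureProtocol": "TLSv1_method",
        "requestCert": true,
        "rejectUnauthorized": false,
        "ca": "/opt/pronghorn/current/custom/keys/root.cer"
      }
    }
  }]
}
''')

# Node.js secureProtocol values that pin the connection below TLS 1.2.
WEAK_PROTOCOLS = {"SSLv2_method", "SSLv3_method", "TLSv1_method", "TLSv1_1_method"}


def audit_ldap_adapter(adapter):
    """Return [(severity, message)] findings for one LDAP adapter entry."""
    findings = []
    p = adapter.get("properties", {})
    tls = p.get("tlsOptions", {})
    if not p.get("url", "").startswith("ldaps://"):
        findings.append(("high", "url is not ldaps://; the bind password crosses the network in cleartext"))
    # With rejectUnauthorized false Node accepts any certificate, so 'ca' is decorative.
    if tls.get("rejectUnauthorized") is not True:
        findings.append(("high", "tlsOptions.rejectUnauthorized is not true; the server certificate is never validated, so 'ca' has no effect"))
    if not tls.get("ca"):
        findings.append(("medium", "tlsOptions.ca is unset; no trust anchor for the LDAP server certificate"))
    if tls.get("secureProtocol") in WEAK_PROTOCOLS:
        findings.append(("medium", f"tlsOptions.secureProtocol={tls['secureProtocol']} pins a protocol below TLS 1.2"))
    pw = p.get("bindPassword", "")
    if not pw or (pw.startswith("<") and pw.endswith(">")):
        findings.append(("high", "bindPassword is empty or still a placeholder"))
    return findings


def audit_admin_mapping(config):
    """Check that every admins entry names an existing adapter id, and warn when
    its group is absent from that adapter's customGroups (consistency check)."""
    by_id = {a.get("id"): a for a in config.get("adapters", [])}
    findings = []
    for entry in config.get("authenticationProps", {}).get("admins", []):
        adapter = by_id.get(entry.get("provenance"))
        if adapter is None:
            findings.append(("high", f"admins provenance {entry.get('provenance')!r} matches no adapter id"))
        elif entry.get("group") not in adapter.get("properties", {}).get("customGroups", []):
            findings.append(("low", f"admin group {entry.get('group')!r} is not in customGroups of {adapter['id']!r}; confirm the adapter imports it"))
    return findings


def harden_ldap_adapter(adapter):
    """Return a copy that enforces certificate validation and drops the TLS 1.0 pin."""
    fixed = copy.deepcopy(adapter)
    tls = fixed.setdefault("properties", {}).setdefault("tlsOptions", {})
    tls["rejectUnauthorized"] = True
    if tls.get("secureProtocol") in WEAK_PROTOCOLS:
        tls["secureProtocol"] = "TLSv1_2_method"
    return fixed


def ldapsearch_command(adapter, sam_account_name):
    """Build the page's connectivity test for this adapter, but verify the server
    certificate against 'ca' via LDAPTLS_CACERT instead of LDAPTLS_REQCERT=never,
    and prompt for the password (-W) rather than putting it on the command line."""
    p = adapter["properties"]
    argv = ["env", f"LDAPTLS_CACERT={p['tlsOptions']['ca']}", "ldapsearch", "-x",
            "-H", p["url"], "-D", p["bindUsername"], "-W", "-b", p["baseDN"],
            "-s", "sub", f"({p['userSearchFilter']}={sam_account_name})", "memberOf"]
    return shlex.join(argv)


if __name__ == "__main__":
    adapter = SAMPLE_PROPERTIES["adapters"][0]
    for sev, msg in audit_ldap_adapter(adapter) + audit_admin_mapping(SAMPLE_PROPERTIES):
        print(f"[{sev}] {msg}")
    print(ldapsearch_command(harden_ldap_adapter(adapter), "jdoe"))
```

To run it against a real installation, replace SAMPLE_PROPERTIES with json.load() of a copy of properties.json. The generated ldapsearch line is the same verification as in Confirm Connection to LDAP Server, except that it checks the server certificate against the installed root.cer and asks for the password interactively, so nothing sensitive lands in the shell history; requesting memberOf for a known user also confirms the group names you will put in customGroups.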

Associate User Groups to Applications

After setting up the LDAP Adapter, you must associate your user groups with each IAP application and determine the roles they will have. This is done through the Groups section in Authorization Manager (Settings > Authorization > Groups).

Authorization Manager

Verify LDAP Connection

  1. Log in to IAP using an LDAP (AD) account.
  2. Open the IAP System view (Settings > System).
  3. Go to Adapters to confirm the connection to the LDAP server.

Adapters List

Troubleshooting

  1. Run journalctl -fu pronghorn. This follows the pronghorn service log, which contains everything IAP writes to STDOUT.
  2. While it is running, try to log in to IAP through the browser; any LDAP bind or search errors will appear in that output. If logins fail only after you set rejectUnauthorized to true, the ca file or the hostname in url does not match the certificate the LDAP server presents.