Overview

The SBC Core is configurable using the CLI and EMA interfaces, and access to these interfaces is authenticated using user credentials. User credentials can be verified using external authentication: the username and password are sent to a remote Lightweight Directory Access Protocol (LDAP) server for centralized authentication, and the user is allowed or denied access to the SBC based on the response from the LDAP server.

SBC users are segregated into the following groups, which define the privileges of each user. Access to data and commands is allowed or denied based on the group of the user attempting the access.

  • Administrator
  • Operator
  • FieldService
  • Guest
  • SecurityAuditor
  • Calea

Configuring LDAP

Set External Authentication Type to LDAP

To configure LDAP authentication for the SBC Core, you must first enable external authentication and then configure the remote LDAP server.

  1. Log in to the SBC CLI.
  2. Execute the following System Admin command:

    Example
    set system admin SBC-1 externalAuthenticationType ldap
Note

For CLI configuration details, refer to External Authentication - CLI. To enable the external authentication using EMA, refer to System - Admin.

Establish LDAP Authentication

Configure information to communicate with one or more LDAP servers using the OAM command.

set oam ldapAuthentication ldapServer ldap1 priority 1 transport tls binddn "ou=people,dc=example,dc=com" searchbase "dc=example,dc=com" ldapServerAddress 169.172.201.153 state enabled


Note

For CLI configuration details, refer to LDAP Authentication - CLI. To establish the LDAP authentication using EMA, refer to OAM - LDAP Authentication - LDAP Server.

The SBC provides Lightweight Directory Access Protocol (LDAP) support for Microsoft Active Directory (AD) services. LDAP support was originally added for logging in to confd via SSH or NETCONF to establish external centralized authentication. However, that support was developed only for Linux-style LDAP servers, not for Microsoft's AD services.

The LDAP Authentication configuration is enhanced with an advanced mode that lets you bind to the LDAP server as a user with elevated privileges, so that the SBC can search the entire LDAP database to determine the group with which the user is associated.

The following updates are made to the LDAP Authentication configuration to facilitate SBC LDAP support of Microsoft's AD services.

  1. Genericized the LDAP bind parameter to support both AD and openldap schemas.

  2. Added a new search parameter to allow querying the AD database for the user's group membership information.

  3. Added two new parameters to specify a service username/password when performing the search described in #2.

  4. Added a new table to specify the mapping of the groups returned by the search in #2.


Obtain groupName

Two methods are available to get the groupName.

Method 1:

Set the groupName parameter to the LDAP attribute that contains the group name. For example, a user record of this type looks like the following sample directory entry for account "jsmith":

# jsmith, People, example.com
dn: uid=jsmith,ou=People,dc=example,dc=com
uid: jsmith
cn: Joe Smith
objectClass: top
objectClass: person
objectClass: inetOrgPerson
userPassword:: sunshine23!
groupName: Administrator
accessLevel: userAccessLevel1

In this case, the groupName parameter is set to the LDAP attribute groupName, and the value Administrator is returned as the group.

Method 2:

If the groupName parameter is not set, then each filter in the filters table is tried in order until a match is made. A user entry in this case does not include the groupName attribute. Here is a sample directory entry for account "jsmith":

# jsmith, People, example.com
dn: uid=jsmith,ou=People,dc=example,dc=com
uid: jsmith
cn: Joe Smith
objectClass: top
objectClass: person
objectClass: inetOrgPerson
userPassword:: sunshine23!
accessLevel: userAccessLevel1

In this case, the filter (&(uid=%%USERNAME%% ) (accessLevel:=userAccessLevel1)) matches the accessLevel: userAccessLevel1 attribute, and the groupName is Administrator, as configured for that filter in the filters table.

Obtain Correct privileges via LDAP Query

Configure a set of filters against predefined or custom groups to determine whether the specified user is a member of those groups. The filters are evaluated in the order specified in the LDAP Filters table. If a filter returns at least one record, the user is considered a member of that filter's group, and that group name is used; later filters are not consulted.

Example
set oam ldapAuthentication ldapFilters order 1 groupName Administrator filter (&(uid=%%USERNAME%% )(accessLevel:=userAccessLevel1)) 
Note

For CLI configuration details, refer to LDAP Authentication - CLI. To set the LDAP filters using EMA, refer to OAM - LDAP Authentication - LDAP Filters.
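As an added illustration (not Ribbon's own code), the following Python models the two group-resolution methods above and the ordered evaluation of the ldapFilters table. It evaluates each filter against the user's own entry instead of running a real LDAP search; the bjones entry and the order-2 filter row are assumed, while the jsmith entries and the order-1 filter come from the text.

```python
def parse_filter(s, i=0):
    """Parse a simplified RFC 4515 filter ('&', '|', attr=value, attr:=value).
    Returns (node, index_after_filter)."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d in %r" % (i, s))
    i += 1
    if s[i] in "&|":                            # (&(...)(...)) or (|(...)(...))
        op, kids, i = s[i], [], i + 1
        while s[i] != ")":
            if s[i].isspace():                  # tolerate stray spaces between items
                i += 1
                continue
            node, i = parse_filter(s, i)
            kids.append(node)
        return (op, kids), i + 1
    j = s.index(")", i)                         # simple item: attr=value
    attr, _, value = s[i:j].partition("=")
    # ':=' (extensible match) is treated as equality. Whitespace around the value
    # is trimmed here; a real server keeps it, so "(uid=jsmith )" matches nothing.
    return ("=", attr.rstrip(":").strip().lower(), value.strip()), j + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry given as {attr: [values]}."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])   # "(&)" matches every entry
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    _, attr, value = node
    return value.lower() in [v.lower() for v in entry.get(attr, [])]

def resolve_group(username, entry, group_name_attr=None, filters=()):
    """Method 1 when group_name_attr is set (no fallback to filters, as modelled
    here); otherwise Method 2: first matching filter in 'order' wins. None = no group."""
    if group_name_attr:
        values = entry.get(group_name_attr.lower(), [])
        return values[0] if values else None
    for _order, group, flt in sorted(filters):
        node, _ = parse_filter(flt.replace("%%USERNAME%%", username))
        if matches(node, entry):
            return group
    return None

# Constructed entries mirroring the documented jsmith record (plus an assumed bjones).
JSMITH_M1 = {"uid": ["jsmith"], "groupname": ["Administrator"], "accesslevel": ["userAccessLevel1"]}
JSMITH_M2 = {"uid": ["jsmith"], "accesslevel": ["userAccessLevel1"]}
BJONES = {"uid": ["bjones"], "accesslevel": ["userAccessLevel2"]}
# Constructed ldapFilters table (order, groupName, filter); row 1 is the documented one.
FILTERS = [(1, "Administrator", "(&(uid=%%USERNAME%% ) (accessLevel:=userAccessLevel1))"),
           (2, "Operator", "(&(uid=%%USERNAME%%)(accessLevel:=userAccessLevel2))")]
```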

Configure LDAP Servers

Configure SBC Core information to communicate with one or more LDAP servers. See Establish LDAP Authentication.

Configure LDAP Retry Criteria

Configure the LDAP Server Retry Criteria, which control how long the SBC waits before reattempting an authentication request that failed (retryTime), how many times it retries (retryCount), and how long the LDAP server remains out of service after a timeout (oosDuration).

Example
set oam ldapAuthentication retryCriteria retryTime 1000 retryCount 3 oosDuration 60
Note

For CLI configuration details, refer to LDAP Authentication - CLI. To configure LDAP Retry Criteria using EMA, refer to OAM - LDAP Authentication - LDAP Retry Criteria.

Maintaining LDAP

Send a 're-enable' Command to Re-enable the LDAP Server

An LDAP server is marked "unavailable" when the SBC cannot reach it. Use the request command to re-enable the LDAP server, which sets its status back to "available".

Example
request oam ldapAuthentication ldapServer ldapServer1 reEnableServer

For CLI configuration details, refer to LDAP Authentication - CLI. To re-enable the LDAP server using EMA, refer to OAM - LDAP Authentication - LDAP Server.

View LDAP Status

Use the following OAM command to view LDAP server status details.

Example
% show table oam ldapAuthentication ldapStatus

For CLI configuration details, refer to LDAP Authentication - CLI. To view the LDAP server status using EMA, refer to OAM - LDAP Authentication - LDAP Status.