- Overview
- Configuring Active Directory
- Multi-domain controllers in LDAP
- Security requirements
- Additional resources
Overview
To facilitate user access to the Login Enterprise virtual appliance, you need to configure Active Directory (AD) integration. The appliance offers two permission levels to choose from:
- Login Enterprise Administrator - this role grants full and unrestricted access to the appliance, enabling users to modify settings and configurations as needed.
- Login Enterprise Read-Only - this role allows users to view the Dashboard, Charting, Events, and Export Data functionalities, but does not permit them to make any modifications or changes.
If you are assigned to both permission groups, the highest level of permission takes precedence. For instance, Administrator permissions override Read-Only permissions.
Configuring Active Directory
To set up Active Directory integration, follow these steps:
1. In the Login Enterprise sidebar menu, scroll down to Other > Access Control.
We recommend creating two distinct AD groups, 'Administrators' and 'Read-Only', dedicated to Login Enterprise rather than mapping broad existing groups: membership in the Admin Group gives full control of the appliance.
2. In Access Control, provide the following information:
| Field | Value |
|---|---|
| AD Domain FQDN | The fully qualified domain name (FQDN) of the domain used for authentication. |
| Domain controller | The domain controller(s) that process the authentication requests. As of Login Enterprise 5.10, you can configure up to 5 domain controllers for LDAP authentication, as a semicolon-separated list in priority order. |
| Port | The port used for LDAP: 389 for plain LDAP, 636 for LDAPS. |
| SSL/TLS Settings | |
| AD Timeout | How long the appliance waits for the domain controller to respond. As of Login Enterprise 5.6, you can raise the default 60-second AD timeout to up to 180 seconds. |
| Admin Group | The name of the AD group whose members get administrator access to Login Enterprise. |
| Read-Only Group | The name of the AD group whose members get read-only access to Login Enterprise. |
3. Click Save Changes to apply the AD authentication settings. You can then log out and log back in with your domain account.
Multi-domain controllers in LDAP
Login Enterprise supports up to five domain controllers for LDAP authentication. If the primary domain controller is unavailable, the appliance automatically tries the next controller in the list, so authentication keeps working through a fail-over across the configured domain controllers (DCs).
Configuring this feature requires administrator access to Login Enterprise.
Configuring multi-domain controllers
1. Open the Access Control panel (Other > Access Control in the sidebar), which holds the LDAP settings.
2. Update Domain Controllers list: Input the domain controllers in the order of priority in the field Domain controller as a semicolon-separated list. For example: devqadc1.internal.cloudapp.net; qadevdc2.internal.cloudapp.net; devqadc3.internal.cloudapp.net; devqadc4.internal.cloudapp.net; devqadc5.internal.cloudapp.net
a. All DCs must be reachable and the configured port (389 in this example; 636 for LDAPS) must be open on each of them.
b. Otherwise, the application shows an error message for the DCs that fail the check and the list is not accepted.
3. Save and apply the changes to enable the feature.
4. Log off and log in again.
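The following script is an added example for this page, not part of Login Enterprise. It applies the rules from the Access Control table and the procedure above to the "Domain controller" field: it parses the semicolon-separated list (priority order, at most five entries, no duplicates), then probes each DC in that order with a 5-second TCP connect, which is the order-and-timeout behaviour the IdentityServer log shows, and optionally checks that a DC accepts a TLS 1.2 or later handshake on the LDAPS port. The probe is injectable so the selection logic can be exercised offline; the host names in `demo()` are constructed from the page's example, and the function and constant names are my own.

```python
"""Pre-flight check for the Access Control 'Domain controller' and 'Port' fields.

Added example for this page; it is not part of Login Enterprise. Names of the
functions and constants below are assumptions made for the illustration.
"""
import socket
import ssl
from typing import Callable, List, Optional, Tuple

MAX_DCS = 5             # limit stated for Login Enterprise 5.10 and later
PORT_CHECK_TIMEOUT = 5  # seconds; the port-open check timeout seen in the log
LDAP_PORT, LDAPS_PORT = 389, 636

Probe = Callable[[str, int], Tuple[bool, str]]


def parse_dc_list(raw: str) -> List[str]:
    """Split the field value into an ordered, de-duplicated, sanity-checked host list."""
    hosts = [h.strip().lower() for h in raw.split(";") if h.strip()]
    if not hosts:
        raise ValueError("at least one domain controller is required")
    if len(hosts) > MAX_DCS:
        raise ValueError(f"at most {MAX_DCS} domain controllers are supported, got {len(hosts)}")
    seen = set()
    for host in hosts:
        # Host-name syntax only: non-empty labels of letters, digits and inner hyphens.
        for label in host.split("."):
            if not label or label[0] == "-" or label[-1] == "-" or not label.replace("-", "").isalnum():
                raise ValueError(f"'{host}' is not a valid host name")
        if host in seen:
            raise ValueError(f"duplicate domain controller '{host}'")
        seen.add(host)
    return hosts


def tcp_probe(host: str, port: int, timeout: float = PORT_CHECK_TIMEOUT) -> Tuple[bool, str]:
    """Real probe: DNS lookup plus TCP connect, like the appliance's port-open check."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "port open"
    except socket.gaierror as exc:            # the 'Name or service not known' case
        return False, f"DNS failure: {exc}"
    except OSError as exc:                    # timeout, connection refused, or filtered
        return False, f"connect failed: {exc}"


def select_dc(hosts: List[str], port: int, probe: Probe = tcp_probe):
    """Walk the list in priority order; return (first reachable DC or None, all attempts)."""
    attempts = []
    for host in hosts:
        ok, why = probe(host, port)
        attempts.append((host, ok, why))
        if ok:
            return host, attempts
    return None, attempts


def ldaps_handshake(host: str, port: int = LDAPS_PORT, timeout: float = PORT_CHECK_TIMEOUT):
    """Check that the DC accepts TLS 1.2+ on the LDAPS port with a certificate that
    chains to a CA in this machine's trust store and matches the host name.
    Returns (negotiated TLS version, certificate subject); raises on failure."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.getpeercert().get("subject")


def demo() -> Optional[str]:
    """Offline walk-through using a constructed outcome table instead of the network."""
    field_value = ("devqadc5.internal.cloudapp.net; devqadc1.internal.cloudapp.net; "
                   "devqadc3.internal.cloudapp.net")
    down = {"devqadc5.internal.cloudapp.net"}   # constructed: pretend this VM is stopped
    fake_probe = lambda h, p: (h not in down, "port open" if h not in down else "DNS failure")
    chosen, attempts = select_dc(parse_dc_list(field_value), LDAP_PORT, probe=fake_probe)
    for host, ok, why in attempts:
        print(f"{host}:{LDAP_PORT} -> {'OK' if ok else 'FAIL'} ({why})")
    return chosen


if __name__ == "__main__":
    print("selected:", demo())
```

Run it with the real `tcp_probe` (the default) from a host on the same network path as the appliance before you save the list; a DC that fails here will also fail the appliance's own check. `ldaps_handshake` only tells you whether a TLS 1.2+ session can be negotiated and the chain is trusted; the 2048-bit key requirement still has to be checked on the certificate itself.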
Using multi-domain controllers
Once configured, the system will handle authentication requests across the specified domain controllers without further user intervention.
1. If one of the DCs is unavailable (for example a stopped VM whose name no longer resolves), the failed attempt and the fail-over to the next DC are logged in the IdentityServer container log:
```
[19:34:28 INF] Attempting to connect to LDAP server
[19:34:28 INF] Connecting to devqadc5.internal.cloudapp.net:389 (ssl: False)
[19:34:28 ERR] Connection failed to ldap://devqadc5.internal.cloudapp.net:389: Connect Error (Ldap result #91 Connect Error)
LdapException: Unable to connect to server devqadc5.internal.cloudapp.net:389 (91) Connect Error
System.Net.Internals.SocketExceptionFactory+ExtendedSocketException (00000005, 0xFFFDFFFF): Name or service not known
[19:34:28 INF] Connecting to devqadc1.internal.cloudapp.net:389 (ssl: False)
[19:34:28 INF] Connected to LDAP server
[19:34:28 INF] Attempting to bind to LDAP server with username: LEAdminAcct@czdemo.ad
[19:34:28 INF] Binding user credentials
[19:34:28 INF] Bind succeeded, authentication DN: LEAdminAcct@czdemo.ad
```
2. The same fail-over happens when the DC resolves but the port is closed or filtered. Note that the port-open check has its own 5-second timeout, independent of the AD Timeout setting:
```
[09:50:45 INF] Connecting to devqadc5.internal.cloudapp.net:389 (ssl: False)
[09:50:45 INF] Checking if port 389 is open
[09:50:45 INF] Connecting to 10.0.0.9:389
[09:50:50 ERR] Connection failed to ldap://devqadc5.internal.cloudapp.net:389 due to configured timeout of 5 sec for port open check.
[09:50:50 INF] Connecting to devqadc1.internal.cloudapp.net:389 (ssl: False)
[09:50:50 INF] Checking if port 389 is open
[09:50:50 INF] Connecting to 10.0.0.5:389
[09:50:50 INF] Port 389 is open
[09:50:50 INF] Connected to LDAP server
[09:50:50 INF] Attempting to bind to LDAP server with username: LEAdminAcct@czdemo.ad
[09:50:50 INF] Binding user credentials
[09:50:50 INF] Bind succeeded, authentication DN: LEAdminAcct@czdemo.ad
[09:50:50 INF] Successfully bound to LDAP server
```
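The log excerpts above are what you would feed to monitoring. The script below is an added example, not part of Login Enterprise: it parses the IdentityServer connection lines into one authentication attempt, then reports two things an operator wants to know, namely that a fail-over skipped a DC (the primary is down even though users can still log in) and that the bind went out with `ssl: False`, i.e. the account's password was sent to the DC over plain LDAP on 389. The sample log is constructed from the second excerpt on this page, and the regular expressions are my assumptions about the line format.

```python
"""Summarise IdentityServer LDAP connection log lines.

Added example for this page; not part of Login Enterprise. SAMPLE_LOG is a
constructed copy of the page's excerpt; the regexes assume that line format.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE_LOG = """\
[09:50:45 INF] Connecting to devqadc5.internal.cloudapp.net:389 (ssl: False)
[09:50:45 INF] Checking if port 389 is open
[09:50:45 INF] Connecting to 10.0.0.9:389
[09:50:50 ERR] Connection failed to ldap://devqadc5.internal.cloudapp.net:389 due to configured timeout of 5 sec for port open check.
[09:50:50 INF] Connecting to devqadc1.internal.cloudapp.net:389 (ssl: False)
[09:50:50 INF] Checking if port 389 is open
[09:50:50 INF] Connecting to 10.0.0.5:389
[09:50:50 INF] Port 389 is open
[09:50:50 INF] Connected to LDAP server
[09:50:50 INF] Attempting to bind to LDAP server with username: LEAdminAcct@czdemo.ad
[09:50:50 INF] Binding user credentials
[09:50:50 INF] Bind succeeded, authentication DN: LEAdminAcct@czdemo.ad
"""

# The "Connecting to <ip>:<port>" line has no "(ssl: ...)" suffix, so only the
# per-DC attempt line matches here.
CONNECT_RE = re.compile(
    r"^\[(?P<t>\d\d:\d\d:\d\d) INF\] Connecting to (?P<host>[^:\s]+):(?P<port>\d+) \(ssl: (?P<ssl>True|False)\)$")
FAIL_RE = re.compile(r"^\[(?P<t>\d\d:\d\d:\d\d) ERR\] Connection failed to ldap://(?P<host>[^:\s]+):(?P<port>\d+)")
CONNECTED_RE = re.compile(r"\] Connected to LDAP server$")
BIND_RE = re.compile(r"\] Bind succeeded, authentication DN: (?P<dn>\S+)$")


@dataclass
class AuthAttempt:
    failed_dcs: List[str] = field(default_factory=list)   # DCs skipped by fail-over, in order
    connected_dc: Optional[str] = None                     # DC that finally answered
    ssl: Optional[bool] = None                             # the "(ssl: ...)" flag of that DC
    bound_as: Optional[str] = None                         # DN reported on a successful bind


def parse_log(text: str) -> AuthAttempt:
    """Fold the connection lines of one authentication into an AuthAttempt."""
    attempt = AuthAttempt()
    current = None  # (host, ssl) of the DC currently being tried
    for line in text.splitlines():
        m = CONNECT_RE.match(line)
        if m:
            current = (m["host"], m["ssl"] == "True")
            continue
        m = FAIL_RE.match(line)
        if m:
            attempt.failed_dcs.append(m["host"])
            current = None
            continue
        if current and CONNECTED_RE.search(line):
            attempt.connected_dc, attempt.ssl = current
            continue
        m = BIND_RE.search(line)
        if m:
            attempt.bound_as = m["dn"]
    return attempt


def findings(attempt: AuthAttempt) -> List[str]:
    """Turn one attempt into operator-facing findings (empty list means nothing to flag)."""
    out = []
    if attempt.failed_dcs:
        out.append(f"fail-over: skipped {', '.join(attempt.failed_dcs)} before reaching {attempt.connected_dc}")
    if attempt.ssl is False and attempt.bound_as:
        out.append(f"plaintext bind: credentials for {attempt.bound_as} sent to {attempt.connected_dc} without TLS")
    if attempt.connected_dc is None:
        out.append("no domain controller reachable")
    return out


if __name__ == "__main__":
    for line in findings(parse_log(SAMPLE_LOG)):
        print(line)
```

Run it over the container log of the appliance (the page's first excerpt parses the same way, since the `Connection failed to ldap://...` line is matched up to the port). A "fail-over" finding is the signal that the primary DC needs attention; a "plaintext bind" finding is the signal to move the appliance to LDAPS before the DCs start refusing unsigned binds.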
Security requirements
The minimum requirements for secure AD authentication over LDAPS (port 636) are:
- TLS 1.2 (or later)
- A domain controller certificate with a key of at least 2048 bits
Note that the log excerpts above show `ssl: False` on port 389: with that configuration the simple bind sends the account's password to the domain controller unencrypted, so use LDAPS wherever the domain controllers support it.
Additional resources
- For troubleshooting login problems with LDAP/Active Directory, see Login problems with LDAP/Active Directory (note that this is a workaround/temporary solution if you are using Login Enterprise 5.6 or higher).