Tagged with LDAP - Visokio Forums (http://forums.visokio.com/discussions/tagged/LDAP/feed.rss), feed generated Mon, 30 Oct 17 15:01:18 -0400

Security: LDAP Query Mechanism
http://forums.visokio.com/discussion/2567/security-ldap-query-mechanism
Posted Fri, 23 May 2014 11:50:30 -0400 by Veaceslav in Mobile Web Server Authentication

LDAP Query Mechanism

The LDAP Query authentication mechanism lets you configure Omniscope Mobile server to query an LDAP server to validate user credentials.
  • Users are stored and managed by an LDAP/Active Directory (AD) server
  • Omniscope Mobile server is configured to query the LDAP/AD server


Prerequisites


To configure Omniscope Mobile server to use LDAP query mechanism you need to know the following:
  • LDAP distinguished name (e.g. CN=Users,DC=example,DC=com)
  • LDAP URL and port (e.g. LDAP://ldapserver.example.com:389)
  • LDAP security authentication type (e.g. simple, or CRAM-MD5, or DIGEST-MD5, or none)
  • Local domain name (e.g. example.com)
  • Whether your LDAP/AD server has been configured to use your trusted certificate (only needed if you want to use LDAPS instead of plain LDAP, which does not need that information)

Configuration


  1. Start Omniscope Mobile server

  2. On Mobile Web Server service section click Config, scroll down to Default folder configuration and click Edit

  3. Either create a new group with new permissions, or edit an existing group

  4. Edit LDAP settings

    • Type the LDAP distinguished name (e.g. CN=Users,DC=example,DC=com); it should match the distinguished name configured on your LDAP server
    • Optional: on the LDAP/AD server create a dedicated user to be used only by Omniscope Mobile server to authenticate users and add this user in the LDAP/AD Dedicated User section
      Setting a dedicated user will help authenticate other users by their account name (which may be composed of their first name and last name). By default, users are authenticated using their account id (sAMAccountName) only
    • Type LDAP URL
      This is a full URL pointing to your LDAP/AD server
      Example 1: 'LDAP://ldapserver.example.com:389' where LDAP is protocol name, ldapserver.example.com is the LDAP/AD server and 389 is the default port for the LDAP protocol
      Example 2: 'LDAPS://ldapserver.example.com:636' where LDAPS is LDAP over SSL protocol, ldapserver.example.com is the LDAP/AD server and 636 is the default port for the LDAPS protocol
    • Check Ignore Ssl certificate issues only if necessary (your LDAP/AD server has not been configured to use your trusted certificate and you want to use the LDAPS protocol instead of LDAP)
    • Select the security authentication type supported by your LDAP/AD server.
      By default, an LDAP/AD server uses the 'simple' security type. However, you should contact your administrator to check whether you need to use a different type such as CRAM-MD5, DIGEST-MD5, or none
    • Select principal name format. Choosing DOMAIN\{Name} or {Name}@DOMAIN will enable Omniscope server to prepend/append the domain name automatically if the user did not type it already
    • Type your local domain name to be appended to usernames automatically when authenticating users. This field will be disregarded if you selected {Name} for principal name format field



LDAP Filter


If you want to authorize only specific users from a LDAP group you should use the LDAP Filter option.

For instance, let's say you have a group 'CN=Sales,CN=Users,DC=example,DC=com' that has four users: john.smith, ellen.doe and two other users. However, you want to authorize only the first two users. To do so, click the LDAP Filter option and add the two users as attribute/value pairs, as in the screenshot of the original post.

Note: the LDAP/AD attribute name must exactly match a user attribute name on your LDAP/AD server (e.g. 'sAMAccountName'), and the values you add must match the actual attribute values of the users you want to authorize.
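The filter above written out as an LDAP search filter, with an offline check of the same rule, as an added illustration (not Omniscope's own code): the attribute name, group DN and the two account ids come from this post, the directory entries are constructed sample data, and values are escaped per RFC 4515 so that a typed value cannot change the filter's structure.

```python
import re

# RFC 4515 escaping for values placed inside an LDAP search filter; without it a
# value such as "*)(objectClass=*" would widen the filter instead of matching
# one account.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def account_id(typed_name: str) -> str:
    """Reduce DOMAIN\\name or name@DOMAIN to the bare account id (sAMAccountName)."""
    name = typed_name.strip()
    if "\\" in name:
        name = name.rpartition("\\")[2]
    elif "@" in name:
        name = name.rpartition("@")[0]
    if not name:
        raise ValueError("empty account name")
    return name

def build_filter(group_dn: str, attribute: str, allowed: list) -> str:
    """Search filter for 'member of group_dn AND attribute is one of allowed'."""
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", attribute):
        raise ValueError(f"bad attribute name: {attribute!r}")
    alternatives = "".join(f"({attribute}={escape_filter_value(v)})" for v in allowed)
    return f"(&(memberOf={escape_filter_value(group_dn)})(|{alternatives}))"

def is_authorized(typed_name, directory, group_dn, attribute, allowed) -> bool:
    """Offline evaluation of the same rule against directory entries (dicts)."""
    wanted = account_id(typed_name).lower()   # AD matches account names case-insensitively
    allowed_lc = {a.lower() for a in allowed}
    for entry in directory:
        value = str(entry.get(attribute, "")).lower()
        groups = {g.lower() for g in entry.get("memberOf", [])}
        if value == wanted and value in allowed_lc and group_dn.lower() in groups:
            return True
    return False

# Constructed sample entries standing in for the LDAP/AD server's data.
SALES_GROUP = "CN=Sales,CN=Users,DC=example,DC=com"
DIRECTORY = [
    {"sAMAccountName": "john.smith", "memberOf": [SALES_GROUP]},
    {"sAMAccountName": "ellen.doe", "memberOf": [SALES_GROUP]},
    {"sAMAccountName": "pat.jones", "memberOf": [SALES_GROUP]},
]
ALLOWED = ["john.smith", "ellen.doe"]
```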
Security: Mobile Web Server Authentication using AD & LDAP+SSO
http://forums.visokio.com/discussion/2564/security-mobile-web-server-authentication-using-ad-ldap-sso
Posted Fri, 23 May 2014 06:49:45 -0400 by Veaceslav in Mobile Web Server Authentication

Mobile Web Server Authentication


Mobile Server authentication has been redesigned to include LDAP/Active Directory (AD) authentication and Single-Sign-On (SPNEGO) mechanism while preserving the List Of Users (Omniscope Users) existing mechanism.

A realm defines a protection space. Realms allow the protected resources on the server to be partitioned into a set of protection spaces, each with its own authentication and authorization settings.

By default, all protected resources on the server are configured in the config.xml file. This is the (Home) realm. Specific folders may be manually configured to have their own set of permissions and authentication groups. For more information about folder permissions read this post.

Server permissions may be configured for anonymous users and for authentication groups.

A group may have a list of authentication mechanisms and server permissions.

For instance, the server may be configured to have a group named 'Data Analysts' with permissions to:
- List directory
- View in mobile
- Export view data
and authenticate users through LDAP Query and List Of Users.


Authentication mechanisms


List Of Users

The List Of Users mechanism lets you define custom Omniscope users that are stored and managed by the Omniscope Mobile server. No third-party servers/services are involved. Users are manually added/edited/removed by an administrator of the server.

A user name and a password have to be added for each individual user. Read this post for more information about List Of Users mechanism configuration.

LDAP Query

The LDAP Query authentication mechanism lets you configure Omniscope Mobile server to query an LDAP server to validate user credentials.

  • Users are stored and managed by an LDAP/AD server
  • Omniscope Mobile server is configured to query the LDAP/AD server

To learn how to configure Omniscope server to use LDAP Query read this post.

SPNEGO (Single-Sign-On) Mechanism

The SPNEGO (Single-Sign-On) mechanism allows users to authenticate automatically with their LDAP/AD account without being asked for credentials. With a proper setup, authorized users never type their credentials in any dialog or form. Unauthorized users, however, are either prompted for credentials or are denied server access.

  • Users are stored and managed by an LDAP/AD server
  • LDAP/AD user password is never sent to Omniscope server
  • Omniscope Mobile server is configured to ask the LDAP/AD server to validate user tokens

How does SPNEGO work?

The browser negotiates with the LDAP/AD server and obtains a temporary ticket, which is then used to generate temporary unique tokens that are included in every client/browser request sent to Omniscope Mobile server. The tokens contain no user name, password or other sensitive data; they are opaque strings that can be verified only by the LDAP/AD server. Whenever Omniscope Mobile receives a request carrying a SPNEGO token, it asks the LDAP/AD server to validate the token; if the token is valid, the LDAP/AD server returns only the user name associated with it. Omniscope server then checks whether that user is authorized to be served the requested resource and proceeds accordingly.

To learn how to configure Omniscope server to use SPNEGO mechanism read this post.

Authentication Groups

A group may have multiple authentication mechanisms. Each mechanism is tried in turn during authentication until the user authenticates successfully. If no group authorizes the action requested by the user, access is denied.

You may want to temporarily disable groups instead of deleting them and then adding them back later when needed. Disabled groups are disregarded during authentication.
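The group evaluation rules described above (mechanisms tried in order until one succeeds, denial when no group authorizes the action, disabled groups disregarded) as an added Python illustration; the group names, permissions and user stores are constructed samples and the mechanisms are stand-ins, not Omniscope's code.

```python
import secrets
from functools import partial
from dataclasses import dataclass
from typing import Callable, Optional

# A mechanism takes (user, secret) and returns the authenticated user name or
# None; real ones would be List Of Users, LDAP Query or SPNEGO.
Mechanism = Callable[[str, str], Optional[str]]

@dataclass
class Group:
    name: str
    mechanisms: list        # tried in order until one succeeds
    permissions: set        # e.g. {"List directory", "View in mobile"}
    enabled: bool = True    # disabled groups are disregarded entirely

def authenticate(group: Group, user: str, secret: str) -> Optional[str]:
    """Try each mechanism in turn and stop at the first that accepts the user."""
    for mech in group.mechanisms:
        who = mech(user, secret)
        if who is not None:
            return who
    return None

def is_allowed(groups: list, user: str, secret: str, action: str) -> bool:
    """Grant only if some enabled group authenticates the user AND carries the
    requested permission; if no group authorizes the action, deny."""
    return any(action in g.permissions and authenticate(g, user, secret) is not None
               for g in groups if g.enabled)

# Constructed stand-ins for the mechanisms: plain dict lookups with a
# constant-time comparison, not real List Of Users or LDAP/AD calls.
def _check(store: dict, user: str, secret: str) -> Optional[str]:
    stored = store.get(user)
    if stored is None or not secrets.compare_digest(stored, secret):
        return None
    return user

list_of_users = partial(_check, {"alice": "s3cret"})
ldap_query = partial(_check, {"john.smith": "Winter2014"})
contractor_list = partial(_check, {"bob": "pw"})

GROUPS = [
    Group("Data Analysts", [ldap_query, list_of_users],
          {"List directory", "View in mobile", "Export view data"}),
    Group("Contractors", [contractor_list], {"List directory"}, enabled=False),
]
```

With this setup alice is accepted by the second mechanism of Data Analysts, bob is refused because Contractors is disabled, and any action a group does not list is denied even for an authenticated user.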
