LDAP Configuration - Host Access Management and Security Server Administrative Console

LDAP Configuration

Use the options on this page to configure Management and Security Server to use your LDAP server to regulate access to terminal sessions. The LDAP administrator for your organization can give you more information about how to configure these options.

LDAP server

Describe your LDAP server using these settings.

  • Server type

    Select the type of LDAP server you are using from the list. The options on this page change depending on the LDAP server type you select. If you do not see your specific LDAP server in the list, select Generic LDAP Compliant Directory Server (RFC 2256).

  • Security options

    Data can be passed between the Administrative Server and the LDAP server in clear text or encrypted. The type of encryption used depends on your LDAP server. Kerberos v.5 is available for Windows Active Directory, and TLS/SSL for all other servers.

    By default, Management and Security Server transmits data between the Administrative Server and the LDAP server in clear text. If you choose this option, you should prevent users from accessing the network link between these two servers.

    Encryption type: Kerberos v.5

    When you select Windows Active Directory with Kerberos, you must enter the names of the Kerberos key distribution centers. Multiple key distribution centers, delimited by commas or spaces, can be used. If you do not know the name of the Kerberos key distribution center, enter the fully-qualified DNS name of the Active Directory server.

    The option under the key distribution center name field allows you to encrypt all data transmitted over the Kerberos connection. By default, only user names and passwords are passed securely between the Administrative and LDAP servers using Kerberos. Encrypting all data is more secure, but may increase performance overhead.

    Encryption type: TLS/SSL

    When you select TLS/SSL security, the Administrative Server negotiates a TLS or SSL v3 protocol version for the connection with the LDAP server. The protocol version negotiated with the LDAP server depends in part on the TLS and SSL protocol versions allowed by that server. The Administrative Server supports SSL v3 for backwards compatibility with older LDAP servers; however, use of SSL v3 is not recommended. If there are some TLS or SSL protocol versions that you do not want to use for LDAP connections, you should disable those protocol versions on the LDAP server.

    To configure security for TLS/SSL connections, you must first import the server’s trusted certificates into the JRE’s default trusted keystore:

    1. Import the certificate to the JRE's keystore file named "cacerts", located in [Management and Security Server Install Dir]\jre\lib\security.

      Example: C:\Program Files\Micro Focus\MSS\jre\bin>keytool -import -trustcacerts -alias myHost -file myHost.cer -keystore ..\lib\security\cacerts

      For more information, see the Java SE 8 documentation for the keytool security tool.

    2. Enter the Java keystore's default password: changeit

    3. Restart the Administrative Server.

  • Server name

    Enter the LDAP server name as either a name or a full IP address. If you selected TLS/SSL above, this LDAP server name must exactly match the Common Name on the LDAP server's certificate. Multiple server names, delimited by commas or spaces, can be used for failover support. If an LDAP server is down, the next server on the list will be contacted. In this case, all fields specified on this page that are used for LDAP connections should be available on all the LDAP servers, and should have identical configurations.

  • Server port

    Enter the port used by your LDAP server. The default is 389 for plain text or 636 for TLS/SSL. If you are using Active Directory, you may wish to set the server port to the global catalog port, which is 3268 (or 3269 over TLS/SSL). Global catalog searches can be faster than referral-based cross-domain searches.

  • Username and password

    Provide the username and password for an LDAP server account that can be used to access the directory in read-only mode. Generally, the account does not require any special directory privileges but must be able to search the directory based on the most common directory attributes (such as cn, ou, member and memberOf). Type in the password again in the Password confirmation box.

    If this account password changes and the Administrative Server's configuration is not updated to use the new password, your users will get error messages when trying to authenticate. To resolve the problem, update the account password here and save your new settings. To avoid this problem, you may wish to set up an account that is not subject to automatic password aging policies, or that will not have the password changed by other administrators without notice.

    NOTE: The user name must uniquely identify the user in the directory. The syntax depends on the type of LDAP server you are using.

    • If you selected Windows Active Directory and Kerberos, enter the userPrincipalName (e.g., username@exampledomain.com). The userPrincipalName is case sensitive. Case sensitivity does not apply to end user logins.

    • If you selected Windows Active Directory with Plain Text, enter the NetBIOS domain\samAccountName (e.g., exampledomain\username), userPrincipalName (e.g., username@exampledomain.com), or distinguished name (e.g., uid=examplename,DC=examplecorp,DC=com).

    • If you selected any other LDAP server type, enter the distinguished name (for example, uid=examplename,DC=examplecorp,DC=com).
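    The user name rules above, as an added example that is not part of the product documentation: a small configuration check that classifies the bind account name as a userPrincipalName, a NetBIOS domain\samAccountName or a distinguished name, and reports whether that form is allowed for the selected server type and security option. It assumes the server type and security option are passed as the strings shown on this page, and that Active Directory without Kerberos means the plain-text rule; the DN check is simplified and does not handle escaped commas inside values.

```python
import re

# Syntax checks for the three user name forms the documentation describes.
# DN: comma-separated attr=value pairs, e.g. uid=examplename,DC=examplecorp,DC=com
# (simplified: escaped commas inside values are not handled).
DN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,=]+(,[A-Za-z][A-Za-z0-9-]*=[^,=]+)*$")
# NetBIOS form: exampledomain\username
NETBIOS_RE = re.compile(r"^[^\\\s@=]+\\[^\\\s@=]+$")
# userPrincipalName form: username@exampledomain.com
UPN_RE = re.compile(r"^[^@\\\s=]+@[^@\\\s=]+\.[^@\\\s=]+$")


def username_format(value):
    """Classify a bind user name as 'dn', 'netbios', 'upn' or None."""
    value = value.strip()
    if DN_RE.match(value):
        return "dn"
    if NETBIOS_RE.match(value):
        return "netbios"
    if UPN_RE.match(value):
        return "upn"
    return None


def allowed_formats(server_type, security_option):
    """Forms the page allows for the selected server type / security option."""
    if server_type == "Windows Active Directory":
        if security_option == "Kerberos v.5":
            return {"upn"}              # Kerberos: userPrincipalName only
        return {"netbios", "upn", "dn"}  # assumption: plain text otherwise
    return {"dn"}                        # every other server type: DN only


def check_bind_username(server_type, security_option, value):
    """Return (ok, message) for the configured bind account user name."""
    fmt = username_format(value)
    allowed = allowed_formats(server_type, security_option)
    if fmt in allowed:
        return True, "ok"
    if fmt is None:
        return False, "unrecognised user name syntax"
    return False, "%s form not allowed here; expected one of %s" % (fmt, sorted(allowed))
```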

Search base and groups/folders

  • Directory search base

    Enter the distinguished name of the node in the directory tree you want to use as the base for Administrative Server search operations. Examples: DC=my_corp,DC=com or o=my_corp.com. For more information about how to describe the search base, see the LDAP administrator for your organization.

  • Groups or folders

    You can map sessions directly to users in the directory. You can also map sessions to either logical groups or folders. The choice of whether to use groups or folders should reflect the way the data in your directory is organized. In Management and Security Server, the term "folder" is used to describe both organizational units and containers. Most directories have an organizational structure that uses logical groups, for example, groupOfNames and groupOfUniqueNames.

Authentication of end users

LDAP attribute for identifier

The default LDAP attribute to use as an identifier is available when you select an LDAP server type.

Table 3-1 Default LDAP identifiers

    Server type                                          Default user identifier
    OpenLDAP Directory Server                            cn
    Generic LDAP Compliant Directory Server (RFC 2256)   cn
    RACF Directory Server                                racfid
    Oracle LDAP Directory Server                         uid
    IBM Tivoli Directory Server                          cn
    Windows Active Directory                             List of domains**
    NetIQ eDirectory                                     cn
    Windows Active Directory with LDAP login form        cn

**When you select Active Directory as your LDAP server and the Kerberos security option, you must enter a list of Kerberos realms (e.g., domain@example.com). If you are using Active Directory with plain text, enter a list of NT domains (e.g., MYCOMPANY, SALES).

When an end user requests the list of sessions, the login page prompts for a username and password and displays available domains or realms in a drop-down list. If you have more than one domain or realm, separate the entries with commas (for example, 1stDomain, 2ndDomain, 3rdDomain).

Advanced settings

Maximum nested level for groups

This number determines how mapped sessions are inherited. If Group A contains Group B of which User 1 is a member, and you map a session to Group A, User 1 will also have access to that mapped session. If users do not inherit sessions as you expect, increase this number. Do not raise this level more than necessary because too high a number can impair performance if you have a large number of users. The default is 5.
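The inheritance rule above, as an added example that is not part of the product documentation: it expands group membership from a mapped group down to a configurable maximum nested level and returns the users that inherit the session. The directory data is constructed inline, with each group listing its member DNs under the common "member" attribute, and includes a membership cycle to show why a visited-set is needed alongside the depth limit.

```python
from collections import deque

# Constructed sample directory: group DN -> DNs found in its "member" attribute.
# GroupA contains GroupB, GroupB contains GroupC, and GroupC refers back to GroupA.
DIRECTORY = {
    "cn=GroupA,ou=groups,dc=examplecorp,dc=com": [
        "cn=GroupB,ou=groups,dc=examplecorp,dc=com",
        "uid=alice,ou=people,dc=examplecorp,dc=com",
    ],
    "cn=GroupB,ou=groups,dc=examplecorp,dc=com": [
        "cn=GroupC,ou=groups,dc=examplecorp,dc=com",
        "uid=user1,ou=people,dc=examplecorp,dc=com",
    ],
    "cn=GroupC,ou=groups,dc=examplecorp,dc=com": [
        "cn=GroupA,ou=groups,dc=examplecorp,dc=com",  # cycle back to GroupA
        "uid=carol,ou=people,dc=examplecorp,dc=com",
    ],
}


def users_with_access(directory, mapped_group, max_nested_level):
    """Return the set of user DNs that inherit a session mapped to mapped_group.

    Level 0 is the mapped group itself, level 1 a group it directly contains,
    and so on. Groups below max_nested_level are not expanded, so a limit that
    is too small silently drops users; the seen set stops circular membership
    from looping forever.
    """
    users = set()
    seen = {mapped_group}
    queue = deque([(mapped_group, 0)])
    while queue:
        group, level = queue.popleft()
        for member in directory.get(group, []):
            if member in directory:  # member is itself a group
                if level + 1 <= max_nested_level and member not in seen:
                    seen.add(member)
                    queue.append((member, level + 1))
            else:
                users.add(member)
    return users
```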