How To
Summary
Summary: This article describes how to set up an LDAP server with IBM Spectrum Protect Plus (SPP) to allow users single sign-on access.
• Lightweight Directory Access Protocol (LDAP) is a protocol for accessing a directory that contains objects related to users, passwords, security groups and computer objects.
• LDAP provides the ability to query the contained objects (users, passwords, security groups, and computer objects).
• LDAP allows applications to authenticate against a central repository, which provides users with single sign-on access.
Supported LDAP server for SPP configuration:
• SPP supports Windows Domain Controllers with LDAP configuration.
• A Windows Domain Controller is a promoted Windows server running Active Directory Domain Services (AD DS).
• Active Directory is a database-based system, developed by Microsoft, that provides authentication, enforces security policies, and authorizes users and computers in a Windows domain network.
• Active Directory uses the LDAP protocol.
Objective
Step 1: Register LDAP Server to the IBM Spectrum Protect Plus Server.
- From the navigation menu, expand System Configuration, then click LDAP / SMTP.
- From the LDAP table, click Add LDAP Server. The LDAP Settings pane displays. Complete all fields with the appropriate LDAP filters.
- Host Address
The IP address or resolvable logical node name of the LDAP server.
- Port
The port on which the LDAP server is listening. The typical default port is 389 for non-SSL connections or 636 for SSL connections.
- Use SSL
Enable to establish a secure connection to the LDAP server.
Requires the LDAP SSL certificate to be uploaded in the 8090 Admin Console first (see the SSL section at the end of this article).
- Credentials
An LDAP username that can successfully authenticate with the LDAP server.
Example: Jsmith@CXW.com
- Base DN
This is the base distinguished name (DN) under which the LDAP filter is applied; it is derived from the domain name.
Example: if your domain name is cxw.com, the Base DN will be:
dc=cxw,dc=com
- User Filter
A filter to select only those users under the Base DN that match certain criteria. The {0} placeholder is replaced with the name the user types at login.
Spectrum Protect Plus supports the following 3 user filters.

Filter Type     | Entry               | Example
Canonical Name  | cn={0}              | John Smith
sAMAccountName  | sAMAccountName={0}  | jsmith
Email address   | mail={0}            | jsmith@cxw.com
- User RDN
This is the filter for where in Active Directory the user accounts exist that you want to allow to log in to Spectrum Protect Plus.
Example: in Active Directory, if you want to allow users that exist under the folder path Data Protection\SPP, the filter will be:
OU=SPP,OU=Data Protection
- Group RDN
This is the filter for where the security groups exist. Spectrum Protect Plus only supports importing security groups, not individual user accounts.
Example:
cn=USA,OU=GROUP
- Select Save to register the LDAP server.
- When the LDAP server is successfully registered, it appears under System Configuration->LDAP/SMTP as in the example configuration below.
Example Configuration:

Host Address | 71.100.24.1
Port         | 389
Bind Name    |
Base DN      | DC=CXW,DC=COM
User Filter  | sAMAccountName={0}
User RDN     | OU=SPP,OU=Data Protection
Group RDN    | OU=USA,OU=GROUP
Step 3: Import the LDAP Security Group into Spectrum Protect Plus.
Once you have successfully added the LDAP server to Spectrum Protect Plus, you need to import the LDAP security group you want to give access to Spectrum Protect Plus.
- From the navigation menu, expand Accounts, click User, and select Add User.
- Select the drop-down arrow for "Type of user or group you want to add" and select LDAP Group.
- Select the drop-down arrow for "Select LDAP Group" and select the LDAP security group you want to add to Spectrum Protect Plus.
The User RDN and Group RDN fields work together. Only users that are members of the security group imported into Spectrum Protect Plus from the Group RDN location, and that also exist within the User RDN location, are allowed to authenticate with Spectrum Protect Plus via LDAP.
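As an added example (not IBM's or SPP's code), the following Python combines the Base DN, User Filter, User RDN and Group RDN from this article the way the text describes, and shows why both RDN fields must match before a login succeeds. It assumes the search base is User RDN appended to Base DN and that the User Filter is wrapped in parentheses; the directory entries are constructed sample data, not a real domain.

```python
from dataclasses import dataclass

# RFC 4515 escaping: the name typed at the SPP login page is substituted into the
# filter as a literal value, so it cannot change the filter's meaning.
_RFC4515 = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_RFC4515.get(ch, ch) for ch in value)

@dataclass
class LdapSettings:  # the fields from the article's LDAP Settings pane
    base_dn: str = "DC=CXW,DC=COM"
    user_filter: str = "sAMAccountName={0}"
    user_rdn: str = "OU=SPP,OU=Data Protection"
    group_rdn: str = "OU=USA,OU=GROUP"

def build_user_search(s: LdapSettings, login: str) -> tuple:
    """Assumed composition: search base = User RDN + Base DN; {0} replaced in filter."""
    base = f"{s.user_rdn},{s.base_dn}" if s.user_rdn else s.base_dn
    return base, f"({s.user_filter.replace('{0}', escape_filter_value(login))})"

def _under(dn: str, base: str) -> bool:
    return dn.lower().endswith("," + base.lower())

def _matches(entry: dict, filt: str) -> bool:
    # Only the "(attr=value)" equality form used by the three supported filters.
    attr, value = filt[1:-1].split("=", 1)
    return entry.get(attr.lower(), "").lower() == value.lower()

def is_allowed(directory: dict, s: LdapSettings, group_cn: str, login: str) -> bool:
    """Login succeeds only if exactly one user matches under User RDN AND that user
    is a member of the imported group located under Group RDN."""
    base, filt = build_user_search(s, login)
    users = [dn for dn, e in directory.items() if _under(dn, base) and _matches(e, filt)]
    if len(users) != 1:
        return False
    group = directory.get(f"CN={group_cn},{s.group_rdn},{s.base_dn}", {})
    return users[0] in group.get("member", [])

# Constructed sample directory keyed by DN (attribute names lower-cased).
DIRECTORY = {
    "CN=John Smith,OU=SPP,OU=Data Protection,DC=CXW,DC=COM": {"samaccountname": "jsmith"},
    "CN=Bob Ray,OU=SPP,OU=Data Protection,DC=CXW,DC=COM": {"samaccountname": "bray"},
    "CN=Ann Lee,OU=Finance,DC=CXW,DC=COM": {"samaccountname": "alee"},
    "CN=SPP Admins,OU=USA,OU=GROUP,DC=CXW,DC=COM": {"member": [
        "CN=John Smith,OU=SPP,OU=Data Protection,DC=CXW,DC=COM",
        "CN=Ann Lee,OU=Finance,DC=CXW,DC=COM"]},
}
```

Running `is_allowed(DIRECTORY, LdapSettings(), "SPP Admins", login)` admits only jsmith: alee is in the group but outside the User RDN, and bray is under the User RDN but not in the group.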
LDAP registration with Secure Sockets Layer (SSL) authentication
Spectrum Protect Plus supports authenticating with LDAP servers via SSL. You must export the LDAP SSL certificate from the LDAP server and then import it into Spectrum Protect Plus.
- SSL certificates are used to keep sensitive information sent across the network encrypted so that only the intended recipient can access it.
- SSL certificates provide authentication, so you can be sure that you are sending information to the right server and not to an imposter trying to steal your information.
Step 1: Export the LDAP Certificate from the Windows Domain controller
- Log in to the Domain Controller.
- Open the Windows Search menu, type certificates, and open the certificates console. Expand Certificates->Personal->Certificates.
- Export the certificate that lists Client Authentication under Intended Purposes.
- Right-click the certificate->All Tasks->Export. The Certificate Export Wizard opens. Select Next->No, do not export the private key->Next->select the format DER encoded binary X.509 (.CER)->Next->choose a name for the file and save it to the Desktop.
Microsoft Reference Article: https://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx?Redirected=true
Step 2: Import the LDAP Certificate into the Spectrum Protect Plus Server
- Log in to the SPP UI portal.
- On the upper right, select the user ID drop-down menu and select Manage TLS Certificates.
- Choose the SSL certificate type LDAP, select Browse, navigate to where you saved your certificate and select it. Then select Upload.
- Once the certificate is uploaded, you must restart the Spectrum Protect Plus application for the certificate to take effect. In the Admin console, https://#.#.#.#:8090, select System Management, then select Restart IBM Spectrum Protect Plus.
Document Information
Modified date: 27 April 2022
UID: ibm10791677