LDAP Authentication

Overview

Avi Vantage supports user authentication using Lightweight Directory Access Protocol (LDAP). LDAP is a commonly used protocol for accessing a directory service. A directory service is a hierarchical object-oriented database view of an authentication system.

LDAP settings can be configured in an Auth Profile.

To create an LDAP profile,

  1. Navigate to Templates > Security > Auth Profile.
  2. Click Create.
  3. Enter the Name for the profile and select LDAP as Type.
  4. Configure the LDAP settings.
  5. Configure the HTTP Authentication settings.
  6. Click Save to complete the auth profile creation.

Configuring LDAP Settings

  1. Under LDAP Servers click Add and enter the LDAP server IP. Note: For Controller authentication, multiple LDAP servers are supported only if they belong to the same cluster. Else, the Controller tries to authenticate with the first reachable server.
  2. Add more servers if required.
  3. Optionally, under LDAP Connection Security Mode, select LDAPS. LDAP over SSL (LDAPS) is the recommended option.
  4. Select the service Port to be used when communicating with the LDAP servers. For example, 389 for LDAP or 636 for LDAPS.
  5. Enter the LDAP Directory Base Distinguished Name, Base DN. This is used as the default for settings where DN is required but was not populated like User or Group Search DN.
  6. Under Settings, select the LDAP bind settings. For a detailed explanation, see LDAP Bind Settings.
  7. Configure Administrator Bind or Anonymous Bind, as required.

Configuring HTTP Authentication

HTTP Authentication is useful in cases when LDAP authentication profile is configured for Basic Authentication in a virtual service.

  1. Under HTTP Authentication, in Client User ID Header Name, enter the HTTP header to be inserted into the client request before it is sent to the destination server. This field is used to name the header. The value will be the client’s User ID. This same UserID value will also be used to populate the User ID field in the Virtual Service’s logs.
  2. Click Add under Required User Group Membership. Enter the DN of the group of which the user must be a member. For example, cn=testgroup,ou=groups,dc=LDAP,dc=example,dc=com.
  3. In Auth Credential Cache Expiration, enter the maximum amount of time (in seconds) for which a client’s authentication is cached.

LDAP Auth Profile settings can be verified after the profile is created by using the test page.

More configuration examples are presented here.

LDAP Bind Settings

LDAP bind settings configure the parameters used to authenticate clients and to create the authorization identity that is used for any further operation on that connection.

NSX Advanced Load Balancer supports Administrator Bind and Anonymous Bind.

  • The administrator bind is the recommended option since the administrator account given will be used to search for users and user group memberships across the LDAP server.

  • The anonymous bind option only checks whether the bind succeeds or fails with the password entered during login. Anonymous bind can only be used to authenticate the user and cannot be used to authorize the user.

Administrator Bind

Administrator bind requires admin DN and password. The account used should have access to search the directory tree for both users and user groups.

NSX Advanced Load Balancer uses the configuration to search for users or groups. An LDAP search requires:

  • Top-level directory hierarchy (search DN) to start the search
  • Scope value to limit the search to one of the following: base (one-level deep) or entire sub-tree
  • Filter to match only on entries of a given class or category

User search enables searching for users who log into NSX Advanced Load Balancer. This field limits the search to a more specific directory tree. The user ID attribute is the attribute in a user record that identifies the user, and is expected to match the username entered during user login. Administrator account should have privilege to search for users under the User Search DN entered.

Group search enables searching for a user’s group membership. The group search DN and scope limit the search to a more specific directory tree. For efficiency, try to avoid searching under directory trees where a match to the user group is not expected. A search can find different types of objects under the search DN, so the group filter is used to pick up group objects only. Vantage appends a user-specific group membership filter to the configured group filter in order to check a specific user’s group membership.

For example, a configured group filter (objectClass=group) is extended by NSX Advanced Load Balancer to a full filter when user “bob” logs in, to something such as the following: (&(objectClass=group)(member=bob))

For more details on LDAP search filters: https://tools.ietf.org/search/rfc4515
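The following added example (not Avi Vantage / NSX Advanced Load Balancer code) shows how the User ID Attribute, Group Filter and Group Member Attribute settings described above combine into the search filters an authenticator issues, including the full-DN variant of the membership clause, and applies the RFC 4515 escaping so that characters typed at the login prompt cannot alter the filter's structure. The attribute names and DNs are constructed sample values.

```python
from typing import Optional

# RFC 4515 section 3: characters that must be hex-escaped inside an assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_search_filter(user_id_attribute: str, username: str) -> str:
    """Filter that locates the user record whose login attribute equals the typed username.

    user_id_attribute is the 'User ID Attribute' setting (for example uid or sAMAccountName).
    """
    return f"({user_id_attribute}={escape_filter_value(username)})"


def group_membership_filter(group_filter: str, group_member_attribute: str,
                            username: str, user_dn: Optional[str] = None,
                            full_dn: bool = False) -> str:
    """Extend the configured Group Filter with a user-specific membership clause.

    With 'Enable Full DN For Group Member Attribute' the member value is the user's
    full DN (as returned by the user search); otherwise it is the bare user ID.
    """
    if not group_filter.startswith("("):
        group_filter = f"({group_filter})"  # tolerate a filter entered without parentheses
    if full_dn:
        if user_dn is None:
            raise ValueError("full_dn requires the user's DN from the user search")
        member_value = user_dn
    else:
        member_value = username
    return f"(&{group_filter}({group_member_attribute}={escape_filter_value(member_value)}))"


if __name__ == "__main__":
    # Constructed sample settings mirroring the page's example for user "bob".
    print(user_search_filter("uid", "bob"))
    print(group_membership_filter("(objectClass=group)", "member", "bob"))
    print(group_membership_filter("(objectClass=group)", "member", "bob",
                                  user_dn="cn=bob,ou=people,dc=example,dc=com", full_dn=True))
```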

Configuring Administrator Bind

  1. In the Create Auth Profile screen under Settings select Administrator Bind.
  2. Enter the LDAP admin user DN as the Admin Bind DN.
  3. Enter the LDAP admin user password.
  4. Click Ignore Referrals if the user is not expected to have groups in the referral links. Enabling this option can improve the speed of group searches.
  5. Enter the User Search DN. The LDAP user search DN is the root of search for a given user in the LDAP directory. Only user records present in this LDAP directory sub-tree are allowed for authentication. Base DN value is used if this value is not configured.
  6. Select the User Search Scope to define the levels of search for the user starting from the user search DN. The available options are:
    • Scope Base
    • Scope One Level
    • Scope Subtree
  7. Enter the User ID Attribute. This is the login attribute that uniquely identifies a single user record. The value of this attribute should match the username used at the login prompt.
  8. Enter the LDAP Group Search DN, which is the root of search for a given group in the LDAP directory. Only matching groups present in this LDAP directory sub-tree will be checked for user membership. Base DN value is used if this value is not configured.
  9. Select the Group Search Scope to define the levels of search for the group starting from the group search DN. The available options are:
    • Scope Base
    • Scope One Level
    • Scope Subtree
  10. Enter the Group Filter that is used to identify the groups during search.
  11. Enter the Group Member Attribute. This indicates that group member entries have full DNs instead of just user ID attributes.
  12. If the LDAP group stores the full user DN as member instead of just the username, select Enable Full DN For Group Member Attribute.

Anonymous Bind

Anonymous bind supports only authentication of users. Authentication profiles that use anonymous bind cannot be used for role or tenant mapping.

Configuring Anonymous Bind

To configure anonymous bind,

  1. In the Create Auth Profile screen under Settings select Anonymous Bind.
  2. Enter the LDAP admin user DN as the Admin Bind DN.
  3. Enter the LDAP admin user password.
  4. Click Ignore Referrals if the user is not expected to have groups in the referral links. Enabling this option can improve the speed of group searches.
  5. Enter the User DN Pattern which is used to bind the LDAP user after replacing the user token with a username.
  6. Enter the User Token, which will be replaced by the real username.
  7. Enter the User ID Attribute. This is the login attribute that uniquely identifies a single user record. The value of this attribute should match the username used at the login prompt.