Configure LDAP in USM Appliance

Applies to Product: USM Appliance™ LevelBlue OSSIM®

This topic shows you how to configure USM Appliance to allow user authentication using LDAP, such as Microsoft Active Directory (AD). To create a user for LDAP authentication, see Create New Accounts for LDAP Users.

LDAP (Lightweight Directory Access Protocol) authentication can make user management simpler in larger environments by centralizing user accounts and passwords. For example, LDAP streamlines setting access to various systems and networks based on a user's role. Once USM Appliance is configured to use LDAP, users authenticate with their standard corporate domain credentials.

Important: LDAP logon names cannot contain spaces. USM Appliance usernames do not allow spaces, so an LDAP username that contains a space will not work in USM Appliance.

Creating an LDAP Service Account

To enable USM Appliance to query LDAP for authorization, you must first create a service account in LDAP. For example, in Microsoft Active Directory, you configure an LDAP account as you would a user account.

To create an Active Directory service account

  1. Type the name of the person whose account you are setting up, and assign them a username for login.
  2. Set a logon password, and select Password never expires or the option that best fits your company's or organization's policy.

    Important: USM Appliance uses this account to access LDAP each time a user logs in. If the password expires and is not updated in USM Appliance, users will not be able to log in.

Microsoft Active Directory dialog boxes for account creation.

Configuring USM Appliance to Request Authentication through LDAP

Follow these instructions to configure USM Appliance to request user credential authentication from LDAP, rather than using data stored locally in USM Appliance.

To configure USM Appliance to request LDAP user authentication

  1. Log into the USM Appliance web interface and go to Configuration > Administration > Main.
  2. Click the Login Methods/Options section to expand it, and type the required values shown in the Login Methods/Options Values table.
  3. Click Update Configuration to save changes.

    Page to request LDAP authentication in USM.

    Login Methods/Options Values (each Parameter is followed by its Input Value)

    Remote login key
      Required when using remote loggers. Otherwise you can leave it empty. See Configure the USM Appliance Logger after Deployment for details.

    Enable LDAP for login
      Yes

    LDAP server address
      IP address of the LDAP server. For example: 127.0.0.1

    LDAP server port
      389 (unencrypted) or 636 (SSL encrypted)

    LDAP server SSL
      Yes (use the LDAP server with SSL) or No

    LDAP server TLS
      Yes (use the LDAP server with TLS) or No

    LDAP server baseDN
      Distinguished name (DN) of the LDAP server, in the format
        dc=<domain>,dc=<domain suffix>
      For instance, if the domain is "example.com", enter dc=example,dc=com.

    LDAP server filter for LDAP users
      General LDAP: (&(cn=%u)(objectClass=account))
      Active Directory: (&(sAMAccountName=%u)(objectCategory=person))

      Note: To restrict LDAP access to specific users, use the userAccountControl flags. For example, the entry below allows access to a normal user account:
        (&(sAMAccountName=%u)(objectCategory=person)(userAccountControl=512))
      See Microsoft documentation for additional options.

    LDAP Username
      User Principal Name (UPN) of the service account in LDAP:
        loginname@domain.suffix

    LDAP password for Username
      Password for the account referenced in LDAP Username.

    Require a valid OSSIM user for login
      Yes: Controls user authorization by requiring that a user account with the same username as in LDAP be created in USM Appliance.
      No: A local account is not required for initial login. With this option, the system automatically creates an LDAP-enabled local user account using the specified entity assignment and menu template.

      Local usernames determine user permissions, for example the menu templates and entities assigned to the user. An admin sets a password for the local account when creating it. After LDAP is set up, the local password is no longer used for authentication.

      If you choose No, you must select a default entity from the Entity for new LDAP user list and a default menu template from the Menus for new LDAP user list. These defaults are then assigned to users who are authenticated by LDAP.

    Entity for new LDAP user
      The default entity assigned to new LDAP users when an OSSIM user is not required.

    Menus for new LDAP user
      The default menu template assigned to new LDAP users when an OSSIM user is not required.
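The following is an added example, not USM Appliance code, showing how the "LDAP server filter" template above is turned into a per-login search filter (the %u placeholder replaced by an escaped login name, names with spaces rejected as the note above requires) and why the userAccountControl=512 clause only matches accounts whose flag value is exactly 512. The flag constants and the bit-AND matching rule OID come from Microsoft's Active Directory documentation; the helper names and sample inputs are constructed here.

```python
# Added example (not part of USM Appliance). Constants below are the documented
# Active Directory userAccountControl flag values and the LDAP bit-AND matching rule.
NORMAL_ACCOUNT = 0x0200          # 512, the value used in the filter example above
ACCOUNTDISABLE = 0x0002          # set on disabled accounts
DONT_EXPIRE_PASSWORD = 0x10000   # 65536, "Password never expires"
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

AD_FILTER = "(&(sAMAccountName=%u)(objectCategory=person))"
AD_FILTER_UAC = "(&(sAMAccountName=%u)(objectCategory=person)(userAccountControl=512))"


def is_valid_usm_username(login_name: str) -> bool:
    """USM Appliance usernames cannot contain spaces (see the Important note)."""
    return len(login_name) > 0 and " " not in login_name


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a login name must be data, not filter syntax."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def build_user_filter(template: str, login_name: str) -> str:
    """Substitute %u with the escaped login name, as the appliance does per login."""
    if not is_valid_usm_username(login_name):
        raise ValueError("username is empty or contains a space")
    return template.replace("%u", escape_filter_value(login_name))


def matches_exact_512(uac: int) -> bool:
    """What (userAccountControl=512) actually tests: the whole value equals 512."""
    return uac == NORMAL_ACCOUNT


def is_enabled_normal_account(uac: int) -> bool:
    """Bitmask test: a normal account that is not disabled, whatever other flags are set."""
    return bool(uac & NORMAL_ACCOUNT) and not (uac & ACCOUNTDISABLE)


def bitwise_uac_filter(template: str) -> str:
    """Rewrite the exact-match clause so the server evaluates it as a bitmask test."""
    return template.replace(
        "(userAccountControl=512)",
        "(userAccountControl:%s:=512)" % LDAP_MATCHING_RULE_BIT_AND,
    )
```

A normal account whose password is set to never expire carries 512 + 65536 = 66048, so the equality clause in the table's example excludes it while the bitwise form keeps it.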