LDAP Server Configuration
If you use an LDAP server for authentication, users who log in to SANnav are authenticated against the user names and passwords stored on the LDAP server.
You can use the LDAP server for authentication only or for both authentication and authorization.
If you are using LDAP for authentication, the user accounts must be created on the LDAP servers.
If you are also using LDAP for authorization, it is recommended that you use LDAP groups for authorization. Creating LDAP groups allows you to assign the roles and areas of responsibility (AORs) to groups of users instead of individual users.
Note: This guide assumes that the LDAP servers are already configured with the list of user accounts. If you are using LDAP groups for authorization, this guide assumes that the LDAP server is already configured with groups, and that users are assigned to the groups.
Note: You must add the LDAP server host entry to the Docker container host file to authenticate LDAP server users. For instructions, refer to Adding LDAP Servers to the Docker Container.
The following table outlines the steps you must perform on SANnav and on the external LDAP servers for various scenarios.
Table 11. Tasks Required for Setting Up Authentication and Authorization on an External LDAP Server

Scenario 1: Primary authentication = LDAP Server; Secondary authentication = None; Authorization = Local database
  Tasks performed in SANnav:
    1. Configure SANnav to use an external LDAP server.
    2. Create roles and AORs.
    3. Create user accounts.
    4. Assign roles and AORs to users.
  Tasks performed on the LDAP servers:
    User accounts must already be created on the LDAP servers. No additional tasks are needed.

Scenario 2: Primary authentication = LDAP Server; Secondary authentication = None; Authorization = External server
  Tasks performed in SANnav:
    1. Configure SANnav to use an external LDAP server.
    2. Create roles and AORs.
  Tasks performed on the LDAP servers:
    User accounts must already be created on the LDAP servers. You must perform the following additional tasks:
    1. Create role and AOR custom attributes in the LDAP Active Directory.
    2. Assign roles and AORs to users.

Scenario 3: Primary authentication = LDAP Server; Secondary authentication = None; Authorization = LDAP groups
  Tasks performed in SANnav:
    1. Configure SANnav to use an external LDAP server.
    2. Create roles and AORs.
    3. Upload LDAP groups into the local database for authorization.
    4. Assign roles and AORs to LDAP groups.
  Tasks performed on the LDAP servers:
    User accounts and groups must already be created on the LDAP servers, and the users must be assigned to groups. No additional tasks are needed.

Scenario 4: Primary authentication = LDAP Server; Secondary authentication = Local database; Authorization = Local database
  Tasks performed in SANnav:
    1. Configure SANnav to use an external LDAP server.
    2. Create roles and AORs.
    3. Create user accounts.
    4. Assign roles and AORs to users.
  Tasks performed on the LDAP servers:
    User accounts must already be created on the LDAP servers. No additional tasks are needed.

Scenario 5: Primary authentication = LDAP Server; Secondary authentication = Local database; Authorization = External server
  Tasks performed in SANnav:
    1. Configure SANnav to use an external LDAP server.
    2. Create roles and AORs.
    3. Create user accounts.
    4. Assign roles and AORs to users, in case primary authentication fails.
  Tasks performed on the LDAP servers:
    User accounts must already be created on the LDAP servers. You must perform the following additional tasks:
    1. Create role and AOR custom attributes in the LDAP Active Directory.
    2. Assign roles and AORs to users.

Scenario 6: Primary authentication = LDAP Server; Secondary authentication = Local database; Authorization = LDAP groups
  Tasks performed in SANnav:
    1. Configure SANnav to use an external LDAP server.
    2. Create roles and AORs.
    3. Create user accounts, in case primary authentication fails.
    4. Upload LDAP groups into the local database for authorization.
    5. Assign roles and AORs to LDAP groups.
    6. Assign roles and AORs to users, in case primary authentication fails.
  Tasks performed on the LDAP servers:
    User accounts and groups must already be created on the LDAP servers, and the users must be assigned to groups. No additional tasks are needed.
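The three authorization sources in the table (local database, external server via custom attributes, and uploaded LDAP groups) resolve a user's roles and AORs from different places. The following Python model, added here as an illustration and not taken from SANnav or its documentation, works through each mode on constructed LDAP entries and a constructed local database. The custom attribute names (sannavRole, sannavAOR), the group and user DNs, and the role and AOR names are all assumptions chosen for the example; the page does not specify them. It also shows the edge case a practitioner should watch for with group-based authorization: a user whose only LDAP groups were never uploaded into SANnav ends up with no roles or AORs, and an audit helper lists such groups so the gap can be closed on the SANnav side rather than discovered at login time.

```python
"""Model of the three SANnav authorization sources over constructed LDAP data.

Added example; names, DNs, attribute names and role/AOR values are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Hypothetical custom attribute names. The page says role and AOR custom
# attributes are created in Active Directory but does not name them.
ROLE_ATTR = "sannavRole"
AOR_ATTR = "sannavAOR"


@dataclass(frozen=True)
class Grant:
    """Effective roles and areas of responsibility (AORs) for one user."""
    roles: FrozenSet[str]
    aors: FrozenSet[str]

    def permits_login(self) -> bool:
        # A user needs both a role and an AOR to do anything useful; treat a
        # missing half as no access (fail closed).
        return bool(self.roles) and bool(self.aors)


EMPTY = Grant(frozenset(), frozenset())

# Constructed LDAP entries, keyed by login name, as an LDAP search would return
# them. Only 'alice' carries the custom attributes; 'bob' belongs to one group
# that was never uploaded into SANnav; 'carol' belongs to no groups.
LDAP_ENTRIES: Dict[str, Dict[str, List[str]]] = {
    "alice": {
        "memberOf": ["cn=san-admins,ou=groups,dc=example,dc=com"],
        ROLE_ATTR: ["SAN Administrator"],
        AOR_ATTR: ["All Fabrics"],
    },
    "bob": {
        "memberOf": [
            "cn=san-operators,ou=groups,dc=example,dc=com",
            "cn=backup-team,ou=groups,dc=example,dc=com",  # not uploaded
        ],
    },
    "carol": {"memberOf": []},
}

# Constructed SANnav local database: LDAP groups uploaded and given roles/AORs
# (scenarios 3 and 6), and local user accounts with roles/AORs (scenarios 1 and 4).
# Group DNs are stored lower-cased so lookups are case-insensitive, a simple
# approximation of LDAP DN matching.
UPLOADED_GROUPS: Dict[str, Grant] = {
    "cn=san-admins,ou=groups,dc=example,dc=com":
        Grant(frozenset({"SAN Administrator"}), frozenset({"All Fabrics"})),
    "cn=san-operators,ou=groups,dc=example,dc=com":
        Grant(frozenset({"Operator"}), frozenset({"Fabric-A"})),
}
LOCAL_USERS: Dict[str, Grant] = {
    "alice": Grant(frozenset({"Operator"}), frozenset({"Fabric-B"})),
    "carol": Grant(frozenset({"Read-only"}), frozenset({"Fabric-A"})),
}


def resolve(mode: str, user: str) -> Tuple[Grant, List[str]]:
    """Return (grant, unmapped_groups) for user under one authorization mode.

    mode is 'local' (roles/AORs from the SANnav database), 'external' (roles/AORs
    from custom attributes on the LDAP entry) or 'groups' (roles/AORs from the
    uploaded LDAP groups the user is a member of).
    """
    entry = LDAP_ENTRIES.get(user, {})
    if mode == "local":
        # LDAP only authenticated the user; authorization ignores the entry.
        return LOCAL_USERS.get(user, EMPTY), []
    if mode == "external":
        # Attributes missing on the entry mean no roles/AORs, not a default.
        return Grant(frozenset(entry.get(ROLE_ATTR, [])),
                     frozenset(entry.get(AOR_ATTR, []))), []
    if mode == "groups":
        roles, aors, unmapped = set(), set(), []
        for group_dn in entry.get("memberOf", []):
            mapped = UPLOADED_GROUPS.get(group_dn.lower())
            if mapped is None:
                unmapped.append(group_dn)  # membership SANnav knows nothing about
                continue
            roles |= mapped.roles   # union across all mapped groups
            aors |= mapped.aors
        return Grant(frozenset(roles), frozenset(aors)), unmapped
    raise ValueError(f"unknown authorization mode: {mode}")


def audit_unmapped_groups() -> List[str]:
    """List every LDAP group referenced by a user that was never uploaded."""
    missing = set()
    for user in LDAP_ENTRIES:
        missing.update(resolve("groups", user)[1])
    return sorted(missing)


if __name__ == "__main__":
    for mode in ("local", "external", "groups"):
        for user in LDAP_ENTRIES:
            grant, unmapped = resolve(mode, user)
            print(f"{mode:8} {user:6} login={grant.permits_login()} "
                  f"roles={sorted(grant.roles)} aors={sorted(grant.aors)} "
                  f"unmapped={unmapped}")
    print("groups to upload:", audit_unmapped_groups())
```

Running the model makes the scenario differences concrete: under group authorization bob gets the Operator role for Fabric-A from the one mapped group while his backup-team membership is reported as unmapped, carol gets nothing and cannot log in, and under local authorization alice receives the local database's Operator/Fabric-B grant rather than the administrator role her LDAP attributes carry.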