|
|
|
|
|
|
|
|
iPrism v5.0 enables support for Auto-Login, profile mapping, privilege mapping and secure communications when using Novell eDirectory as the LDAP server and Novell login clients on user machines (see requirements below). This is available for both Transparent-Mode and/or Proxy-Mode users. In brief, this enhancement provides:
When using Novell eDirectory as the LDAP server and Novell login clients on user machines (see requirements below), iPrism v5.0 enables support for group-to-profile mapping, group-to-privileges mapping, iPrism Auto-Login and profile assignment, and the option of secure communications. This applies to Transparent-Mode and Proxy-Mode.
When using another LDAP directory as the LDAP server, iPrism v5.0 enables support for group-to-profile mapping, group-to-privileges mapping, and iPrism manual login and profile assignment. Secure communications is supported for eDirectory only. This applies to Transparent-Mode and Proxy-Mode.
These enhancements provide the following benefits:
Group-to-profile mapping similar to the current Windows capability, providing better visibility of LDAP mapping information for easier implementation and troubleshooting. This feature allows assignment of one or more LDAP groups to specific Web and IM/P2P profiles. Note that the addition of IM/P2P profiling (by username) is reflected in the iPrism Reports Manager (detail reports), and the Real-Time Monitor. Usernames are displayed according to the "Mask" value specified on the LDAP tab. Spaces in group names are now supported. Since group-to-profile assignments are processed in a top-down order, with "first match" determining the user profile, Administrators can make "ordered list" adjustments to control profile assignments for users belonging to multiple groups.
Group-to-privileges mapping is logically identical to Group-to-profile mapping above, providing better visibility of LDAP mapping information, and allowing assignment of one or more LDAP groups to specific iPrism privileges (as opposed to profiles).
iPrism Auto-Login and profile assignment, i.e., no need for users to manually login to iPrism. You can only enable LDAP Auto-Login in tandem with group-to-profile mapping. However, enabling LDAP Auto-Login is not required. If it is your preference, you may use group-to-profile mapping with manual user logins. LDAP Auto-Login works by querying Novell eDirectory on the networkAddress attribute. This allows iPrism to transparently cache "IP-address to username" information in support of iPrism profile assignment, without prompting users to login. Note: Terminal server users (for example, Citrix) cannot use Auto-Login. They must login manually so each user can be identified for reporting purposes since they share the same machine. This requirement is the same as when using Windows authentication. In general, If Auto-Login is not successful for some reason, iPrism will prompt the user for credentials.
Secure LDAP server connectivity using TLS (Transport Layer Security) or SSL (Secure Sockets Layer), or you may opt-out by selecting "none" as your encryption type. Note: TLS encryption between the LDAP server and clients cannot take place unless clients are allowed to "anonymously bind" to the LDAP server. SSL can be used even if "anonymous binds" are disallowed on the LDAP server. For details on what to check in Novell iManager on NetWare, see:
Requirements:
Novell eDirectory 8.7.3 (approx. 4 years old) and 8.8 (approx. 1 year old), on Novell NetWare.
LDAP Auto-Login is supported for Windows/Linux users running a Novell "NMAS capable" login client, meaning a Novell login client version 4.90 and higher. NMAS means "Novell Modular Authentication Service."
iPrism GUI changes include:
The Windows Profile tab becomes a "dual-use" tab called Profile Mappings. It is used for group-to-profile mapping for either LDAP or Windows, depending on which authentication type has been enabled by the administrator via LDAP/Windows tabs.
Fallback Profile has been moved from the LDAP tab to the Profile Mappings tab in the form of "Web Fallback" and "IM/P2P Fallback" reflecting the addition of IM/P2P filtering. The chosen fallback profiles apply to the set of group-to-profile mappings, and are used only if a normal mapping assignment fails for one or more users. Note: the "Use Network" fallback requires assignment of profiles to networks to be made on the Networks tab.
The LDAP tab provides updated NDS preset values via the Presets button.
When upgrading an iPrism with a pre-existing LDAP configuration, the pre-existing configuration is left in place. On the LDAP tab, checking "Use Legacy Profile Resolution" disables the Profile Mappings tab. This allows an administrator to continue using their current LDAP configuration as is. The Fallback Profile value is retained, and will be visible on the Profile Mappings tab as "Web Fallback".
On the LDAP tab, "Encryption Type" supports secure connectivity, if desired.
The Windows Privilege tab becomes a "dual-use" tab called Privilege Mappings. It is used for group-to-privilege mapping for either LDAP or Windows, depending on which authentication type has been enabled by the administrator via LDAP/Windows tabs.
Operational requirements for implementing LDAP Auto-Login include:
Integrate iPrism with Novell eDirectory
Perform Profile Mapping
Enable Auto-Login
Testing and Troubleshooting
|
Important: Backing up your iPrism configuration is a recommended "best practice" prior to configuration changes. Please note your current LDAP tab settings, and backup your iPrism configuration, see: |
Before proceeding, note the following:
If you have an existing LDAP configuration, and you wish to use it as is without taking advantage of the new Profile mapping and Auto-Login features, check "Use Legacy Profile Resolution".
The primary and backup LDAP servers are reachable despite physical proximity to iPrism, i.e., they are reachable over the internal or the external interface.
Launch Appliance Manager → right-click iPrism → System Configuration → Users → LDAP
Note: In the process of getting familiar with the new tabs, if you see the messages below in the Profile Mappings tab or popup window, they simply mean you have not enabled an authentication method yet on the LDAP or Windows tabs (1st message below), or that you are attempting to configure LDAP mapping but checked "Use Legacy Profile Resolution" before switching to the Profile Mappings tab (2nd message below), or that you are trying to enable LDAP and Windows authentication simultaneously, which is not allowed (3rd message below). You must choose one or the other from the LDAP/Windows tabs. Resolve these issues to activate and use the Profile Mappings tab.
To begin, check Enable LDAP Authentication, then click Presets, select the NDS option (shown), and Apply. This pre-loads the screen (shown below) with placeholder and default values that you can modify.
LDAP integration requires knowledge of, or access to, your LDAP schema. You may need to contact an LDAP or network administrator to gather needed information. Refer to the table below for required fields.
Field |
Comments |
Type |
|
Server |
Replace the <LDAPServer> placeholder with the IP address of your Novell eDirectory Server. |
Required |
|
Port |
389 is the default port for LDAP, only change it if necessary. |
Required |
|
Backup Server |
Enter a Backup Server IP address if applicable. The backup server will only be used if the primary LDAP server is down or unresponsive to iPrism, i.e. there is no load-sharing. |
Optional |
|
Backup Server Port |
Likely to also be port 389. If Backup Server specified, this port entry is required. |
Optional |
|
Search DN |
Allows you to specify the DN (Distinguished Name) of a user account with privileges to perform searches of the directory. This allows searching (queries) without granting anonymous connection and search privileges. The user entry provided must have sufficient rights within eDirectory to read required user attributes. The Search DN field will typically look something like this: CN=AdminReadAccount,O=Company ... where "AdminReadAccount" is an LDAP account with query rights, and "Company" is the name of your Organization (O) that holds the user database, and without a space after the comma. |
Required |
|
Search Password |
The password of the "Search DN" account specified above. |
Required |
|
Base |
Indicates the starting point in your eDirectory tree where iPrism searches for the "Search DN" account, user accounts, and attribute values as defined by "Attribute" and "SubQuery Attribute" (see below). Therefore, the base value must be high enough within the eDirectory Tree to be able to locate all desired user entries and information. Typically this should be set to the Organizational (O) level, as in: O=Company This allows iPrism to search for user accounts in multiple OUs. Base can also be left empty for servers that accept an empty base, like eDirectory, in which case iPrism will default to the root of the LDAP server. For example, using a null Base, and clicking Select in the Profile Mapping tab may produce a longer list of groups than when Base has a specific Organization value specified (assuming "Attribute" is set for finding groups) |
Required |
|
Use UID |
Checking this sets Mask to UID=%1, which commonly identifies unique users in the LDAP tree, as explained below. |
Optional |
|
Mask |
The Mask format must be used for manual LDAP authenticated logins, and is used to uniquely identify user entries (DN's) in the LDAP tree using one or more attributes. It also determines the format of the username shown in reports and RTM. For example, if UID is used in the LDAP schema to uniquely identify users, the mask uid=%1 can be used. This setting is known to work with Novell eDirectory, InterGate, OpenLDAP and Exchange LDAP servers. This setting implies user logins with a single value, like first initial last name, i.e., jsmith for 'Joe Smith." A more fully qualified mask like uid=%1#ou=%2 implies user logins with multiple values, i.e., jsmith#sales. %1 or %2 simply indicate the position a user would enter the information in the username field of an authentication prompt. Note: Auto-Login does not use the mask for authentication, instead IP address is used to search the LDAP server for the corresponding user who is logged on to that IP address. To be in sync with reporting and manual authentication, Auto-Login will return usernames with the administrator defined mask format. |
Required |
|
Require Attribute |
Checking this means that all users must resolve their profile assignment via an LDAP attribute. The Web and IM/P2P Fallback drop-downs on the Profile Mapping tab will be disabled since you are now relying strictly on LDAP for profile assignment. |
Optional |
|
Attribute |
For eDirectory, defaults to "groupmembership" via presets. This well-known attribute is commonly used for display of group information when using the Select button in Profile Mapping, and group identification of users. In other words, "Attribute" is used to enable the use of attribute values provided on the user entry. Providing an attribute name will cause iPrism to read the values within the attribute supplied and associate the value to an iPrism profile or profile mapping. Failed association will result in use of the Fallback Profiles unless Require Attribute is checked. |
Required |
|
SubQuery |
For eDirectory, defaults to "cn" via presets. Effectively, parses the simple group name from the longer group information string (or strings) returned by "groupmembership." You may omit a SubQuery Attribute if you wish to map using full DN's (see below). This may also quicken populating the "Select" button window in a large environment. In summary, "Attribute" (groupmembership) may be populated with an attribute on the user entry that contains LDAP DN values and the SubQuery field can then be used to determine the attribute on the referenced DN that contains values that will match an iPrism profile or profile mapping. When using Novells eDirectory, this may be used to reference group entries by populating the Attribute with groupmembership and the SubQuery field with CN. iPrism would then search each value of the user entrys GroupMembership attribute and expect to find a value of the Groups CN to values that will match an iPrism profile or profile mapping. |
Optional |
|
Use Legacy Profile Resolution |
Use Legacy Profile Resolution, when un-checked, enables LDAP group-to-profile mapping via the Profile Mappings tab. When checked, it disables access to the Profile Mappings tab, implying you wish to use an existing LDAP configuration as is. |
Optional |
|
Encryption Type |
A drop-down with values of none (default), SSL, and TLS. SSL (Secure Sockets Layer) and TLS (Transport Layer Security) enable encrypted traffic between iPrism and eDirectory for improved security. When selecting SSL, change the port to 636. |
Required |
|
|
Click to test LDAP server
connectivity. Note that Test does not check the entire LDAP tab configuration,
but specifically checks the validity of Server,
Port, Search
DN, and Search
Password. Success returns the notice below. If you then purposely
make Server & Port fail with incorrect IP & port, Test will then
check Backup Server & Backup Server Port. If the backup check
is successful, you will get the success notice below, indicating you have
good backup
information. If there is an error, your backup information is bad, see
Testing and Troubleshooting
|
Recommended |
Note: You cannot perform LDAP profile mapping if Use Legacy Profile Resolution is checked.
Go to Users → Profile Mappings tab
Confirm it's LDAP mapping by looking for "LDAP Attribute to Profile map" (highlighted below)
Click Add (highlighted below)
The specified "Attribute" and "Subquery Attribute" from the LDAP tab are carried over and displayed for clarity (groupmembership-cn in this case, highlighted below). The groupmembership attribute is a commonly used Novell eDirectory attribute resolving to group information. The cn (common name) subquery attribute returns the simple group name instead of longer strings, for ease-of-use (see screen shots). Using a subquery attribute is not mandatory, but may simplify displayed mapping information.
Click Select to list information for the designated attributes. A progress bar will indicate that Select is querying LDAP to populate the window. In a large environment, this may take some time. If this appears to take an inordinately long time, you might drop the SubQuery Attribute and map profiles with fully qualified DNs, or you might enter known groups manually by common name or DN. The Select window can be re-sized. Click Apply (in the LDAP Attributes list popup shown below) to populate the field (groupmembership-cn in this example).
Note that you are not required to populate the field with Select/Apply, you can manually enter a value (case-sensitive, so make sure your entry will match. If you enter "engineering" but the LDAP group is "Engineering", you'll end up using the Fallback Profile) that you know exists, or that you know will exist later. However, Select/Apply makes group selection easy and intuitive.
|
|
With cn subquery attribute (above) Without cn subquery attribute (below)
|
Assign the desired Web, IM/P2P profiles. View lets you examine these profiles if needed.
Select Fallback profiles that will be a best fit for the entire set of group-to-profile LDAP mappings. For example, the Fallback profiles for Web and IM/P2P could be set to a profile name (BlockOffensive and BlockIMP2P shown above), or Use Network so that users failing to receive a profile assignment still get profiled with the assigned Fallback. Use Network means that users will be profiled by IP address (hence the related profile) as specified from Access → Networks tab, a good safety-net.
Fallback profiles will be used when:
There is no match found between a specific users attribute value and an iPrism Web Access Profile (most common scenario).
The "Require Attribute" is unchecked and there is no "Attribute" or "Sub-Query Attribute" specified. In this case, everyone would get the Fallback profiling since Attribute and SubQuery cannot resolve to a mapped profile (unusual scenario, but possible).
Fallback profiles will not be used when:
The "Require Attribute" field is checked. This is because you have chosen to deny Internet access to users who fail to map via the users LDAP attribute value, hence there is no need to use the Fallback Profile assignments, users will simply be denied Internet access.
OK (above) adds the mapping (shown below).
To modify an existing mapping, simply select it, choose profile assignments using the pick-lists, and click OK. The new Web Access or IM/P2P Access profile value will be displayed in the mapping.
Delete removes any selected mapping (Bogus is selected below). Check verifies that the group exists on the LDAP server, particularly useful if you manually enter an attribute value, create the value later on LDAP, and need to validate a new iPrism mapping later. Below, the manually entered "Bogus" group (i.e., did not use Select button) does not exist, as reflected in the Notice.
|
|
|
Note: You cannot enable Auto-Login until you perform LDAP profile mapping above.
Once your LDAP Profile Mappings are completed, you may optionally enable Auto-Login for the appropriate networks by performing the following steps:
Go to Access → Networks and Select a Network
For your networks, select HTTPS or HTTP and check Auto-Login.
Selecting Auto-Login will enable the timeout options, which can be important for user session management and control. Re-authentication should be transparent to users.
You may find it useful to exercise or test LDAP authentication and Auto-Login using the Real-Time Monitor, see:
Using RTM as a Diagnostic Tool
Note: Sessions may be terminated using the manual iPrism logout. This may be helpful when testing. The url "http://iprism-name-or-ip/logout" will display an iPrism logout page for explicitly terminating an iPrism session.
LDAP diagnostics includes new options, see:
Checking User's LDAP Authentication Credentials
If you have connectivity problems with an LDAP server accessed via the external interface, you may need to enable external communication on your iPrism from Access → Networks (External checkbox, per network)
Below is a table
of 
message examples (subject to change). These occur when
data in specific LDAP tab fields is incorrect or missing. Note:
Currently, you can only test the Backup Server and Port connectivity by
purposely setting the Server/Port fields incorrectly ("Test"
check is serialized). If you get "success" the backup settings
are good, if you get the 2nd example below, your backup settings are incorrect.
|
"Server"
or "Port" |
|
|
"Backup Server"
or "Backup Server Port" |
|
|
"Search DN" |
|
|
"Search Password"
|
|
|
"Search Password" |
|
