Using Active Directory and LDAPScienceLogic Version 8.5.0

Table of Contents

Overview 1Introduction 1What is LDAP? 1What is Active Directory? 1LDAP and Active Directory Terminology 1How Can I use LDAP or Active Directory with the ScienceLogic Platform? 3How Can I View My Company's Active Directory or LDAP? 4

Importing User Accounts from Active Directory or LDAP 5Overview 5Required 5Creating a User Policy for Imported Users 7Defining a Credential for Importing Users from Active Directory or LDAP 11Creating an LDAP/AD Authentication Resource 13Creating an Authentication Profile 21

Using Active Directory or LDAP for Authentication Only 25Overview 25Required Tasks 25Creating a User Account that Will Be Authenticated with Active Directory or LDAP 27Manually Creating a User Account and Manually Defining Account Settings 27Manually Creating a User Account and Using a User Policy to Define Account Settings 29

Defining a Credential for Authenticating with Active Directory or LDAP 31Creating an LDAP/AD Authentication Resource 34Creating an Authentication Profile 38

Example of Importing User Accounts Using Active Directory 42Overview 42Required Tasks 42Example Entry in Active Directory 44Creating a User Policy 44Creating a Credential for Active Directory 46Creating an LDAP/AD Authentication Resource 48Creating an Authentication Profile 52User Login to the ScienceLogic Platform 55

Example of Only Authenticating User Accounts Using LDAP 57Overview 57Required Tasks 57Example Entry in LDAP 59Creating a User Account that Will Be Authenticated with Active Directory or LDAP 59Defining a Credential for Authentication with LDAP 61Creating an LDAP/AD Authentication Resource 64Creating an Authentication Profile 66User Login to the ScienceLogic Platform 70

Overview

Chapter

1Overview

Introduction

This manual is intended for administrators who create and manage user accounts. This manual assumes that youare familiar with LDAP and/or Active Directory. If you are not familiar with LDAP or Active Directory, you will needto work with your LDAP or Active Directory administrator to perform the tasks in this manual.

What is LDAP?

LDAP (Lightweight Directory Access Protocol) is an application protocol for directory services that runs over TCP/IP.An LDAP directory server provides system administrators with a centralized tool for authenticating users andmanaging user access on a network and the devices in the network.

What is Active Directory?

Active Directory is Microsoft's implementation of LDAP. Although Active Directory includes some platform-specificfeatures that differ from a standard LDAP implementation, the terminology used in the ScienceLogic platform isalso used by LDAP and Active Directory.

LDAP and Active Directory Terminology

A directory (either LDAP or Active Directory) is organized in a tree structure. To understand how directories workwith the ScienceLogic platform, you should understand the following terms:

l Entry. A directory tree is made up of entries. Each entry can have a parent entry and multiple child entries. Anentry is made up of attributes.

1

1

2

l Object Class. All LDAP and AD entries in the directory have a type. That is, each entry belongs to one ormore object classes that identify the type of data represented by the entry. The object class specifies themandatory and optional attributes that can be associated with an entry of that class. The object classes for allobjects in the directory form a class hierarchy. The classes "top" and "alias" are at the root of the hierarchy. Forexample, the "organizationalPerson" object class is a subclass of the "Person" object class, which in turn is asubclass of "top". When creating a new entry, you must always specify all of the object classes to which thenew entry belongs.

l Attribute. Each entry in the directory is made up of attributes. Each attribute is made up of an attribute nameand one or more attribute values. For example, for the attribute "SN", the name of the attribute is "SN", shortfor surname. The value could be "Jones". The combination of SN and its value make up an attribute.

l Domain. Usually the root of a directory tree. Each directory system includes at least one domain. The domainincludes the directory server and its clients. Most directories use DNS names as domain names. For example,a directory could use the domain "acme.com".

l DC. A domain is made up of DC (domain components). If a directory uses the domain "acme.com", thedirectory will have two DCs: "dc=acme, dc=com".

l DN. Each entry is assigned a DN (distinguished name). The DN is a unique identifier for the entry. The DNincludes an RDN (relative distinguished name) constructed from some attribute(s) in the entry, followed by theparent entry's DN. Think of the DN as a full filename and the RDN as a relative filename in a folder. An entry'sDN might change over the lifetime of the entry. For example, an entry's DN might change when parent andchild entries are moved within the directory tree.

l RDN. The RDN (relative distinguished name) is a unique identifier for the entry. For a user, the RDN isfrequently the user's full name. An RDN is made up of one or more attributes.

l OU. An OU (organizational unit) allows you to create a hierarchical structure to your directory tree. Somecommon OUs are "ou=people" or "ou=devices". An OU is referenced with its full path, for example"ou=Users, ou=ScienceLogicHQ, DC=ScienceLogic, DC=local".

l Search Base. A search base specifies the location in the directory from which to begin a search. Search baseis specified with a DN.

l Bind. In directory applications, a bind operation authenticates and allows access to the server where thedirectory resides.

l uid. Attribute for user ID. This attribute can be used in the ScienceLogic platform.

l CN. Attribute for common name. This attribute is usually assigned a value that contains the user's first nameand last name.

Overview

Overview

LDAP and Active Directory are binary protocols. However, you can use LDIF (LDAP data interface format) to viewdirectory data. In LDIF, a directory entry for a user might look like this:

dn: cn=John Doe,dc=company,dc=comcn: John DoegivenName: Johnsn: Doeuid: jdoetelephoneNumber: +1 888 555 6789telephoneNumber: +1 888 555 1234mail: jdoe@company.comstreet: 123 Commonwealth Avenuel: Bostonst: MassachusettspostalCode: 02134manager: cn=Sally Smith,dc=company,dc=comobjectClass: inetOrgPersonobjectClass: organizationalPersonobjectClass: personobjectClass: top

l dn is the unique identifier for the entry. The combination of CN plus the root domain uniquely identifies thisentry. Note that a dn is an identifier and not an attribute.

o "cn=John Doe" is the entry's RDN (Relative Distinguished Name). The value of the CN attributeuniquely identifies this entry within its groups and domain.

o "dc=company,dc=com" is the DN of the parent entry, where dc denotes Domain Component. Sothe parent entry for John Doe is the domain "company" within the domain "com".

l The remaining lines display the attributes for this entry. Attribute names are usually mnemonic strings, like"sn" for surname, "givenname" for first name, and "st" for state.

How Can I use LDAP or Active Directory with the ScienceLogicPlatform?

Administrators can use LDAP or Active Directory to authenticate users. There are two ways to use LDAP or ActiveDirectory authentication with the ScienceLogic platform:

1. You can configure the ScienceLogic platform to automatically create user accounts in the platform for allexisting LDAP or Active Directory users and then always use LDAP or Active Directory to authenticate thoseusers when they log in to the ScienceLogic platform.

l Each user logs in to the ScienceLogic platform, either through the login page, a CAC card orcertificate, or HTTP. The user logs in to the ScienceLogic platform using an LDAP or AD attribute valueas a login name and the LDAP or AD password.

l The ScienceLogic platform examines the login request and applies the appropriate AuthenticationProfile (and the appropriate Authentication Resource).

3

1

4

l the ScienceLogic platform then authenticates the user by communicating with the LDAP or ActiveDirectory server.

l the ScienceLogic platform then creates a ScienceLogic account for the user, using both the mappingsdefined in the Authentication Resource and a ScienceLogic user policy.

l the ScienceLogic platform displays the default page in the platform.

2. You can use LDAP or Active Directory to authenticate one or more users when they log in to the ScienceLogicplatform. You can also specify that the ScienceLogic platform won't authenticate other LDAP or ActiveDirectory users.

l Each user logs in to the ScienceLogic platform, either through the login page, a CAC card orcertificate, or HTTP. The user logs in to the ScienceLogic platform using an LDAP or AD attribute valueas a login name and the LDAP or AD password.

l the ScienceLogic platform examines the login request and applies the appropriate AuthenticationProfile (and the appropriate Authentication Resource(s)).

l the ScienceLogic platform then authenticates the user by communicating with the LDAP or ActiveDirectory server.

How Can I View My Company's Active Directory or LDAP?

Some of the steps in this manual require you to be familiar with the structure of your company's Active Directoryimplementation or LDAP implementation.

To view your company's Active Directory structure, talk to your Active Directory administrator, and try using a toollike ldp.exe.

l To download ldp.exe, go to http://technet.microsoft.com/en-us/library/cc772839(WS.10).aspx and followthe instructions.

l For information on using ldp.exe, see http://support.microsoft.com/kb/224543.

To view your company's LDAP structure, talk to your LDAP administrator, and try using a tool like phpLDAPAdmin.

l To download phpLDAPAdmin, go to http://phpldapadmin.sourceforge.net/wiki/index.php/Download.

l For information on using phpLDAPAdmin, see http://phpldapadmin.sourceforge.net/wiki/index.php/Main_Page.

Overview

Importing User Accounts from Active Directory or LDAP

Chapter

2Importing User Accounts from Active Directory

or LDAP

Overview

If you have created Active Directory or LDAP accounts for users and do not want to manually create accounts againin the ScienceLogic platform, you can configure the platform to automatically create accounts for Active Directoryusers or LDAP users.

Each Active Directory or LDAP user logs in to the ScienceLogic platform using his or her Active Directory or LDAPusername and password, and the platform automatically creates an account for that user. Each subsequent timethat user logs in to the platform, the platform will use Active Directory or LDAP to authenticate that user.

Required

To configure the ScienceLogic platform to automatically create accounts for existing LDAP or AD users, you mustperform the following steps:

1. Create one or more user policies that define account properties and privilege keys in the ScienceLogicplatform for imported LDAP users or AD users.

l When creating the user policy, you must select LDAP/Active Directory in the Authentication Methodfield.

l You can create more than one user policy for imported user accounts.

o For example, suppose you want to import 100 user accounts. But suppose not all these usersrequire access to the same parts of the ScienceLogic platform. You could define multiple userpolicies, each defining a unique sets of ticket queue-memberships, organization membership, andAccess Keys.

5

2

6

o For example, you could define a user policy for imported user accounts from the Sales department,another user policy for imported user accounts from the Support department, and yet another userpolicy for imported user accounts from the NOC department.

l Later, in the LDAP/AD Auth Resource Editor page (System > Settings > Authentication> Resources > create/edit LDAP/AD Resource), you specify the user policy to apply to imported useraccounts.

o If you have created only one user policy for all imported accounts, you select the option for Staticpolicy alignment and then select the single user policy.

o If you have created multiple user policies for imported user accounts, you select the option forDynamic policy alignment and then assign a user policy to each type of imported user, based onan LDAP or AD attribute. For example, "department".

2. Create an LDAP or AD credential that allows the ScienceLogic platform to read from (and optionally, writeto) the LDAP or AD directory.

3. Define the LDAP/AD Authentication Resource.

l Specify how the ScienceLogic platform should communicate with the LDAP or Active Directory serverand exchange information with the LDAP or Active Directory server.

l Specify how the ScienceLogic platform should map LDAP or AD attribute values to fields in theAccount Properties page.

l Specify whether the ScienceLogic platform should remain synced with the LDAP/AD server. If an LDAPor AD administrator makes changes to an account, the ScienceLogic platform can automaticallyretrieve those updates and apply them to the user's account in the ScienceLogic platform (in theAccount Propertiess page) the next time the user logs in to the ScienceLogic platform.

l In the Type field, specify one of the following:

o Static policy alignment. All user accounts imported from LDAP or AD will use a single user policy.

o Dynamic policy alignment. User accounts imported from LDAP or AD will usemultiple userpolicies.

l If you selected Static policy alignment in the Type field, then you must select a policy in the Policy field.All users who use the Authentication Resource will use this policy.

l If you selected Dynamic policy alignment in the Type field, then you must supply values in theAttribute, Value, and Policy fields.

o In the Attribute field, specify the LDAP or AD ) attribute you want to use to differentiate importeduser accounts. For example, you could select the attribute "department" and then assign differentuser policies to import user accounts from different departments.

o In the Value field, specify one of the possible values for the LDAP or AD attribute (specified in theAttribute field).

o In the corresponding Policy field, specify the policy you want to associate with that value. Selectfrom a list of all user policies.

Importing User Accounts from Active Directory or LDAP

Importing User Accounts from Active Directory or LDAP

o Click the plus-sign icon ( ) to add additional values and policies, as needed.

o For example, suppose you specified department in the Attribute field. Suppose that the departmentattribute could have two possible values: Sales orNOC.

o Suppose you created two user policies. One user policy, called Sales User Policy, includes theappropriate ticket queues and access keys for Sales personnel. Another user policy, calledNOCUser Policy, includes the appropriate ticket queues and access keys for NOC personnel.

o In one of the Value fields, you could specify Sales. In the corresponding Policy field, you could thenspecify Sales User Policy.

o You could then click on the plus-sign icon ( ) and add another Value field and another Policyfield.

o In the next Value field, you could specifyNOC. In the corresponding Policy field, you could specifyNOCUser Policy.

o After defining these two Value fields and corresponding Policy fields, user accounts from the Salesdepartment would be imported into the ScienceLogic platform using the Sales User Policy.

o User accounts from the NOC department would be imported into the ScienceLogic platform usingthe NOCUser Policy.

4. Define one or more Authentication Profiles that tell the ScienceLogic platform how to recognizeLDAP/AD users and which Authentication Resource to use with those users.

5. After completing these steps:

l Each LDAP/AD user must log in to the ScienceLogic platform using the LDAP or AD user name and theLDAP or AD password.

l The ScienceLogic platform will examine the hostname or IP address in the incoming URL request toalign the user with an Authentication Profile.

l The Authentication Profile tells the ScienceLogic platform which Authentication Resources to use toauthenticate the user.

l The ScienceLogic platform will use the settings and the credentials defined in the LDAP/ADAuthentication Resource to query the LDAP or AD directory to authenticate each user.

l Optionally, the ScienceLogic platform will use the mappings and the user policy specified in theLDAP/AD Authentication Resource to create each user account. The user name will match the SearchField in the LDAP/AD Authentication Resource.

Creating a User Policy for Imported Users

User Policies allow you to define a custom set of account properties and privileges (from the Account Permissionspage) and then save them as a policy.

A user policy allows you to define:

l Login State

l Authentication Method

7

2

8

l Ticket Queue Memberships

l Primary Organization and other Organization Memberships

l Theme

l Time Zone

l Access Keys

When you configure the ScienceLogic platform to automatically create user accounts for Active Directory users orLDAP users, you must define one or more user policies for those imported accounts. Because you will not becreating the accounts manually and then manually defining the account properties, the platform uses the userpolicy to define the properties for the user account.

You can create more than one user policy for imported user accounts.

For example, suppose you want to import 100 user accounts from Active Directory. But suppose not all these usersrequire access to the same parts of the platform. You could define multiple user policies, each defining a uniqueset of ticket queue memberships, organization membership, and Access Keys.

For example, you could define a user policy for imported user accounts from the Sales department, another userpolicy for imported user accounts from the Support department, and yet another user policy for imported useraccounts from the NOC department.

Later, in the LDAP/AD Auth Resource Editor page (System > Settings > Authentication > Resources >create/edit LDAP/AD Resource), you specify the user policy to apply to imported user accounts. When doing this,you could tell the ScienceLogic platform to examine the value of the attribute "department" to determine thedepartment associated with each user account. You could then tell the platform to assign the sales policy to usersfrom the sales department, the support policy to users from the support department, and so on.

To create a user policy that will configure imported user accounts:

1. Go to the User Policies page (Registry > Accounts > User Policies).

Importing User Accounts from Active Directory or LDAP

Importing User Accounts from Active Directory or LDAP

2. In the User Policies page, click the [Create] button. The User Policy Properties Editor page appears.

3. In the User Policy Properties Editor page, supply a value in each field:

l Policy Name. Name of the user policy. Can be any combination of alphanumeric characters, up to64 characters in length.

l Login State. Specifies whether user accounts created with the policy can log in to the platform.Choices are:

o Active. Means user accounts created with this policy are active and can log in to the platform.

o Suspended. Means that user accounts created with this policy are not active and cannot log in tothe platform.

NOTE: The Login Statemust be set to Active before you can successfully import users from Active Directory orLDAP.

l Account Type. This drop-down list contains an entry for each standard account type. These accounttypes affect the list of Access Keys for the user. The choices are:

o Administrator. By default, administrators are granted all permissions available in the platform.Administrators can access all tabs and pages and perform all actions and tasks.

9

2

10

o User. Accounts of type "user" are assigned Access Keys. Access Keys are customizable by theadministrator, and grant users access to pages and tabs and permit users to view information andperform tasks in the platform. These Access Keys are defined by the system administrator from theAccess Keys page (System >Manage > Access Keys).

l Password Strength, Password Expiration, Password Shadowing, Require Password Reset.These fields aren't used for LADAP/AD Authentication, so you can skip these fields.

l Authentication Method. Select LDAP/Active Directory. The user's username and password will thenbe authenticated by the Active Directory server or the LDAP server.

l Restrict to IP. If selected, the user will be allowed to access the platform only from the specified IP.Specify the IP address in standard dotted-decimal notation.

l Event Console Default Display. Specifies how the Event Console page will appear by default.Choices are:

o Flat events table. Displays all events, grouped by severity. The filter-while-you-type fields and theadvanced filter tool apply to the entire list of events. You can apply a single filter to events inmultiple organizations.

o Group events table by organization. Events will be grouped by organization in the Event Consolepage. The filter-while-you-type fields and the advanced filter tool will appear for each organizationgrouping and will act only on the events in that organization grouping. You will not be able to applya single filter to events in multiple organizations.

l Ticket QueueMemberships. Highlight one or more ticket queues of which users will be members.

l Primary Organization. Specifies the primary organization. This will be the default organization foruser accounts created with this policy. You can select from a list of all organizations in the ScienceLogicplatform.

l Theme. Backgrounds, colors, fonts, and graphics that will appear when a user logs in. Themes aredefined in the ThemeManagement page (System > Customize > Themes). You can select from alist of all themes in the ScienceLogic platform.

l Time Zone. The time zone to associate with each user account created with this user policy. Datesand times in the platform will be displayed for the selected time zone.

l Additional Organization Memberships. User accounts created with this user policy will bemembers of each selected organization. This allows users to view and access elements from multipleorganizations. To select, highlight one or more organizations.

l Privilege Keys. The Privilege Keys pane displays a list of Access Keys that can be assigned to theuser's account. Access Keys define the tabs and pages users have access to and the actions that a usermay perform. These Access Keys are defined by the system administrator from the Access Keys page(System >Manage > Access Keys).

o To assign an Access Key to a user, select the checkbox. A check mark appears.

o To deny an Access Key to a user, do not select it.

o After clicking the [Save] button, all selected Access Keys will appear in red.

l Re-Apply All settings to All Policy Members. Because the Require Password Reset field is not usedby LDAP/Ad Authentication, you can skip this field.

Importing User Accounts from Active Directory or LDAP

Importing User Accounts from Active Directory or LDAP

4. Click the [Save] button to save your new user policy.

5. Repeat these steps to create additional user policies for user accounts that will be imported from ActiveDirectory or LDAP.

Defining a Credential for Importing Users from ActiveDirectory or LDAP

Credentials are access profiles (username and password plus additional information) for external systems. Theseprofiles allow the ScienceLogic platform to access external systems while maintaining the security of the accessaccounts. Users see only the name of the credential, not the username, password, and network informationcontained in the credential.

When you configure the platform to automatically create user accounts for Active Directory users or LDAP users,you must define one or more credentials so the platform can communicate with the Active Directory server or LDAPserver. The platform must communicate with the AD server or LDAP server, both to authenticate each user and toretrieve information about each user to include in each user's account.

To define a credential for accessing Active Directory or LDAP:

1. Go to the Credential Management page (System >Manage > Credentials).

2. In the Credential Management page, click the [Actions] drop-down menu. SelectCreate LDAP/ADCredential.

3. The Credential Editormodal page appears. In this page, you can define the new credential.

11

2

12

4. Supply a value in each of the following fields:

l Profile Name. Name of the credential. Can be any combination of alphanumeric characters.

l LDAP Type. Specifies the type of LDAP implementation running on the directory server. Choices areLDAP or Active Directory.

l Hostname/IP. Hostname or IP address of the LDAP or Active Directory server.

l Secure. Specifies whether you are using LDAP over SSL.

l Port. Port number on the LDAP or Active Directory server to which the ScienceLogic platform will sendrequests. If you specifiedNo in the Secure field, the default value is 389. If you specified Yes in theSecure field, the default value is 636. However, you can specify a custom port used by yourorganization.

l Timeout. Number of milliseconds during which the credential should continue to try to contact theLDAP or Active Directory server. After this time elapses, the credential will stop trying to contact theLDAP or Active Directory server.

l RDN (Bind DN / bind user). To configure the ScienceLogic platform to automatically createaccounts when a user logs in with an AD name and password or LDAP name and password, you mustinclude the %u variable in this field.

o If the LDAP or Active Directory structure does not contain all users in a single branch, in this field,you must specify a Bind DN that is allowed to search the LDAP or Active Directory for the userwho is logging in. You must also supply a password for this Bind DN in the Bind Password field.The platform will use the specified Bind DN and password to search the entire LDAP or ActiveDirectory structure for the user who is logging in. When the platform finds the user who is logging in,it will perform a bind using that user's Bind DN and the password supplied during login.

o If the LDAP or Active Directory structure contains all users in a single branch, you can use a variablefor username and then explicitly specify the appropriate ou and dc. In many LDAP or ADconfigurations, each user has read-access to his/her own account. Therefore, you might find it mostuseful to include the %u variable in this field. When an LDAP or AD user logs in to the ScienceLogicplatform, the platform stores the username in the %u variable. The platform then uses the %uvariable to build the bind DN, uses the bind DN to communicate with the LDAP or AD server, andthen authenticates the current user.

n An example entry in the RDN field might be: uid=%u, ou=People, dc=sciencelogic, dc=com

n This creates a DN using the current ScienceLogic login name as the uid.

n You can also include the %d variable in this field. The %d variable represents the name of the LDAPdomain, as specified in the LDAP Domain field.

l Bind Password. Password that allows access to the Active Directory server or the LDAP server. In most cases,when you specify a bind password in a credential, you are creating a "write" credential (that is, a credentialthat allows the platform to make changes to the LDAP or AD server). Most Active Directory andLDAP configurations do not require a password for "read-only" access. To import information from the ADserver or LDAP server and authenticate the imported user, the platform requires only "read-only" access.

l LDAP Domain. If your LDAP or Active Directory configuration includes multiple domains, specify the domaincomponents to bind to in this field. For example, you could specify:

dc=reston, dc=ScienceLogic, dc=local.

Importing User Accounts from Active Directory or LDAP

Importing User Accounts from Active Directory or LDAP

o This example would bind to the sub-domain "reston", in the domain "sciencelogic", in the domain"local".

l User Search Base. Specify the area in the AD directory or LDAP directory where users to be authenticatedand automatically added to the platform reside, using RDN notation. The search base tells the platform whichpart of the external directory tree to search. For example, if you want all users in the ou called "Users", in theparent ou called "ScienceLogicHQ", in the domain ScienceLogic.local to be automatically added to theplatform, you could specify the RDN that includes those ous and that specific domain.

ou=Users,ou=ScienceLogicHQ,dc=ScienceLogic, dc=local

o This example would allow the platform to authenticate users in the ou called "Users" in the parent ou"ScienceLogicHQ", and also authenticate all users in any ou underneath "Users".

NOTE: For details on search syntax for Active Directory, see http://msdn.microsoft.com/en-us/library/aa746475(VS.85).aspx. For details on the search syntax for LDAP, seehttp://www.faqs.org/rfcs/rfc2254.html.

l User Search Scope. In this field, you specify whether the ScienceLogic platform should search onlythe directory specified in User Search Base or whether EM7 should search the directory specified inUser Search Base and all its child branches.

o Subtree. The ScienceLogic platform should search the directory specified in the User Search Basefield and also search all its child branches.

o One Level.The ScienceLogic platform should search only the directory specified in the User SearchBase field.

5. Click the [Save] button to save your changes to the credential.

Creating an LDAP/AD Authentication Resource

An Authentication Resource is a configuration policy that describes how the ScienceLogic platform shouldcommunicate with a user store. In this manual, the user store is an LDAP or Active Directory user store. TheLDAP/AD Auth Resource Editor page allows you to define an Authentication Resource for use with an LDAP/ADuser store. An LDAP/AD Authentication Resource specifies the connector (communication software) to use tocommunicate with the LDAP/AD user store and the credential to use to connect to the user store. An LDAP/ADAuthentication Resource can also map attributes from the user's LDAP/AD account to fields in the user account onthe ScienceLogic platform.

In the LDAP/AD Auth Resource Editor page (System > Settings > Authentication > Resources > create/editLDAP/AD Resource), you can:

l Specify the credential that allows the platform to communicate with the Active Directory server or the LDAPserver.

l Specify the area in the Active Directory server or LDAP server that contains the users to be imported.

13

2

14

l Specify the user policy to use for each imported user account. You can use multiple user polices and mappolicies to user accounts (using AD attributes and LDAP attributes).

l Map the values from an Active Directory account or LDAP account to corresponding values in the newaccount.

l Specify whether the platform should automatically update each user's account in the platform when thecorresponding account is edited in Active Directory or LDAP.

l Specify whether the platform should automatically update each user's account in Active Directory or LDAPwhen the corresponding account is edited in the platform.

Additionally, Authentication Profiles are policies that align user accounts with one or more AuthenticationResource. Authentication Profiles are described later in this chapter.

To create an LDAP/AD Authentication Resource:

1. Go to the Authentication ResourceManager page (System > Settings > Authentication > Resources).

Importing User Accounts from Active Directory or LDAP

Importing User Accounts from Active Directory or LDAP

2. In the Authentication ResourceManager page, click the [Actions]menu and then selectCreateLDAP/AD Resource. The LDAP/AD Auth Resource Editor page appears.

3. Complete he following fields:

Basic Settings

l Name. Name of the LDAP/AD Authentication Resource.

l Read Credential. Credential that allows the ScienceLogic platform to read data from an LDAP orActive Directory server. Select from a list of all LDAP and Active Directory credentials to which you haveaccess. If this field has been set to a credential to which you do not have access, this field will displaythe value Restricted Credential. If you set this field to a different credential, the entry for RestrictedCredential will be removed from the field; you will not be able to re-align the field with the RestrictedCredential.

l Write Credential. Credential that allows the ScienceLogic platform to write data to an LDAP or ActiveDirectory server. Select from a list of all LDAP and Active Directory credentials to which you haveaccess. If this field has been set to a credential to which you do not have access, this field will displaythe value Restricted Credential. If you set this field to a different credential, the entry for RestrictedCredential will be removed from the field; you will not be able to re-align the field with the RestrictedCredential.

NOTE: Your organization membership(s) might affect the list of credentials you can see in the Read

15

2

16

l User Name Suffix. Optional field. Because the ScienceLogic platform can authenticate againstmultiple LDAP or Active Directory servers, there is a risk of collision among user names. In this field,you can enter a string to append to the user name in the ScienceLogic platform, to minimize risk ofcollision. For example:

o You can supply the value %attribute_name%, where attribute_name is an AD or LDAP attribute.The ScienceLogic platform will use the value of the attribute as the username.

o You can enter one or more AD or LDAP attribute names, surrounded by percent signs (%), with textpreceding it and/or text appended. The ScienceLogic platform will retrieve the value of the attributeand use that value plus any preceding text or appended text as the username.

o You can enter a string, with no AD or LDAP attribute specified. When you don't specify an AD orLDAP attribute in this field, the ScienceLogic platform will retrieve the uid attribute and append thestring you specify in this field. The ScienceLogic platform will then use the value in the the uid plusthe appended string as the username.

n Suppose we entered@ad.local in this field.

Suppose the next LDAP/AD user logs into the ScienceLogic platform with the usernamebishopbrennan.

The ScienceLogic platform will log in that user as bishopbrennan@ad.local.

n Suppose we entered%sn%-external in this field.

Suppose the next SSO user logs in to the ScienceLogic platform with their sn (last name) attribute ofkrilly.

The ScienceLogic platform will log in that user as krilly-external.

NOTE: A best practice is to use email addresses as usernames to avoid collisions.

l Search Filter. Specifies where to find the user's account information in LDAP or Active Directory. Youmust tell the ScienceLogic platform where to find the LDAP or AD attribute that maps to the user'saccount name in the ScienceLogic platform.

For example, an LDAP user might use his/her uid value to log in to the ScienceLogic platform. In theuser account in the ScienceLogic platform, that uid value will then become the user's Account LoginName.

You can use the following variables in the search filter:

o %u. Login name in the ScienceLogic platform.

o %e. Email address.

Importing User Accounts from Active Directory or LDAP

Importing User Accounts from Active Directory or LDAP

o An example search filter for LDAP might be:

(&(objectClass=person)(uid=%u))

This says to search in the object class called "person" for the uid that matches the login name enteredwhen the user logs in to the ScienceLogic platform and then stored in the variable %u.

o An example search filter for Active Directory might be:

(samaccountname=%u)

This says to search for the samaccountname attribute that matches the login name (entered whenthe user logs in to the ScienceLogic platform and then store in the variable %u).

o For more information on the syntax of LDAP and AD search filters, see RFC 4515.

l Sync directory values to EM7 on login. If an LDAP or AD administrator makes changes to an LDAPor AD account, the ScienceLogic platform will automatically retrieve those updates and apply them tothe user's account in the ScienceLogic platform (in the Account Properties page) the next time theuser logs in to the ScienceLogic platform.

l Sync EM7 values to directory on save. If an administrator made changes to the user account in theScienceLogic platform, the ScienceLogic platform will automatically write those changes to the user'saccount in LDAP or Active Directory. This option requires a write credential.

Attribute Mapping

If you have configured the ScienceLogic platform to automatically create accounts in theScienceLogic platform for LDAP or AD users, these fields specify the LDAP or AD attribute value thatwill be automatically inserted into each field in each user's Account Properties page.

The ScienceLogic platform automatically populates as many of these fields as possible. You can editor delete the default values provided by the ScienceLogic platform.

For example, the ScienceLogic platform automatically inserts the value of the LDAP/AD attribute "sn"(surname) into the Last Name field in each user's Account Properties page (Registry > Devices >Device Manager.

NOTE: the ScienceLogic platform requires that the LDAP or AD attribute name that you specify in each fielduses all lowercase characters.

l First Name. Specifies the LDAP or AD attribute value that will be automatically inserted into the FirstName field in each user's Account Properties page. By default, the ScienceLogic platform inserts thevalue of the LDAP/AD attribute "givenname" into this field.

l Last Name. Specifies the LDAP or AD attribute value that will be automatically inserted into the LastName field in each user's Account Properties page. By default, the ScienceLogic platform inserts thevalue of the LDAP/AD attribute "sn" into this field.

17

2

18

l Title. Specifies the LDAP or AD attribute value that will be automatically inserted into the Title field ineach user's Account Properties page.

l Department. Specifies the LDAP or AD attribute value that will be automatically inserted into theDepartment field in each user's Account Properties page.

l Phone. Specifies the LDAP or AD attribute value that will be automatically inserted into the Phonefield in each user's Account Properties page. By default, the ScienceLogic platform inserts the valueof the LDAP/AD attribute "telephonenumber" into this field.

l Fax. Specifies the LDAP or AD attribute value that will be automatically inserted into the Fax field ineach user's Account Properties page.

l Mobile. Specifies the LDAP or AD attribute value that will be automatically inserted into theMobilefield in each user's Account Properties page. By default, the ScienceLogic platform inserts the valueof the LDAP/AD attribute "mobile" into this field.

l Pager. Specifies the LDAP or AD attribute value that will be automatically inserted into the Pager fieldin each user's Account Properties page.

l Primary Email. Specifies the LDAP or AD attribute value that will be automatically inserted into thePrimary Email field in each user's Account Properties page. By default, the ScienceLogic platforminserts the value of the LDAP/AD attribute "mail" into this field.

l Secondary Email. Specifies the LDAP or AD attribute value that will be automatically inserted into theSecondary Email field in each user's Account Properties page.

l Street Address. Specifies the LDAP or AD attribute value that will be automatically inserted into theStreet Address field in each user's Account Properties page. By default, the ScienceLogic platforminserts the value of the LDAP/AD attribute "streetaddress" into this field.

l Suite/Building. Specifies the LDAP or AD attribute value that will be automatically inserted into theSuite/Building field in each user's Account Properties page.

l City. Specifies the LDAP or AD attribute value that will be automatically inserted into the City field ineach user's Account Properties page. By default, the ScienceLogic platform inserts the value of theLDAP/AD attribute "l" into this field.

l State. Specifies the LDAP or AD attribute value that will be automatically inserted into the State field ineach user's Account Properties page. By default, the ScienceLogic platform inserts the value of theLDAP/AD attribute "st" into this field.

l Postal Code. Specifies the LDAP or AD attribute value that will be automatically inserted into thePostal Code field in each user's Account Properties page. By default, the ScienceLogic platforminserts the value of the LDAP/AD attribute "postalcode" into this field.

l Country. Specifies the LDAP or AD attribute value that will be automatically inserted into the Countryfield in each user's Account Properties page.

l Organization. Specifies the LDAP or AD attribute value that will be used to automatically define thePrimary Organization field in each user's Account Permissions page. You must also specify one ofthe following:

o directory attribute specifies organization ID. The attribute in theOrganization field specifies anorganization ID.

Importing User Accounts from Active Directory or LDAP

Importing User Accounts from Active Directory or LDAP

o directory attribute specifies organization name. The attribute in theOrganization field specifies anorganization name.

o directory attribute specifies organization CRM ID. The attribute in theOrganization field specifiesthe CRM ID of an organization.

NOTE: To use Attribute Mapping forOrganization, your LDAP/AD schema must include an attribute thatmaps toOrganization names in the ScienceLogic platform, Organization IDs in the ScienceLogicplatform, or Organization CRM IDs in the ScienceLogic platform.

NOTE: When you create a new LDAP/AD user, you must align a user policy with that user. If the aligned userpolicy specifies an organization for the user, the value from the user policy will overwrite the valuefrom Attribute Mapping.

User Policy Alignment

l Type. Specifies whether the ScienceLogic platform should automatically create accounts in theScienceLogic platform for each LDAP or Active Directory user in the search base (which is specified inthe credential), whether the ScienceLogic platform should simply use LDAP or Active Directory toauthenticate one or more users, or whether the ScienceLogic platform will refuse to authenticatespecific users. Choices are:

o Do not authenticate new users from directory. Only those users who have an account alreadycreated in the ScienceLogic platform can log in to the ScienceLogic platform. However, if one ormore users' Account Permissions page specifies LDAP /Active Directory in the AuthenticationMethod field, the ScienceLogic platform will authenticate those users with either LDAP or ActiveDirectory, using the settings and credentials specified in this page.

o Static policy alignment. If an LDAP or AD user logs in to the ScienceLogic platform using the LDAPor AD attribute specified in the Search Filter field, the ScienceLogic platform will automaticallycreate an account for that user. The ScienceLogic platform will use one user policy (specified inthe Policy field) to create all imported LDAP or AD user accounts. The ScienceLogic platform willalso use the settings and credentials specified in this page when creating the account.

o Dynamic policy alignment. If an LDAP or AD user logs in to the ScienceLogic platform using theLDAP or AD attribute specified in the Search Filter field, the ScienceLogic platform willautomatically create an account for that user. The ScienceLogic platform will choose from amongmultiple user policies to create imported LDAP or AD user accounts. For example, some importeduser accounts might use "user policy A"; other imported user accounts might use "user policy B".The ScienceLogic platform will also use the settings and credentials specified in this page whencreating the account.

19

2

20

NOTE: If you have dynamic policy alignment configured, each time a user logs in using an account that isaligned with a user policy that uses LDAP/AD authentication, the platform will perform the attributematch and reassign a user policy if the attribute has changed.

If you selected Static policy alignment in the Type field, you must supply a value in the Policy field:

l Policy. Specifies the user policy to use to automatically create an account in the ScienceLogic platformfor each LDAP or AD user. Select from a list of all user policies that specify LDAP /Active Directory inthe Authentication Method field.

If you selected Dynamic policy alignment in the Type field, you must supply values in the Attribute,Value, and Policy fields.

l In the Attribute field, specify the LDAP or AD attribute you want to use to differentiate imported useraccounts. For example, you could select the attribute "department" and then assign different userpolicies to import user accounts from different departments. You can also use this field to excludeLDAP or AD accounts for which you do not want to create an account in the ScienceLogicplatform.

l In the Value field, specify one of the possible LDAP or AD attribute values (specified in the Attributefield). the ScienceLogic platform will compare the value in this field to the retrieved value for theAttribute.

l In the corresponding Policy field, choose one of the following:

o Do Not Authenticate. If the retrieved value of the specified Attributematches the value in theValue field, the ScienceLogic platform will not authenticate the user. This setting applies to newusers for whom LDAP or Active Directory would have to create a new account in the ScienceLogicplatform and for users who already have an account in the ScienceLogic platform.

o the policy you want to associate with that value. Select from a list of all user policies that specifyLDAP /Active Directory in the Authentication Method field.

o For example, suppose you specified "department" in the Attribute field. Suppose that the"department" attribute could have two possible values: "Sales" or "NOC".

o Suppose you created two user policies. One user policy, called "Sales User Policy", includes theappropriate ticket queues and access keys for Sales personnel. Another user policy, called "NOCUser Policy", includes the appropriate ticket queues and access keys for NOC personnel.

o In one of the Value fields, you could specify "Sales". In the corresponding Policy field, you couldthen specify "Sales User Policy".

o In the next Value field, you could specify "NOC". In the corresponding Policy field, you couldspecify "NOC User Policy.

o After defining these two Value fields and corresponding Policy fields, user accounts from the Salesdepartment would be imported into the ScienceLogic platform using the Sales User Policy.

o User accounts from the NOC department would be imported into the ScienceLogic platform usingthe NOC User Policy.

Importing User Accounts from Active Directory or LDAP

Importing User Accounts from Active Directory or LDAP

o You could also specify status in the Attribute field. Suppose that the status attribute could have twopossible values: active or terminated.

o Whenever an LDAP or AD entry for a user included the status attribute with the value terminated,the ScienceLogic platform could apply the policyDo Not authenticate.

l To define additional Value and Policy fields, click the green plus-sign icon ( ).

NOTE: If a user matches multiple Value entries, the ScienceLogic platform will find the first match and thenstop searching. Therefore, it is important to define the Value/Policy field pairs in the order in whichyou want them applied to users.

4. Click the [Save] button to save your changes to the new Authentication Resource.

Creating an Authentication Profile

An Authentication Profile is a policy for user authentication. Authentication Profiles align user accounts with oneor more Authentication Resources.

l Alignment by pattern matching. The ScienceLogic platform uses the URL or IP address that a user enters ina browser to connect to an Administration Portal, Database Server, or All-In-One Appliance. If the URL orIP address matches the criteria specified in an authentication profile, the ScienceLogic platform willautomatically use the matching profile to perform user authentication.

l Credential Source. Specifies from where the ScienceLogic platform should extract the user name andpassword or certificate to be authenticated. These credentials are passed to the ScienceLogic platform viaHTTP. The ScienceLogic platform then passes the credentials to each Authentication Resource specified inthe Authentication Profile. The Authentication Resources authenticate the credentials with user stores.

l Authentication Resource. Specifies the connector to use to communicate with the user store, the credentialto use to connect to the user store (if applicable), and the URLs to examine during authentication. Also mapsattributes from the user's account in the user store to fields in the the ScienceLogic platform user account.

21

2

22

The Authentication Profiles page allows you to create a new authentication profile. To do so:

1. Go to the Authentication Profiles page (System > Settings > Authentication > Profiles).

2. In the Authentication Profiles page, click the [Create] button.

Importing User Accounts from Active Directory or LDAP

Importing User Accounts from Active Directory or LDAP

3. The Authentication Profile Editormodal page appears. In this page, you can define the new authenticationprofile.

l Name. Name of the Authentication Profile.

l Priority Order. If your the ScienceLogic platform includes multiple Authentication Profiles, theScienceLogic platform evaluates the Authentication Profiles in priority order, ascending. theScienceLogic platform will apply the first Authentication Profile that matches the Hostname or IP in thecurrent URL AND has the lowest value in the Priority Order field.

l Pattern Type. Specifies how the ScienceLogic platform will evaluate the value in the AP HostnamePattern field. Choices are:

o Wildcard. The ScienceLogic platform will perform a text match, with wildcard characters (asterisks).

o Regex. The ScienceLogic platform will use regular expressions to compare the AP HostnamePattern to the current session information.

l AP Hostname Pattern. This field is used to match the URL or IP address that a user enters in abrowser to connect to an Administration Portal, Database Server, or All-In-One Appliance. If the URLor IP address matches the value in this field, the ScienceLogic platform applies the AuthenticationProfile to the user for the current session.

o For example, if you specify "*" (asterisk), any IP address or URL will match. The ScienceLogicplatform will then apply this Authentication Profile to every session on an Administration Portal,Database Server, or All-In-One Appliance.

o If you enter "192.168.38.235", the ScienceLogic platform will apply the Authentication Profile toeach session on an Administration Portal, Database Server, or All-In-One Appliance where theuser enters "192.168.38.235" into the browser.

o If you enter “*.sciencelogic.local”, the ScienceLogic platform will apply the Authentication Profile toeach session on an Administration Portal, Database Server, or All-In-One Appliance where theuser enters a URL ending with ".sciencelogic.local" into the browser.

l Available Credential Sources. This field tells the ScienceLogic platform how to retrieve the user'scredentials from the HTTP request to the ScienceLogic platform. To align a credential source with theAuthentication Profile, highlight the credential source and click the right-arrow button. You can selectzero, one, or multiple credential sources for the Authentication Profile. Initially, this pane displays a listof all the credential sources:

o CAC/Client Cert. The ScienceLogic platform will retrieve a certificate from the HTTP request.

o EM7 Login Page. The ScienceLogic platform will retrieve a user name and password from the theScienceLogic platform login page fields.

o HTTP Auth. The ScienceLogic platform will retrieve a user name and password from the HTTPrequest.

l Aligned Credentials Sources. This field displays the list of credential sources that have been alignedwith the Authentication Profile. The Authentication Profile will examine each credential source in theorder in which it appears in this list. When the Authentication Profile finds the user's credential, theAuthentication Profile stops examining any remaining credential sources in the list.

23

2

24

l Available Authentication Resources.This field tells the ScienceLogic platform which AuthenticationResources to use to authenticate the retrieved credentials. To align an Authentication Resource withthe Authentication Profile, highlight the Authentication Resource and click the right-arrow button. Youmust select at least one Authentication Resource and can select more than one.

l Aligned Authentication Resources. This field displays the list of Authentication Resources that havebeen aligned with the Authentication Profile. The Authentication Profile will examine eachAuthentication Resource in the order in which it appears in this list. When an Authentication Resourcesuccessfully authenticates the user, the Authentication Profile stops executing any remainingAuthentication Resources in the list.

4. Click the [Save] button to save your changes to the new authentication profile.

Importing User Accounts from Active Directory or LDAP

Using Active Directory or LDAP for Authentication Only

Chapter

3Using Active Directory or LDAP for

Authentication Only

Overview

If you have already created accounts for users in the ScienceLogic platform, you can use Active Directory or LDAPto authenticate one or more of those users. Each time an Active Directory or LDAP user logs in to the ScienceLogicplatform using his/her Active Directory or LDAP username and password, the platform will use Active Directory orLDAP to authenticate that user.

Required Tasks

You can use LDAP or Active Directory to authenticate one or more users when they log in to the ScienceLogicplatform. You can also specify that the ScienceLogic platform should not authenticate other LDAP or ActiveDirectory users.

l Each user logs in to the ScienceLogic platform, either through the login page, a CAC card or certificate, orHTTP. The user logs in to the ScienceLogic platform using an LDAP or AD attribute value as a login nameand the LDAP or AD password.

l The ScienceLogic platform examines the login request and applies the appropriate Authentication Profile(and the appropriate Authentication Resource(s)).

l The ScienceLogic platform then authenticates the user by communicating with the LDAP or Active Directoryserver.

25

3

26

If you want to use LDAP or Active Directory to only authenticate users (that is, you do not want the platform to importuser accounts from Active Directory or LDAP), you must manually create accounts in the ScienceLogic platform andspecify LDAP or AD authentication. To do this:

1. Create a user account in the ScienceLogic platform. You can either create the account manually or youcan use a user policy to create the account.

l When creating the user policy, you must select LDAP/Active Directory in the Authentication Methodfield in the User Policy Properties Editor page ([[[Undefined variable Clickpaths.User PolicyProperties Editor]]]).

l When creating the user account, you must specify select LDAP/Active Directory in the AuthenticationMethod field in the Account Permissions page (Registry > Accounts > User Accounts > edit useraccount)

2. Create an Active Directory or LDAP credential that allows the platform to read from (and optionally, writeto) the AD or LDAP directory. This credential allows the platform to connect to Active Directory or LDAP andauthenticate user accounts.

3. Define the LDAP/AD Authentication Resource.

l Specify how the ScienceLogic platform should communicate with the LDAP or Active Directory serverand exchange information with the LDAP or Active Directory server.

l In the Type field, select the following:

o Do not import new users or sync user policies. The ScienceLogic platform will use LDAP or AD onlyto authenticate users and will not create a new user each time an LDAP or AD user attempts toconnect to the ScienceLogic platform.

4. Define one or more Authentication Profiles that tell the ScienceLogic platform how to recognizeLDAP/AD users and which Authentication Resource to use with those users.

5. After completing these steps:

l Each LDAP/AD user must log in to the ScienceLogic platform using the user name and password forthe ScienceLogic platform. This user name must be identical to the LDAP or AD user ID for the user;the password must be identical to the LDAP or AD password.

l The ScienceLogic platform will examine the hostname or IP address in the incoming URL request toalign the user with an Authentication Profile.

l The Authentication Profile tells the ScienceLogic platform which Authentication Resources to use toauthenticate the user.

l The ScienceLogic platform will use the settings and the credentials defined in the LDAP/ADAuthentication Resource to query the LDAP or AD directory to authenticate each user.

Using Active Directory or LDAP for Authentication Only

Using Active Directory or LDAP for Authentication Only

Creating a User Account that Will Be Authenticated withActive Directory or LDAP

User accounts allow users to log in to the ScienceLogic platform and access pages and features in the platform. Ifyou have already created a user account for a user in Active Directory or LDAP, you can create a separate useraccount for that user in the platform and then ask Active Directory or LDAP to authenticate the user account.

There are two ways to create a user account in the platform:

l Manually create a user account and define all account settings.

l Manually create a user account and then apply a user policy to define additional account settings. UserPolicies allow you to define a custom set of account properties and privileges and then save them as a policy.

Both options will be described in the following sections.

Manually Creat ing a User Account and Manually Defining AccountSet t ings

Tomanually create a new user account and manually define account settings:

1. Go to the User Accounts page (Registry > Accounts > User Accounts).

2. In the User Accounts page, click the [Create] button.

3. The Create New Account page appears.

27

3

28

4. In the Create New Account page, enter values in each of the following fields:

l First Name. User's first name. This value can be up to 24 characters in length.

l Last Name. User's last name. This value can be up to 24 characters in length.

l Generate a unique name based on first and last name. Do not select this option.

l Account Login Name. Enter a value that is included in the Active Directory entry or LDAP entryfor the user. For example, you could enter the uid value for the user from LDAP or AD. This value willthen be the login name for the user. To enable AD or LDAP to authenticate the user, the login namemust match a value in the AD or LDAP entry for the user.

l Primary Email. User's email address. This field can be up to 64-characters in length.

l Password. You can enter any password that meets the minimum security requirements. Thepasswordmust be at least four characters in length and can be up to 64 characters in length.

NOTE: During authentication, LDAP or AD will ignore the value in the Password field and instead use thepassword stored in LDAP or AD.

l Confirm Password. The user's password again. This value must be at least four characters in lengthand can be up to 64 characters in length. This password will be overwritten with the AD or LDAPpassword on first login.

l Password Strength. Required strength of the user's password. Must be set to Strong. The passwordwill not be able to be changed through the platform.

l Password Expiration. Set this field toDisabled. The password will not be able to be changed throughthe platform.

l Password Shadowing. Set this field toDefault. The password cannot be changed through theplatform.

l Require Password Reset. Do not select this option. The password cannot be changed through theplatform.

l Organization. The organization of which the new user account will be a member. Users can selectfrom among all organizations in the platform.

l Account Type. Specifies whether the user is a member of a user policy. Choices are:

o Individual. Select this option.User account is not a member of a user policy.

o Policy Membership. User will be defined with a user policy. When selected, the Policy Membershipfield becomes active.

Using Active Directory or LDAP for Authentication Only

Using Active Directory or LDAP for Authentication Only

l Account Type. This drop-down contains an entry for each standard account type. These account typesaffect the list of Access Keys for the user. The choices are:

o Administrator. By default, administrators are granted all permissions available in the platform.Administrators can access all tabs and pages and perform all actions and tasks.

o User. Accounts of type "user" are assigned Access Keys. Access Keys are customizable by theadministrator and grant users access to pages and tabs and permit users to view information andperform tasks in the platform. These Access Keys are defined by the system administrator from theAccess Keys page (System >Manage > Access Keys).

l Login State. Default login state for the user account. The choices are:

o Suspended. Account is not active. User cannot log in to the platform.

o Active. Account is active. User can log in to the platform.

l Authentication Method. Specifies how the user's username and password will be authenticated.Select the following:

o LDAP/Active Directory. Select this option. User's username and password are authenticated by anLDAP server or Active Directory server.

l Restrict to IP. The user will be allowed to access the platform only from the specified IP. Specify the IPaddress in standard dotted-decimal notation.

l Time Zone. Select the appropriate time zone to associate with the user account.

5. Click the [Save] button to save the new user.

Manually Creat ing a User Account and Using a User Policy to DefineAccount Set t ings

You can manually create a user account and then apply a user template to that user account.

If you want to use Active Directory or LDAP to authenticate the user when he/she logs in to the platform, you must:

l Define a user policy before creating the user account. With the exception of the Authentication Methodfield, there are no further requirements for LDAP or AD authentication. You can define the user policy as youwish. For details on creating a user policy, see the manualOrganizations and Users.

l Ensure that the user policy includes the following settings:

o Authentication Method. Specifies how the user's username and password will be authenticated.Select:

n LDAP/Active Directory. Select this option. The user's username and password will beauthenticated by an LDAP server or Active Directory server.

To manually create a user account and apply a user policy to that account:

1. Go to the User Accounts page (Registry > Accounts > User Accounts).

2. In the User Accounts page, click the [Create] button.

29

3

30

3. The Create New Account page appears.

4. In the Create New Account page, enter values in each of the following fields:

l First Name. User's first name. This value can be up to 24 characters in length.

l Last Name. User's last name. This value can be up to 24 characters in length.

l Generate a unique name based on first and last name. Do not select this option.

l Account Login Name. Enter a value that is included in the Active Directory entry or LDAP entryfor the user. For example, you could enter the uid value for the user from LDAP or AD. This value willthen be the login name for the user. To enable AD or LDAP to authenticate the user, the login namemust match a value in the AD or LDAP entry for the user.

l Primary Email. User's email address. This field can be up to 64 characters in length.

l Password. You can enter any password that meets the minimum security requirements. Thepasswordmust be at least four characters in length and can be up to 64 characters in length.

NOTE: During authentication, LDAP or AD will ignore the value in the Password field and instead use thepassword stored in LDAP or AD.

l Confirm Password. The user's password again. This value must be at least four characters in lengthand can be up to 64 characters in length. This password will be overwritten with the AD or LDAPpassword on first login.

l Password Strength. Required strength of the user's password. Must be set to Strong. The passwordwill not be able to be changed through the platform.

l Password Expiration. Set this field toDisabled. The password will not be able to be changed throughthe platform.

Using Active Directory or LDAP for Authentication Only

Using Active Directory or LDAP for Authentication Only

l Password Shadowing. Set this field toDefault. The password cannot be changed through theplatform.

l Require Password Reset. Do not select this option. The password cannot be changed through theplatform.

l Organization. The organization of which the new user account will be a member. Users can selectfrom among all organizations in the platform.

l Account Type. Specifies whether the user is a member of a user policy. Choices are:

o Individual. User account is not a member of a user policy.

o Policy Membership. Select this option. User will be defined with a user policy. When selected, thePolicy Membership field becomes active.

After you select Policy Membership, all remaining fields except Account Templates are disabled.This is because those fields are defined in the user policy.

l Policy Membership. If you selected Policy Membership in the Account Type field, the PolicyMembership field is activated. In this field, you can select a user policy to apply to the new useraccount.

NOTE: Ensure that you select a policy that specifies an Authentication Method of LDAP/Active Directory.

o When a user policy is applied to a user's account, the user inherits the Access Keys specified in theuser policy. Administrators cannot add additional Access Keys or delete Access Keys from the user'saccount unless they edit the user policy.

o When a user policy is edited, each user account that is a member of that template will bedynamically updated.

5. Click the [Save] button to save the new user.

Defining a Credential for Authenticating with Active Directoryor LDAP

Credentials are access profiles (username and password plus additional information) for external systems. Theseprofiles allow the ScienceLogic platform to access external systems while maintaining the security of the accessaccounts. Users see only the name of the credential, not the username, password, and network informationcontained in the credential.

When you define user accounts that are authenticated with Active Directory or LDAP, you must define one or morecredentials, so the platform can communicate with the Active Directory server or LDAP server. The platform mustcommunicate with the AD server or LDAP server to authenticate each specified user.

To define a credential for accessing Active Directory or LDAP:

31

3

32

1. Go to the Credential Management page (System >Manage > Credentials).

2. In the Credential Management page, click the [Actions] drop-down menu. SelectCreate LDAP/ADCredential.

3. The Credential Editormodal page appears. In this page, you can define the new credential.

4. Supply a value in each of the following fields:

l Profile Name. Name of the credential. Can be any combination of alphanumeric characters.

l LDAP Type. Specifies the type of LDAP implementation running on the directory server. Choices areLDAP or Active Directory.

l Hostname/IP. Hostname or IP address of the LDAP or Active Directory server.

l Secure. Specifies whether you are using LDAP over SSL.

l Port. Port number on the LDAP or Active Directory server to which the ScienceLogic platform will sendrequests. If you specifiedNo in the Secure field, the default value is 389. If you specified Yes in theSecure field, the default value is 636. However, you can specify a custom port used by yourorganization.

l Timeout. Number of milliseconds during which the credential should continue to try to contact theLDAP or Active Directory server. After this time elapses, the credential will stop trying to contact theLDAP or Active Directory server.

l RDN (Bind DN / bind user). To configure the ScienceLogic platform to automatically createaccounts when a user logs in with an AD name and password or LDAP name and password, you mustinclude the %u variable in this field.

o If the LDAP or Active Directory structure does not contain all users in a single branch, in this field,you must specify a Bind DN that is allowed to search the LDAP or Active Directory for the userwho is logging in. You must also supply a password for this Bind DN in the Bind Password field.The platform will use the specified Bind DN and password to search the entire LDAP or ActiveDirectory structure for the user who is logging in. When the platform finds the user who is logging in,it will perform a bind using that user's Bind DN and the password supplied during login.

Using Active Directory or LDAP for Authentication Only

Using Active Directory or LDAP for Authentication Only

o If the LDAP or Active Directory structure contains all users in a single branch, you can use a variablefor username and then explicitly specify the appropriate ou and dc. In many LDAP or ADconfigurations, each user has read-access to his/her own account. Therefore, you might find it mostuseful to include the %u variable in this field. When an LDAP or AD user logs in to the ScienceLogicplatform, the platform stores the username in the %u variable. The platform then uses the %uvariable to build the bind DN, uses the bind DN to communicate with the LDAP or AD server, andthen authenticates the current user.

n An example entry in the RDN field might be: uid=%u, ou=People, dc=sciencelogic, dc=com

n This creates a DN using the current ScienceLogic login name as the uid.

n You can also include the %d variable in this field. The %d variable represents the name of the LDAPdomain, as specified in the LDAP Domain field.

l Bind Password. Password that allows access to the Active Directory server or the LDAP server. In most cases,when you specify a bind password in a credential, you are creating a "write" credential (that is, a credentialthat allows the platform to make changes to the LDAP or AD server). Most Active Directory andLDAP configurations do not require a password for "read-only" access. To import information from the ADserver or LDAP server and authenticate the imported user, the platform requires only "read-only" access.

l LDAP Domain. If your LDAP or Active Directory configuration includes multiple domains, specify the domaincomponents to bind to in this field. For example, you could specify:

dc=reston, dc=ScienceLogic, dc=local.

o This example would bind to the sub-domain "reston", in the domain "sciencelogic", in the domain"local".

l User Search Base. Specify the area in the AD directory or LDAP directory where users to be authenticatedand automatically added to the platform reside, using RDN notation. The search base tells the platform whichpart of the external directory tree to search. For example, if you want all users in the ou called "Users", in theparent ou called "ScienceLogicHQ", in the domain ScienceLogic.local to be automatically added to theplatform, you could specify the RDN that includes those ous and that specific domain.

ou=Users,ou=ScienceLogicHQ,dc=ScienceLogic, dc=local

o This example would allow the platform to authenticate users in the ou called "Users" in the parent ou"ScienceLogicHQ", and also authenticate all users in any ou underneath "Users".

NOTE: For details on search syntax for Active Directory, see http://msdn.microsoft.com/en-us/library/aa746475(VS.85).aspx. For details on the search syntax for LDAP, seehttp://www.faqs.org/rfcs/rfc2254.html.

l User Search Scope. In this field, you specify whether the ScienceLogic platform should search onlythe directory specified in User Search Base or whether EM7 should search the directory specified inUser Search Base and all its child branches.

33

3

34

o Subtree. The ScienceLogic platform should search the directory specified in the User Search Basefield and also search all its child branches.

o One Level.The ScienceLogic platform should search only the directory specified in the User SearchBase field.

5. Click the [Save] button to save your changes to the credential.

Creating an LDAP/AD Authentication Resource

An Authentication Resource is a configuration policy that describes how the ScienceLogic platform shouldcommunicate with a user store. In this manual, the user store is an LDAP or Active Directory (AD) user store. TheLDAP/AD Auth Resource Editor page allows you to define an Authentication Resource for use with an LDAP/ADuser store. An LDAP/AD Authentication Resource specifies the connector (communication software) to use tocommunicate with the LDAP/AD user store and the credential to use to connect to the user store. An LDAP/ADAuthentication Resource can also map attributes from the user's LDAP/AD account to fields in the user account onthe ScienceLogic platform.

In the In the LDAP/AD Auth Resource Editor page (System > Settings > Authentication > Resources >create/edit LDAP/AD Resource), you can:

l Specify the credential that allows the platform to communicate with the AD server or the LDAP server.

l Specify the area in the AD server or LDAP server where the user's records reside.

l Specify whether the platform should automatically update each user's account in AD or LDAP when thecorresponding account is edited in the platform.

Additionally, Authentication Profiles are policies that align user accounts with one or more AuthenticationResource. Authentication Profiles are described later in this chapter.

Using Active Directory or LDAP for Authentication Only

Using Active Directory or LDAP for Authentication Only

To create an LDAP/AD Authentication Resource:

1. Go to the Authentication ResourceManager page (System > Settings > Authentication > Resources)

2. In the Authentication ResourceManager page, click the [Actions]menu and then selectCreateLDAP/AD Resource. The LDAP/AD Auth Resource Editor page appears.

3. Complete the following fields:

Basic Settings

l Name. Name of the LDAP/AD Authentication Resource.

35

3

36

l Read Credential. Credential that allows the ScienceLogic platform to read data from an LDAP or ADserver. Select from a list of all LDAP and AD credentials to which you have access. If this field has beenset to a credential to which you do not have access, this field will display the value RestrictedCredential. If you set this field to a different credential, the entry for Restricted Credential will beremoved from the field; you will not be able to re-align the field with the Restricted Credential.

l Write Credential. Credential that allows the ScienceLogic platform to write data to an LDAP or ADserver. Select from a list of all LDAP and AD credentials to which you have access. If this field has beenset to a credential to which you do not have access, this field will display the value RestrictedCredential. If you set this field to a different credential, the entry for Restricted Credential will beremoved from the field; you will not be able to re-align the field with the Restricted Credential.

NOTE: Your organization membership(s) might affect the list of credentials you can see in the ReadCredential field and theWrite Credential field.

l User Name Suffix. Optional field. Because the ScienceLogic platform can authenticate againstmultiple LDAP or AD servers, there is a risk of collision among usernames. In this field, you can enter astring to append to the username in the ScienceLogic platform, to minimize risk of collision. Forexample:

o You can supply the value %attribute_name%, where attribute_name is an AD or LDAP attribute.The ScienceLogic platform will use the value of the attribute as the username.

o You can enter one or more AD or LDAP attribute names, surrounded by percent signs (%), with textpreceding it and/or text appended. The ScienceLogic platform will retrieve the value of the attributeand use that value plus any preceding text or appended text as the username.

o You can enter a string, with no AD or LDAP attribute specified. When you don't specify an AD orLDAP attribute in this field, the ScienceLogic platform will retrieve the uid attribute and append thestring you specify in this field. The ScienceLogic platform will then use the value in the the uid plusthe appended string as the username.

n Suppose we entered@ad.local in this field.

Suppose the next LDAP/AD user logs into the ScienceLogic platform with the usernamebishopbrennan.

The ScienceLogic platform will log in that user as bishopbrennan@ad.local.

n Suppose we entered%sn%-external in this field.

Suppose the next SSO user logs in to the ScienceLogic platform with their sn (last name) attribute ofkrilly.

The ScienceLogic platform will log in that user as krilly-external.

NOTE: A best practice is to use email addresses as usernames to avoid collisions.

Using Active Directory or LDAP for Authentication Only

Using Active Directory or LDAP for Authentication Only

l Search Filter. Specifies where to find the user's account information in LDAP or AD. You must tell theScienceLogic platform where to find the LDAP or AD attribute that maps to the user's account name inthe ScienceLogic platform.

For example, an LDAP user might use his/her uid value to log in to the ScienceLogic platform. In theuser account in the ScienceLogic platform, that uid value will then become the user's Account LoginName.

You can use the following variables in the search filter:

o %u. Login name in the ScienceLogic platform.

o %e. Email address.

o An example search filter for LDAP might be:

(&(objectClass=person)(uid=%u))

This says to search in the object class called "person" for the uid that matches the login name enteredwhen the user logs in to the ScienceLogic platform and then stored in the variable %u.

o An example search filter for ADmight be:

(samaccountname=%u)

This says to search for the samaccountname attribute that matches the login name (entered whenthe user logs in to the ScienceLogic platform and then store in the variable %u).

o For more information on the syntax of LDAP and AD search filters, see RFC 4515.

l Sync directory values to EM7 on login. SelectDisable. This feature is used to automatically updateaccounts in the the ScienceLogic platform .

l Sync EM7 values to directory on save. If an administrator made changes to the user account in theScienceLogic platform, the ScienceLogic platform will automatically write those changes to the user'saccount in LDAP or AD. This option requires a write credential.

Attribute Mapping

Define these settings only if you have configured the ScienceLogic platform to automatically createaccounts in the ScienceLogic platform for LDAP or AD users.

37

3

38

User Policy Alignment

l Type. Specifies whether the ScienceLogic platform should automatically create accounts in theScienceLogic platform for each LDAP or AD user in the search base (which is specified in thecredential), whether the ScienceLogic platform should simply use LDAP or AD to authenticate one ormore users, or whether the ScienceLogic platform will refuse to authenticate specific users. If you areusing LDAP or AD to authenticate user but not automatically create new user accounts in theScienceLogic platform, your choices are:

o Do not authenticate new users from directory. Only those users who have an account alreadycreated in the ScienceLogic platform can log in to the ScienceLogic platform. However, if one ormore users' Account Permissions page specifies LDAP /Active Directory in the AuthenticationMethod field, the ScienceLogic platform will authenticate those users with either LDAP or AD,using the settings and credentials specified in this page.

4. Click the [Save] button to save your changes to the new Authentication Resource.

Creating an Authentication Profile

An Authentication Profile is a policy for user authentication. Authentication Profiles align user accounts with oneor more Authentication Resources.

l Alignment by pattern matching. The ScienceLogic platform uses the URL or IP address that a user enters ina browser to connect to an Administration Portal, Database Server, or All-In-One Appliance. If the URL orIP address matches the criteria specified in an authentication profile, the ScienceLogic platform willautomatically use the matching profile to perform user authentication.

l Credential Source. Specifies from where the ScienceLogic platform should extract the user name andpassword or certificate to be authenticated. These credentials are passed to the ScienceLogic platform viaHTTP. The ScienceLogic platform then passes the credentials to each Authentication Resource specified inthe Authentication Profile. The Authentication Resources authenticate the credentials with user stores.

l Authentication Resource. Specifies the connector to use to communicate with the user store, the credentialto use to connect to the user store (if applicable), and the URLs to examine during authentication. Also mapsattributes from the user's account in the user store to fields in the the ScienceLogic platform user account.

Using Active Directory or LDAP for Authentication Only

Using Active Directory or LDAP for Authentication Only

The Authentication Profiles page allows you to create a new authentication profile. To do so:

1. Go to the Authentication Profiles page (System > Settings > Authentication > Profiles).

2. In the Authentication Profiles page, click the [Create] button.

39

3

40

3. The Authentication Profile Editormodal page appears. In this page, you can define the new authenticationprofile.

l Name. Name of the Authentication Profile.

l Priority Order. If your the ScienceLogic platform includes multiple Authentication Profiles, theScienceLogic platform evaluates the Authentication Profiles in priority order, ascending. theScienceLogic platform will apply the first Authentication Profile that matches the Hostname or IP in thecurrent URL AND has the lowest value in the Priority Order field.

l Pattern Type. Specifies how the ScienceLogic platform will evaluate the value in the AP HostnamePattern field. Choices are:

o Wildcard. The ScienceLogic platform will perform a text match, with wildcard characters (asterisks).

o Regex. The ScienceLogic platform will use regular expressions to compare the AP HostnamePattern to the current session information.

l AP Hostname Pattern. This field is used to match the URL or IP address that a user enters in abrowser to connect to an Administration Portal, Database Server, or All-In-One Appliance. If the URLor IP address matches the value in this field, the ScienceLogic platform applies the AuthenticationProfile to the user for the current session.

o For example, if you specify "*" (asterisk), any IP address or URL will match. The ScienceLogicplatform will then apply this Authentication Profile to every session on an Administration Portal,Database Server, or All-In-One Appliance.

o If you enter "192.168.38.235", the ScienceLogic platform will apply the Authentication Profile toeach session on an Administration Portal, Database Server, or All-In-One Appliance where theuser enters "192.168.38.235" into the browser.

o If you enter “*.sciencelogic.local”, the ScienceLogic platform will apply the Authentication Profile toeach session on an Administration Portal, Database Server, or All-In-One Appliance where theuser enters a URL ending with ".sciencelogic.local" into the browser.

l Available Credential Sources. This field tells the ScienceLogic platform how to retrieve the user'scredentials from the HTTP request to the ScienceLogic platform. To align a credential source with theAuthentication Profile, highlight the credential source and click the right-arrow button. You can selectzero, one, or multiple credential sources for the Authentication Profile. Initially, this pane displays a listof all the credential sources:

o CAC/Client Cert. The ScienceLogic platform will retrieve a certificate from the HTTP request.

o EM7 Login Page. The ScienceLogic platform will retrieve a user name and password from the theScienceLogic platform login page fields.

o HTTP Auth. The ScienceLogic platform will retrieve a user name and password from the HTTPrequest.

l Aligned Credentials Sources. This field displays the list of credential sources that have been alignedwith the Authentication Profile. The Authentication Profile will examine each credential source in theorder in which it appears in this list. When the Authentication Profile finds the user's credential, theAuthentication Profile stops examining any remaining credential sources in the list.

Using Active Directory or LDAP for Authentication Only

Using Active Directory or LDAP for Authentication Only

l Available Authentication Resources.This field tells the ScienceLogic platform which AuthenticationResources to use to authenticate the retrieved credentials. To align an Authentication Resource withthe Authentication Profile, highlight the Authentication Resource and click the right-arrow button. Youmust select at least one Authentication Resource and can select more than one.

l Aligned Authentication Resources. This field displays the list of Authentication Resources that havebeen aligned with the Authentication Profile. The Authentication Profile will examine eachAuthentication Resource in the order in which it appears in this list. When an Authentication Resourcesuccessfully authenticates the user, the Authentication Profile stops executing any remainingAuthentication Resources in the list.

4. Click the [Save] button to save your changes to the new authentication profile.

41

3

Example of Importing User Accounts Using Active Directory

Example

1Example of Importing User Accounts Using

Active Directory

Overview

This chapter will walk you through an example of importing a user account from Active Directory. Although thischapter will illustrate the steps and concepts for this task, the values are specific to the example Active Directoryserver and will not work on your Active Directory system.

Although some of the values in this example are specific to Active Directory, you can use a very similar example toimport user accounts from LDAP.

Required Tasks

To configure the ScienceLogic platform to automatically create accounts for existing LDAP or AD users, you mustperform the following steps:

1. Create one or more user policies that define account properties and privilege keys in the ScienceLogicplatform for imported LDAP users or AD users.

l When creating the user policy, you must select LDAP/Active Directory in the Authentication Methodfield.

l You can create more than one user policy for imported user accounts.

l Later, in the LDAP/AD Auth Resource Editor page (System > Settings > Authentication> Resources > create/edit LDAP/AD Resource), you specify the user policy to apply to imported useraccounts.

2. Create an LDAP or AD credential that allowsthe ScienceLogic platform to read from (and optionally, writeto) the LDAP or AD directory.

42

A

43

3. Define the LDAP/AD Authentication Resource.

l Specify how the ScienceLogic platform should communicate and exchange information with the LDAPor Active Directory server.

l Specify how the ScienceLogic platform should map LDAP or AD attribute values to fields in theAccount Properties page.

l Specify whether the ScienceLogic platform should remain synced with the LDAP/AD server. If an LDAPor AD administrator makes changes to an account, the ScienceLogic platform can automaticallyretrieve those updates and apply them to the user's account in the ScienceLogic platform (in theAccount Properties page) the next time the user logs in to the ScienceLogic platform.

4. Define one or more Authentication Profiles that tellthe ScienceLogic platform how to recognizeLDAP/AD users and which Authentication Resource to use with those users.

5. After completing these steps:

l Each LDAP/AD user must log in to the ScienceLogic platform using the LDAP or AD username and theLDAP or AD password.

l The ScienceLogic platform will examine the hostname or IP address in the incoming URL request toalign the user with an Authentication Profile.

l The Authentication Profile tells the ScienceLogic platform which Authentication Resources to use toauthenticate the user.

l The ScienceLogic platform will use the settings and the credentials defined in the LDAP/ADAuthentication Resource to query the LDAP or AD directory to authenticate each user.

l Optionally, the ScienceLogic platform will use the mappings and the user policy specified in theLDAP/AD Authentication Resource to create each user account. The username will match the SearchField in the LDAP/AD Authentication Resource.

Example of Importing User Accounts Using Active Directory

Example of Importing User Accounts Using Active Directory

Example Entry in Active Directory

Suppose we have an entry in Active Directory that looks like this:

NOTE: For details on how the attribute names map to the page displays in Active Directory, see theappropriate Active Directory documentation.

# kgibson, Users, ScienceLogicHQ, sciencelogic.localdn: samaccountname=kgibson,ou=Users,ou=ScienceLogicHQ,dc=sciencelogic,dc=localsamaccountname: kgibsoncn: Kate GibsonuserPassword:: ilovedocs!department: documentationstreetaddress: 12369 Sunrise Valley Drivel: Restonst: VAc: USpostalCode: 20191mail: kgibson@sciencelogic.comtelephoneNumber: 703-354-1010facsimiletelphonenumber: 571-336-8000mobile: 703-354-1011pager: 703-354-1111givenName: Katesn: Gibson

In this entry, we have a user named "kgibson", who resides in the ou called "Users", in the ou called"ScienceLogicHQ" in the domain "sciencelogic.local". We'll use this information when configuring theScienceLogic platform to authenticate this user.

Creating a User Policy

When you configure the ScienceLogic platform to automatically create user accounts for Active Directory users orLDAP users, you must define one or more user policies for those imported accounts. Because you will not becreating the accounts manually and then manually defining the account properties, the platform uses the userpolicy to define the properties for the user account.

For our example, we performed the following:

1. Go to the User Policies page (Registry > Accounts > User Policies).

2. Click the [Create] button. The User Policy Properties Editor page appears.

44

A

45

3. In the User Policy Properties Editor page, we supplied the following values:

l Policy Name. Name of the user policy. Can be any combination of alphanumeric characters, up to64 characters in length. We entered AD_Imported.

l Login State. Specifies whether user accounts created with the policy can log in to the ScienceLogicplatform. We selected Active. This means that as soon as the policy creates an account, the accountuser can log in to the platform.

l Account Type. This drop-down contains an entry for each standard account type. These account typesaffect the list of Access Keys for the user. We selected User.

o User. Accounts of type "user" are assigned Access Keys. Access Keys are customizable by theadministrator and grant users access to pages and tabs and permit users to view information andperform tasks in the platform. These Access Keys are defined by the system administrator from theAccess Keys page (System >Manage > Access Keys).

l Password Strength, Password Expiration, Password Shadowing, Require Password Reset.These fields aren't used for LADAP/AD Authentication, so you can skip these fields.

l Password Strength. We selectedGood. The user's password must have a strength ofGood to beauthenticated.

Example of Importing User Accounts Using Active Directory

Example of Importing User Accounts Using Active Directory

l Password Expiration. We selected 60 days. After 60 days the user will be forced to change theirpassword.

l Password Shadowing. We selected Default. The user will not be able to reuse any password fromthe past year.

l Require Password Reset. We did not select this checkbox. The user will not have to reset theirpassword at their next login.

l Authentication Method. We selected LDAP/Active Directory. This selection is required. The user'susername and password will then be authenticated by the Active Directory server or the LDAP server.

l Restrict to IP. We left this field blank. If selected, the user will be allowed to access the platform onlyfrom the specified IP. Specify the IP address in standard dotted-decimal notation.

l Event Console Default Display. Specifies how the Event Console page will appear by default. Wechose Flat events table.

l Ticket QueueMemberships. We highlighted the ticket queues specifying which users will bemembers. In our example, this is Documentation.

l Primary Organization. Specifies the primary organization. We selected System. This will be thedefault organization for user accounts created with this policy. You can select from a list of allorganizations in the ScienceLogic platform.

l Theme. Backgrounds, colors, fonts, and graphics that will appear when a user logs in. We selectedScienceLogic: White + Blue Titlebars.

l Time Zone. The time zone to associate with each user account created with this user policy. WeselectedNew_York. Dates and times in the platform will be displayed for the selected time zone.

l Organization Memberships. User accounts created with this user policy will be members of eachselected organization.Wedid not select any additional organizations.

l Privilege Keys. The Privilege Keys pane displays a list of Access Keys that can be assigned to theuser's account. We selectedGrant All. This means the user can access all parts of the platform (butcannot create or edit additional Access Keys).

l Re-Apply All Settings to All Policy Members. We left this field unchecked.

4. Click the [Save] button to save your new user policy.

Creating a Credential for Active Directory

When you configure the ScienceLogic platform to automatically create user accounts for Active Directory users, youmust define one or more credentials, so the platform can communicate with the Active Directory server. Theplatform must communicate with the AD server, both to authenticate each user and to retrieve information abouteach user to include in each user's user account.

For our example, we performed the following:

1. Go to the Credential Management page (System >Manage > Credentials).

2. Click the [Actions]menu, then select LDAP/AD Credential.

46

A

47

3. The Credential Editormodal page appears. In this page, you can define the new credential.

4. Supply a value in each of the following fields:

l Profile Name. Name of the credential. We specified ScienceLogic AD.

l LDAP Type. Specifies the type of LDAP implementation running on the directory server. We selectedActive Directory.

l Hostname/IP. Hostname or IP address of the Active Directory server. We supplied the IP address ofthe Active Directory server (192.168.10.21).

l Secure. Specifies whether you are using the "LDAP over SSL" protocol. We selectedNo.

l Port. Port number on the LDAP or Active Directory server to which the platform will send requests. Weaccepted the default port value (389).

l Timeout. We accepted the default value of 10000.

l RDN (Bind DN / bind user). This field specifies the bind DN. The bind DN is an account on theActive Directory server or the LDAP server that is allowed to search the directory within the specifiedsearch base. We entered:

%u@%d

This says that the bind DN "kgibson@ScienceLogic.local" will allow the platform to authenticate theuser and retrieve information about that user.

o In the platform, the %u variable stores the latest username from the login page.

o In the platform, the %d variable stores the value specified in the field LDAP Domain.

o To configure the platform to automatically create accounts when a user logs in with an AD nameand password, you must include the %u variable in this field.

o When an AD user logs in to the platform, the platform stores the username in the %u variable. Theplatform then uses the %u variable to build the bind DN, uses the bind DN to communicate with theAD server, and then asks the AD server to authenticate the current user.

l LDAP Domain. If your LDAP or Active Directory configuration includes multiple domains, specify thedomain components to bind to in this field. We entered ScienceLogic.local.

Example of Importing User Accounts Using Active Directory

Example of Importing User Accounts Using Active Directory

l Bind Password. Password that allows access to the Active Directory server or the LDAP server. In mostcases, when you specify a bind password in a credential, you are creating a "write" credential (that is, acredential that allows the platform to make changes to the LDAP or AD server). We left this fieldblank.

l User Search Base. Specify where in the AD directory to find the user accounts to import, using RDNnotation. The search base tells the platform which part of the external directory tree to search. Weentered:

ou=Users,ou=ScienceLogicHQ,dc=ScienceLogic,dc=local

This specifies that the platform can import any Active Directory account in the ou "Users", in theparent ou "ScienceLogicHQ", in the domain "ScienceLogic.local". Any users in any ou that is a childto the ou "Users" will also be imported.

NOTE: For details on search syntax for Active Directory, see http://msdn.microsoft.com/en-us/library/aa746475(VS.85).aspx. For details on the search syntax for LDAP, seehttp://www.faqs.org/rfcs/rfc2254.html.

l User Search Scope. Specify whether the ScienceLogic platform should search only the directoryspecified in the User Search Base field or whether the platform should search the directory specifiedin the User Search Basefield and all its child branches. We selectedOne Level.

5. Click the [Save] button to save your changes to the credential.

Creating an LDAP/AD Authentication Resource

An Authentication Resource is a configuration policy that describes how the ScienceLogic platform shouldcommunicate with a user store. In this manual, the user store is an Active Directory user store. TheLDAP/AD Auth Resource Editor page allows you to define an Authentication Resource for use with an AD userstore. An LDAP/AD Authentication Resource specifies the connector (communication software) to use tocommunicate with the AD user store and the credential to use to connect to the user store. An LDAP/ADAuthentication Resource can also map attributes from the user's AD account to fields in the user account on theScienceLogic platform.

48

A

49

To create an LDAP/AD Authentication Resource:

1. Go to the Authentication ResourceManager page (System > Settings > Authentication > Resources).

2. In the Authentication ResourceManager page, click the [Actions]menu and then selectCreateLDAP/AD Resource. The LDAP/AD Auth Resource Editor page appears.

3. Enter values in the following fields:

Basic Settings

l Name. Name of the LDAP/AD Authentication Resource. Enter Import_AD_Resource.

Example of Importing User Accounts Using Active Directory

Example of Importing User Accounts Using Active Directory

l Read Credential. Select the credential we created earlier, ScienceLogic AD. This credential allowsthe ScienceLogic platform to read data from an Active Directory server.

l Write Credential. Leave this field blank.

NOTE: Your organization membership(s) might affect the list of credentials you can see in the ReadCredential field and theWrite Credential field.

l User Name Suffix. Leave this field blank.

l Search Filter. Specifies where to find the user's account information in Active Directory. Enter thefollowing:

(samaccountname=%u)

This says to search for the samaccountname attribute that matches the login name (entered whenthe user logs in to the ScienceLogic platform and then store in the variable %u).

l Sync directory values to EM7 on login. If the AD administrator makes changes to an AD account,the ScienceLogic platform will automatically retrieve those updates and apply them to the user'saccount in the ScienceLogic platform (in the Account Properties page) the next time the user logs into the ScienceLogic platform.

l Sync EM7 values to directory on save. If an administrator made changes to the user account in theScienceLogic platform, the ScienceLogic platform will automatically write those changes to the user'saccount in LDAP or Active Directory. This option requires a write credential.

Attribute Mapping

If you have configured the ScienceLogic platform to automatically create accounts in theScienceLogic platform for AD users, these fields specify the AD attribute value that will beautomatically inserted into each field in each user's Account Properties page.

The ScienceLogic platform automatically populates as many of these fields as possible. You can editor delete the default values provided by the ScienceLogic platform.

For example, the ScienceLogic platform automatically inserts the value of the AD attribute "sn"(surname) into the Last Name field in each user's Account Properties page (Registry > Devices >Device Manager.

NOTE: the ScienceLogic platform requires that the LDAP or AD attribute name that you specify in each fielduses all lowercase characters.

l First Name. Specifies the AD attribute value that will be automatically inserted into the First Namefield in each user's Account Properties page. By default, the ScienceLogic platform inserts the valueof the AD attribute "givenname" into this field. We accepted the default value.

50

A

51

l Last Name. Specifies the AD attribute value that will be automatically inserted into the Last Namefield in each user's Account Properties page. By default, the ScienceLogic platform inserts the valueof the AD attribute "sn" into this field. We accepted the default value.

l Phone. Specifies the AD attribute value that will be automatically inserted into the Phone field in eachuser's Account Properties page. By default, the ScienceLogic platform inserts the value of the ADattribute "telephonenumber" into this field. We accepted the default value.

l Mobile. Specifies the AD attribute value that will be automatically inserted into theMobile field ineach user's Account Properties page. By default, the ScienceLogic platform inserts the value of theAD attribute "mobile" into this field. We accepted the default value.

l Primary Email. Specifies the AD attribute value that will be automatically inserted into the PrimaryEmail field in each user's Account Properties page. By default, the ScienceLogic platform inserts thevalue of the AD attribute "mail" into this field. We accepted the default value.

l Street Address. Specifies the AD attribute value that will be automatically inserted into the StreetAddress field in each user's Account Properties page. By default, the ScienceLogic platform insertsthe value of the AD attribute "streetaddress" into this field. We accepted the default value.

l Suite/Building. Specifies the AD attribute value that will be automatically inserted into theSuite/Building field in each user's Account Properties page.

l City. Specifies the AD attribute value that will be automatically inserted into the City field in each user'sAccount Properties page. By default, the ScienceLogic platform inserts the value of the AD attribute"l" into this field. We accepted the default value.

l State. Specifies the AD attribute value that will be automatically inserted into the State field in eachuser's Account Properties page. By default, the ScienceLogic platform inserts the value of the ADattribute "st" into this field. We accepted the default value.

l Postal Code. Specifies the AD attribute value that will be automatically inserted into the Postal Codefield in each user's Account Properties page. By default, the ScienceLogic platform inserts the valueof the AD attribute "postalcode" into this field. We accepted the default value.

l We accepted the default values (usually a blank field) in all other fields.

User Policy Alignment

l Type. Specifies whether the ScienceLogic platform should automatically create accounts in theScienceLogic platform for each LDAP or Active Directory user in the search base (which is specified inthe credential), whether the ScienceLogic platform should simply use LDAP or Active Directory toauthenticate one or more users, or whether the ScienceLogic platform will refuse to authenticatespecific users. We selected :

o Static policy alignment. If an LDAP or AD user logs in to the ScienceLogic platform using the LDAPor AD attribute specified in the Search Filter field, the ScienceLogic platform will automaticallycreate an account for that user. The ScienceLogic platform will use one user policy (specified inthe Policy field) to create all imported LDAP or AD user accounts. The ScienceLogic platform willalso use the settings and credentials specified in this page when creating the account.

Example of Importing User Accounts Using Active Directory

Example of Importing User Accounts Using Active Directory

If you selected Static policy alignment in the Type field, you must supply a value in the Policy field:

l Policy. Specifies the user policy to use to automatically create an account in the ScienceLogic platformfor each LDAP or AD user. Select from a list of all user policies that specify LDAP /Active Directory inthe Authentication Method field. We selected the User Policy we created earlier, AD_Imported.

4. Click the [Save] button to save your changes to the new Authentication Resource.

Creating an Authentication Profile

An Authentication Profile is a policy for user authentication. Authentication Profiles align user accounts with oneor more Authentication Resources.

l Alignment by pattern matching. The ScienceLogic platform uses the URL or IP address that a user enters ina browser to connect to an Administration Portal, Database Server, or All-In-One Appliance. If the URL orIP address matches the criteria specified in an authentication profile, the ScienceLogic platform willautomatically use the matching profile to perform user authentication.

l Credential Source. Specifies from where the ScienceLogic platform should extract the user name andpassword or certificate to be authenticated. These credentials are passed to the ScienceLogic platform viaHTTP. The ScienceLogic platform then passes the credentials to each Authentication Resource specified inthe Authentication Profile. The Authentication Resources authenticate the credentials with user stores.

l Authentication Resource. Specifies the connector to use to communicate with the user store, the credentialto use to connect to the user store (if applicable), and the URLs to examine during authentication. Also mapsattributes from the user's account in the user store to fields in the the ScienceLogic platform user account.

The Authentication Profiles page allows you to create a new authentication profile. To do so:

1. Go to the Authentication Profiles page (System > Settings > Authentication > Profiles).

52

A

53

2. Click the [Create] button. The Authentication Profile Editormodal page appears.

3. In the Authentication Profile Editormodal page, you can define the new authentication profile.

l Name. Name of the Authentication Profile. We entered Import_AD_Profile.

l Priority Order. If the ScienceLogic platform includes multiple Authentication Profiles, the platformevaluates the Authentication Profiles in ascending priority order. The platform will apply the firstAuthentication Profile that matches the Hostname or IP in the current URL AND has the lowest value inthe Priority Order field. We accepted the default value, 1.

l Pattern Type. Specifies how the ScienceLogic platform will evaluate the value in the AP HostnamePattern field. We selectedWildcard. The ScienceLogic platform will perform a text match, withwildcard characters (asterisks).

l AP Hostname Pattern. This field is used to match the URL or IP address that a user enters in abrowser to connect to an Administration Portal, Database Server, or All-In-One Appliance. If the URLor IP address matches the value in this field, the ScienceLogic platform applies the AuthenticationProfile to the user for the current session. We entered *.sciencelogic.com in this field.

The ScienceLogic platform will apply the Authentication Profile to each session on an AdministrationPortal, Database Server, or All-In-One Appliance where the user enters a URL ending with".sciencelogic.com" into the browser.

Example of Importing User Accounts Using Active Directory

Example of Importing User Accounts Using Active Directory

l Available Credential Sources. This field tells the ScienceLogic platform how to retrieve the user'scredentials from the HTTP request to the ScienceLogic platform. To align a credential source with theAuthentication Profile, highlight the credential source and click the right-arrow button. You can selectzero, one, or multiple credential sources for the Authentication Profile. We selected:

o EM7 Login Page. The ScienceLogic platform will retrieve a user name and password from theScienceLogic platform login page fields.

l Aligned Credentials Sources. This field displays the list of credential sources that have been alignedwith the Authentication Profile. The Authentication Profile will examine each credential source in theorder in which it appears in this list. When the Authentication Profile finds the user's credential, theAuthentication Profile stops examining any remaining credential sources in the list.

l Available Authentication Resources.This field tells the ScienceLogic platform which AuthenticationResources to use to authenticate the retrieved credentials. To align an Authentication Resource withthe Authentication Profile, highlight the Authentication Resource and click the right-arrow button. Youmust select at least one Authentication Resource and can select more than one. We selected Import_AD_Resource.

l Aligned Authentication Resources. This field displays the list of Authentication Resources that havebeen aligned with the Authentication Profile. The Authentication Profile will examine eachAuthentication Resource in the order in which it appears in this list. When an Authentication Resourcesuccessfully authenticates the user, the Authentication Profile stops executing any remainingAuthentication Resources in the list.

4. Click the [Save] button to save your changes to the new authentication profile.

54

A

55

User Login to the ScienceLogic Platform

After completing the steps in this chapter:

1. Suppose user "kgibson" logs in to the ScienceLogic platform with the following credentials:

l Account: kgibson

l Password: ilovedocs!

2. The ScienceLogic platform will look for an account with an Account Login Name of "kgibson".

3. When examining the user's account information, the platform will discover that this user login is to beauthenticated with AD.

4. The platform will check the login request and match the originator's URL or IP address to an AuthenticationProfile. In our example, the originator's URL will match the Authentication Profile we created, Import_AD__Profile.

5. The Authentication Profile will tell the platform to extract the user's credentials from the ScienceLogic Loginpage and to use the Authentication Resource we created, Import_AD_Resource.

6. The Authentication Resource will tell the platform to use the credential we created, ScienceLogic AD, toconnect to the AD server. The platform will connect to the AD server using the bind dn value from the RDNfield in the credential. The value we entered was%u %d. So we will connect to the AD server using theusername "kgibson" in the domain "sciencelogic.local".

7. The platform will search the AD server using the value specified in Search Filter field in the AuthenticationResource. In our example, the platform will search for a record where the samaccountname attribute containsthe login name (entered when the user logs in to the ScienceLogic platform).

Example of Importing User Accounts Using Active Directory

Example of Importing User Accounts Using Active Directory

8. Based on the record found in the AD server, the ScienceLogic platform will ask the AD server to authenticatethe username and password that were passed to the ScienceLogic Login page.

9. After authentication, the ScienceLogic platform will retrieve values from the AD server to populate fields in theuser's Account Properties page.

56

A

Example of Only Authenticating User Accounts Using LDAP

Example

2Example of Only Authenticating User Accounts

Using LDAP

Overview

If you have already created Active Directory or LDAP accounts for users, you can use Active Directory or LDAP toauthenticate one or more of those users. Each Active Directory or LDAP user logs in to the ScienceLogic platformusing his/her Active Directory or LDAP username and password, and the platform will use Active Directory orLDAP to authenticate that user.

This chapter will walk you through an example of authenticating a user using LDAP. Although this chapter willillustrate the steps and concepts for this task, the values are specific to the example LDAP server and will not workon your LDAP system.

Although some of the values in this example are specific to LDAP, you can use a very similar example toauthenticate user accounts with Active Directory.

Required Tasks

You can use LDAP or Active Directory to authenticate one or more users when they log in to the ScienceLogicplatform. You can also specify that the ScienceLogic platform should not authenticate other LDAP or ActiveDirectory users.

l Each user logs in to the ScienceLogic platform, either through the login page, a CAC card or certificate, orHTTP. The user logs in to the ScienceLogic platform using an LDAP or AD attribute value as a login nameand the LDAP or AD password.

l The ScienceLogic platform examines the login request and applies the appropriate Authentication Profile(and the appropriate Authentication Resource(s)).

57

B

58

l The ScienceLogic platform then authenticates the user by communicating with the LDAP or Active Directoryserver.

If you want to use LDAP or Active Directory to only authenticate users (that is, you do not want the platform to importuser accounts from Active Directory or LDAP), you must manually create accounts in the ScienceLogic platform andspecify LDAP or AD authentication. To do this:

1. Create a user account in the ScienceLogic platform. . You can either create the account manually or youcan use a user policy to create the account.

l When creating the user policy, you must select LDAP/Active Directory in the Authentication Methodfield in the User Policy Properties Editor page Registry > Accounts > User Policies > create/editUser Policy.

l When creating the user account, you must select LDAP/Active Directory in the AuthenticationMethod field in the Account Permissions page (Registry > Accounts > User Accounts > edit useraccount)

2. Create an Active Directory or LDAP credential that allowsthe platform to read from (and optionally, writeto) the AD or LDAP directory. This credential allows the platform to connect to Active Directory or LDAP andauthenticate user accounts.

3. Define the LDAP/AD Authentication Resource.

l Specify how the ScienceLogic platform should communicate with the LDAP or Active Directory serverand exchange information with the LDAP or Active Directory server.

l In the Type field, select the following:

o Do not import new users or sync user policies. The ScienceLogic platform will use LDAP or AD onlyto authenticate users and will not create a new user each time an LDAP or AD user attempts toconnect to the ScienceLogic platform.

4. Define one or more Authentication Profiles that tellthe ScienceLogic platform how to recognizeLDAP/AD users and which Authentication Resource to use with those users.

5. After completing these steps:

l Each LDAP/AD user must log in to the ScienceLogic platform using the user name and password forthe ScienceLogic platform. This username must be identical to the LDAP or AD user ID for the user; thepassword must be identical to the LDAP or AD password.

l The ScienceLogic platform will examine the hostname or IP address in the incoming URL request toalign the user with an Authentication Profile.

l The Authentication Profile tells the ScienceLogic platform which Authentication Resources to use toauthenticate the user.

l The ScienceLogic platform will use the settings and the credentials defined in the LDAP/ADAuthentication Resource to query the LDAP or AD directory to authenticate each user.

Example of Only Authenticating User Accounts Using LDAP

Example of Only Authenticating User Accounts Using LDAP

Example Entry in LDAP

Suppose we have an entry like this in LDAP:

# tkrilly, People, sciencelogic.comdn: uid=tkrilly,ou=People,dc=sciencelogic,dc=comuid: tkrillycn: Ted KrillyobjectClass: topobjectClass: personobjectClass: inetOrgPersonuserPassword:: craggystreet: 100 Commonwealth Avenuel: Bostonst: MApostalCode: 02134mail: tkrilly@company.comtelephoneNumber: 617-776-2661mobile: 617-776-3000givenName: Tedsn: Krilly

In this entry, we have a user named "tkrilly", who resides in the ou called "People", in the domain"sciencelogic.com". We'll use this information when configuring the ScienceLogic platform to authenticate thisuser.

Creating a User Account that Will Be Authenticated withActive Directory or LDAP

User accounts allow users to log in to the ScienceLogic platform and access pages and features in the platform. Ifyou have already created a user account for a user in LDAP, you can create a separate user account for that user inthe platform and then ask Active Directory or LDAP to authenticate the user account.

For our example, we performed the following:

1. Go to the User Accounts page (Registry > Accounts > User Accounts).

2. Click the [Create] button. The Create New Account page appears.

59

B

60

3. In the Create New Account page, enter values in each of the following fields:

l First Name. User's first name. This value can be up to 24 characters in length. We entered Ted.

l Last Name. User's last name. This value can be up to 24 characters in length. We entered Krilly.

l Generate a unique name based on first and last name. Do not select this option.

l Account Login Name. Enter a value that is included in the Active Directory entry or LDAP entryfor the user.We entered the value of the uid for the user's account in LDAP. We entered tkrilly.

l Primary Email. The user's primary email address. We entered tkrilly@company.com.

l Password. Enter the user's LDAP password. We entered craggy!. To allow LDAP to authenticatethe user, the password must match the user's password in LDAP.

l Confirm Password. The user's password again. We entered craggy! again.

l Password Strength. We selectedGood. The user's password must have a strength of "Good" to beauthenticated.

l Password Expiration. We selected Disabled.

l Password Shadowing. We selected Default. The user will not be able to reuse any password fromthe past year.

l Require Password Reset. We did not select this checkbox. The user will not have to reset theirpassword at their next login.

l Organization. The organization of which the new user-account will be a member. We selectedSystem.

l Account Type. Specifies whether the user is a member of a user policy.

o Individual.We selected this option. User account is not a member of a user policy.

Example of Only Authenticating User Accounts Using LDAP

Example of Only Authenticating User Accounts Using LDAP

l Account Type.This drop-down contains an entry for each standard account type. These account typesaffect the list of Access Keys for the user.

o User.We selected this option. Accounts of type "user" are assigned Access Keys. Access Keys arecustomizable by the administrator and grant users access to pages and tabs and permit users toview information and perform tasks in the platform. These Access Keys are defined by a systemadministrator from the Access Keys page (System >Manage > Access Keys).

l Login State. Default login state for the user account.

o Active.We selected this option. Account is active, so the user can log in to the platform.

l Authentication Method. Specifies how the user's username and password will be authenticated.

o LDAP/Active Directory. Select this option. User's username and password are authenticated by anLDAP server or Active Directory server.

l Restrict to IP.Wedid not select this option and left the field blank. When an IP address is enteredin this field, the user will be allowed to access the platform only from the specified IP.

l Time Zone. Select the appropriate time zone to associate with the user account. We selected America/ New York.

4. Click the [Save] button to save the new user.

Defining a Credential for Authentication with LDAP

When you define user accounts that are authenticated with LDAP, you must define one or more credentials so theScienceLogic platform can communicate with the LDAP server. The platform must communicate with the LDAPserver to authenticate the specified users.

For our example, we performed the following:

1. Go to the Credential Management page (Credential Management).

2. Click the [Actions] drop-down menu and then selectCreate LDAP/AD Credential.

3. The Credential Editormodal page appears. In this page, you can define the new credential.

61

B

62

4. Supply a value in each of the following fields:

l Profile Name. Name of the credential. We enteredOpenLDAP User.

l LDAP Type. Specifies the type of LDAP implementation running on the directory server. We selectedLDAP.

l Hostname/IP . Hostname or IP address of the LDAP server. We entered 192.168.8.248.

l Secure. Specifies whether you are using the "LDAP over SSL" protocol. We selected no.

l Port . Port number on the LDAP server or Active Directory server to which the ScienceLogic platformwill send requests. We accepted the default port, 389.

l Timeout. We accepted the default value 10000.

l RDN (Bind DN / bind user). Specifies the bind DN. The bind DN is an account on the ActiveDirectory server or LDAP server that is allowed to search the directory within the specified search base.

o In the platform, the %u variable stores the latest username from the login page.

o In most LDAP configurations, each user has read-access to his or her own account.

o You can include the variable %u in this field. When an LDAP user logs in to the platform, theplatform stores the username in the %u variable. The platform then uses the %u variable to buildthe bind DN, uses the bind DN to communicate with the LDAP server, and then asks the LDAPserver to authenticate the current user.

We typed:

uid=%u,ou=People,dc=sciencelogic,dc=com

This creates a DN using the current login name as the uid. The bind DN will be the user's UID, in theou "People" in the domain "sciencelogic.com".

l LDAP Domain. If your LDAP or Active Directory configuration includes multiple domains, specify thedomain components to bind to in this field. Because our LDAP server includes only one domain, weleft this field blank.

l Bind Password. Password that allows access to the LDAP server. In most cases, when you specify abind password in a credential, you are creating a "write" credential (that is, a credential that allows theplatform to make changes to the LDAP server).We left this field blank.

l User Search Base. Specifies the area in the LDAP directory where the user to be authenticatedresides, using RDN notation. The search base tells the platform which part of the external directory treeto search. We entered:

ou=People,dc=sciencelogic,dc=com

This tells the platform to search for users to authenticate in the ou called "People " in the domain"sciencelogic.com" and also authenticate all users in any ou underneath "People".

Example of Only Authenticating User Accounts Using LDAP

Example of Only Authenticating User Accounts Using LDAP

NOTE: For details on search syntax for Active Directory, see http://msdn.microsoft.com/en-us/library/aa746475(VS.85).aspx. For details on the search syntax for LDAP, seehttp://www.faqs.org/rfcs/rfc2254.html

l User Search Scope. Specifies whether the ScienceLogic platform should search only the directoryspecified in the User Search Base field or whether the platform should search the directory specifiedin the User Search Base field and all its child branches. We selected Subtree, so the ScienceLogicplatform will search the specified directory and all child branches.

5. Click the [Save] button to save your changes to the credential.

63

B

64

Creating an LDAP/AD Authentication Resource

An Authentication Resource is a configuration policy that describes how the ScienceLogic platform shouldcommunicate with a user store. In this manual, the user store is an Active Directory user store. TheLDAP/AD Auth Resource Editor page allows you to define an Authentication Resource for use with an AD userstore. An LDAP/AD Authentication Resource specifies the connector (communication software) to use tocommunicate with the AD user store and the credential to use to connect to the user store. An LDAP/ADAuthentication Resource can also map attributes from the user's AD account to fields in the user account on theScienceLogic platform.

To create an LDAP/AD Authentication Resource:

1. Go to the Authentication ResourceManager page (System > Settings > Authentication > Resources).

Example of Only Authenticating User Accounts Using LDAP

Example of Only Authenticating User Accounts Using LDAP

2. Click the [Actions]menu and then selectCreate LDAP/AD Resource. The LDAP/AD Auth Resource Editorpage appears.

3. Enter values in the following fields:

Basic Settings

l Name. Name of the LDAP/AD Authentication Resource. Enter Authenticate__LDAP_Resource.

l Read Credential. Select the credential we created earlier,OpenLDAP User. This credential allowsthe ScienceLogic platform to read data from an Active Directory server.

l Write Credential. Leave this field blank.

NOTE: Your organization membership(s) might affect the list of credentials you can see in the ReadCredential field and theWrite Credential field.

l User Name Suffix. Leave this field blank.

l Search Filter. Specifies where to find the user's account information in LDAP . Enter the following:

(&(objectClass=person)(uid=%u))

This says to search the object class person and search for the uid attribute that matches the loginname (entered when the user logs in to the ScienceLogic platform and then store in the variable %u).

65

B

66

l Sync directory values to EM7 on login. If the LDAP administrator makes changes to anLDAP account, the ScienceLogic platform will automatically retrieve those updates and apply them tothe user's account in the ScienceLogic platform (in the Account Properties page) the next time theuser logs in to the ScienceLogic platform. Wee selected enable.

l Sync EM7 values to directory on save. If an administrator made changes to the user account in theScienceLogic platform, the ScienceLogic platform will automatically write those changes to the user'saccount in LDAP or Active Directory. This option requires a write credential. We accepted thedefault value of disable.

Attribute Mapping

In this example, the ScienceLogic platform uses LDAP to authenticate existing users. We therefore do notconfigure these settings.We deleted the default values and left each field blank.

User Policy Alignment

l Type. Specifies whether the ScienceLogic platform should automatically create accounts in theScienceLogic platform for each LDAP or Active Directory user in the search base (which is specified inthe credential), whether the ScienceLogic platform should simply use LDAP or Active Directory toauthenticate one or more users, or whether the ScienceLogic platform will refuse to authenticatespecific users. Because we are using LDAP or AD to authenticate users but not automatically createnew user accounts in the ScienceLogic platform, we selected the following:

o Do not authenticate new users from directory. Only those users who have an account alreadycreated in the ScienceLogic platform can log in to the ScienceLogic platform. However, if one ormore users' Account Permissions page specifies LDAP /Active Directory in the AuthenticationMethod field, the ScienceLogic platform will authenticate those users with either LDAP or ActiveDirectory, using the settings and credentials specified in this page.

4. Click the [Save] button to save your changes to the new Authentication Resource.

Creating an Authentication Profile

An Authentication Profile is a policy for user authentication. Authentication Profiles align user accounts with oneor more Authentication Resources.

l Alignment by pattern matching. The ScienceLogic platform uses the URL or IP address that a user enters ina browser to connect to an Administration Portal, Database Server, or All-In-One Appliance. If the URL orIP address matches the criteria specified in an authentication profile, the ScienceLogic platform willautomatically use the matching profile to perform user authentication.

Example of Only Authenticating User Accounts Using LDAP

Example of Only Authenticating User Accounts Using LDAP

l Credential Source. Specifies from where the ScienceLogic platform should extract the user name andpassword or certificate to be authenticated. These credentials are passed to the ScienceLogic platform viaHTTP. The ScienceLogic platform then passes the credentials to each Authentication Resource specified inthe Authentication Profile. The Authentication Resources authenticate the credentials with user stores.

l Authentication Resource. Specifies the connector to use to communicate with the user store, the credentialto use to connect to the user store (if applicable), and the URLs to examine during authentication.

The Authentication Profiles page allows you to create a new authentication profile. To do so:

1. Go to the Authentication Profiles page (System > Settings > Authentication > Profiles).

67

B

68

2. Click the [Create] button. The Authentication Profile Editormodal page appears.

3. In the Authentication Profile Editormodal page, you can define the new authentication profile.

l Name. Name of the Authentication Profile. We entered Authenticate_LDAP_Profile.

l Priority Order. If the ScienceLogic platform includes multiple Authentication Profiles, the platformevaluates the Authentication Profiles in ascending priority order. The ScienceLogic platform will applythe first Authentication Profile that matches the Hostname or IP in the current URL AND has the lowestvalue in the Priority Order field. We accepted the default value, 1.

l Pattern Type. Specifies how the ScienceLogic platform will evaluate the value in the AP HostnamePattern field. We selectedWildcard. The ScienceLogic platform will perform a text match, withwildcard characters (asterisks).

l AP Hostname Pattern. This field is used to match the URL or IP address that a user enters in abrowser to connect to an Administration Portal, Database Server, or All-In-One Appliance. If the URLor IP address matches the value in this field, the ScienceLogic platform applies the AuthenticationProfile to the user for the current session. We entered *.sciencelogic.com in this field.

The ScienceLogic platform will apply the Authentication Profile to each session on an AdministrationPortal, Database Server, or All-In-One Appliance where the user enters a URL ending with".sciencelogic.com" into the browser.

Example of Only Authenticating User Accounts Using LDAP

Example of Only Authenticating User Accounts Using LDAP

l Available Credential Sources. This field tells the ScienceLogic platform how to retrieve the user'scredentials from the HTTP request to the ScienceLogic platform. To align a credential source with theAuthentication Profile, highlight the credential source and click the right-arrow button. You can selectzero, one, or multiple credential sources for the Authentication Profile. We selected:

o EM7 Login Page. The ScienceLogic platform will retrieve a user name and password from theScienceLogic platform login page fields.

l Aligned Credentials Sources. This field displays the list of credential sources that have been alignedwith the Authentication Profile. The Authentication Profile will examine each credential source in theorder in which it appears in this list. When the Authentication Profile finds the user's credential, theAuthentication Profile stops examining any remaining credential sources in the list.

l Available Authentication Resources.This field tells the ScienceLogic platform which AuthenticationResources to use to authenticate the retrieved credentials. To align an Authentication Resource withthe Authentication Profile, highlight the Authentication Resource and click the right-arrow button. Youmust select at least one Authentication Resource and can select more than one. We selectedAuthenticate_LDAP_Resource.

l Aligned Authentication Resources. This field displays the list of Authentication Resources that havebeen aligned with the Authentication Profile. The Authentication Profile will examine eachAuthentication Resource in the order in which it appears in this list. When an Authentication Resourcesuccessfully authenticates the user, the Authentication Profile stops executing any remainingAuthentication Resources in the list.

4. Click the [Save] button to save your changes to the new authentication profile.

69

B

70

User Login to the ScienceLogic Platform

After completing the steps in this chapter:

1. Suppose user "tkrilly" logs in to the ScienceLogic platform with the following:

l Account: tkrilly

l Password: craggy

2. The ScienceLogic platform will look for an account with an Account Login Name of "tkrilly".

3. When examining the user's account information, the platform will discover that this user login is to beauthenticated with LDAP.

4. The platform will check the login request and match the originator's URL or IP address to an AuthenticationProfile. In our example, the originator's URL will match the Authentication Profile we created, Authenticate_LDAP_Profile.

5. The Authentication Profile will tell the platform to extract the user's credentials from the ScienceLogic Loginpage and to use the Authentication Resource we created, Authenticate_LDAP_Resource.

6. The Authentication Resource will tell the platformto use the credential we created,OpenLDAP User, toconnect to the LDAP server. The platform will connect to the LDAP server using the value from the RDN fieldin the credential. The value we entered was uid=%u,ou=People,dc=sciencelogic,dc=com. So we willconnect to the LDAP server using the user name "tkrilly", in the ou "People", in the domains "sciencelogic"and "com".

Example of Only Authenticating User Accounts Using LDAP

Example of Only Authenticating User Accounts Using LDAP

7. The platform will search the LDAP server using the value specified in the Search Filter field in theAuthentication Resource. In our example, the platform will search the object class person and search for theuid attribute that matches the login name (entered when the user logs in to the ScienceLogic platform).

8. Based on the matching record found in the LDAP server, the ScienceLogic platform will ask the LDAP serverto authenticate the username and password that were passed to the ScienceLogic Login page.

71

B

© 2003 - 2017, ScienceLogic, Inc.

All rights reserved.

LIMITATION OF LIABILITY ANDGENERAL DISCLAIMER

ALL INFORMATION AVAILABLE IN THIS GUIDE IS PROVIDED "AS IS," WITHOUT WARRANTY OF ANYKIND, EITHER EXPRESS OR IMPLIED. SCIENCELOGIC™ AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES,EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OFMERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT.

Although ScienceLogic™ has attempted to provide accurate information on this Site, information on this Sitemay contain inadvertent technical inaccuracies or typographical errors, and ScienceLogic™ assumes noresponsibility for the accuracy of the information. Information may be changed or updated without notice.ScienceLogic™ may also make improvements and / or changes in the products or services described in thisSite at any time without notice.

Copyrights and Trademarks

ScienceLogic, the ScienceLogic logo, and EM7 are trademarks of ScienceLogic, Inc. in the United States,other countries, or both.

Below is a list of trademarks and service marks that should be credited to ScienceLogic, Inc. The ® and ™symbols reflect the trademark registration status in the U.S. Patent and Trademark Office and may not beappropriate for materials to be distributed outside the United States.

l ScienceLogic™l EM7™ and em7™l Simplify IT™l Dynamic Application™l Relational Infrastructure Management™

The absence of a product or service name, slogan or logo from this list does not constitute a waiver ofScienceLogic’s trademark or other intellectual property rights concerning that name, slogan, or logo.

Please note that laws concerning use of trademarks or product names vary by country. Always consult alocal attorney for additional guidance.

Other

If any provision of this agreement shall be unlawful, void, or for any reason unenforceable, then thatprovision shall be deemed severable from this agreement and shall not affect the validity and enforceabilityof any remaining provisions. This is the entire agreement between the parties relating to the matterscontained herein.

In the U.S. and other jurisdictions, trademark owners have a duty to police the use of their marks. Therefore,if you become aware of any improper use of ScienceLogic Trademarks, including infringement orcounterfeiting by third parties, report them to Science Logic’s legal department immediately. Report as muchdetail as possible about the misuse, including the name of the party, contact information, and copies orphotographs of the potential misuse to: legal@sciencelogic.com

800-SCI-LOGIC (1-800-724-5644)

International: +1-703-354-1010