You can control access to Entuity by either internal or external user authentication.
To set up internal authentication:
By default, Entuity holds its user authentication details in its local security database.
When you install multiple Entuity servers with internal authentication, each Entuity server maintains its own user accounts, user groups and user preferences.
This independence allows user accounts and groups on different servers to share the same names, but have different definitions.
To set up external authentication (via LDAP):
You can integrate Entuity servers into environments where LDAP authentication systems are already implemented. External authentication can work with a single Entuity server and multiple Entuity servers running local security databases.
- In the Main Menu, click Administration.
- Click Account Management.
- Under the LDAP Settings section, click Add. This opens the LDAP Management page.
The first tab on this page is the Server Details tab. Here you can specify the connection details Entuity requires to connect to the LDAP server.
- Specify the type of authentication server in the Server Type field, either Windows AD or OpenLDAP/LDAPv3.
- Enter the name of the authentication server as displayed in Entuity in the Display Name field.
- Enter the IP address or resolved name of the authenticating LDAP server in the IP Address/Host Name field.
- Enter the port used by the LDAP server in the Port field. This is not required if using the default (which is 389, or for SSL 636).
- In the Bind Username as DN field, select Yes if your LDAP server only supports the bind operation using the DN format and you cannot construct a valid user DN using Entuity's expression formats. Selecting No means Entuity instead searches the LDAP server for the username.
- Enter the user account and password needed to access the LDAP server in the Lookup User Account and Lookup User Password fields. These are not necessary if the server supports anonymous login.
- Enter the starting point for searches in the LDAP directory in the Base DN field.
- Enter the domain name to use as the search base in the Domain Name field. This attribute only applies to Windows AD.
- Enter your preferred user search filter in the User Search Filter field. This field only applies when Bind Username as DN is set to No. This filter restricts the search to the user class and then compares the value to the sAMAccountName attribute.
- Specify your method of encrypting an LDAP connection in the Using SSL/TLS field. Choose No when not using TLS, LDAPS to use SSL, or Start TLS when using TLS.
The second tab on this page is the Group Searching tab. On this tab, you can specify the LDAP filter expression for performing the group search.
- In the User Refers to Groups field, select Yes so that Entuity searches for groups using the user's MemberOf attribute. Select No so that Entuity searches for groups based on Group Base DN and then which group's member contains the user.
- In the Group Name Attribute field, enter the OpenLDAP/LDAPv3 attribute that is used to search for groups.
- Enter the domain base from which you search for groups in the Group Base DN field. If left empty, the search uses Base DN.
- Enter the group search filter in the Group Search Filter field. This only applies when User Refers to Groups is set to No.
- In the Search Parent Groups (levels) field, specify how many levels of parent groups the search will climb if the group is not found in the current parent group.
- In the Search Nested Groups field, specify whether the search should also look for the group within all nested sub-groups.
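An added worked model (not Entuity's code) of the two strategies the Group Searching tab switches between, plus the user lookup that the User Search Filter on the Server Details tab performs, run against a small constructed in-memory directory. The DNs and entries are sample data, and the assumption that Search Parent Groups (levels) bounds the memberOf walk while Search Nested Groups applies to the member-based scan is the example's own.

```python
# Constructed sample directory keyed by DN; attribute names follow Windows AD.
DIRECTORY = {
    "CN=jdoe,OU=Users,DC=example,DC=com": {
        "objectClass": ["user"], "sAMAccountName": ["jdoe"],
        "memberOf": ["CN=NetOps,OU=Groups,DC=example,DC=com"],
    },
    "CN=NetOps,OU=Groups,DC=example,DC=com": {
        "objectClass": ["group"], "cn": ["NetOps"],
        "member": ["CN=jdoe,OU=Users,DC=example,DC=com"],
        "memberOf": ["CN=Admins,OU=Groups,DC=example,DC=com"],
    },
    "CN=Admins,OU=Groups,DC=example,DC=com": {
        "objectClass": ["group"], "cn": ["Admins"],
        "member": ["CN=NetOps,OU=Groups,DC=example,DC=com"],
    },
}

def find_user_dn(username, base_dn):
    """Bind Username as DN = No: search under Base DN for the user class and
    compare sAMAccountName, which is what the User Search Filter expresses."""
    for dn, attrs in DIRECTORY.items():
        if (dn.endswith(base_dn) and "user" in attrs["objectClass"]
                and username in attrs.get("sAMAccountName", [])):
            return dn
    return None

def groups_via_member_of(user_dn, parent_levels):
    """User Refers to Groups = Yes: read the user's memberOf, then follow the
    groups' own memberOf upwards for parent_levels further levels (assumed
    meaning of Search Parent Groads (levels))."""
    found, frontier = [], [user_dn]
    for _ in range(parent_levels + 1):
        nxt = []
        for dn in frontier:
            for g in DIRECTORY.get(dn, {}).get("memberOf", []):
                if g not in found:
                    found.append(g); nxt.append(g)
        frontier = nxt
    return [DIRECTORY[g]["cn"][0] for g in found]

def groups_via_member(user_dn, group_base_dn, nested):
    """User Refers to Groups = No: scan groups under Group Base DN whose member
    attribute holds the user; with nested=True also take groups that contain
    a group already found (assumed meaning of Search Nested Groups)."""
    found, frontier = [], [user_dn]
    while frontier:
        nxt = [dn for dn, a in DIRECTORY.items()
               if dn.endswith(group_base_dn) and "group" in a["objectClass"]
               and dn not in found and any(m in a.get("member", []) for m in frontier)]
        found.extend(nxt)
        frontier = nxt if nested else []
    return [DIRECTORY[g]["cn"][0] for g in found]
```

With the sample data, a user lookup for jdoe resolves to the user DN, and raising the parent-level or nested setting from 0/No to 1/Yes is what makes the indirect Admins membership visible; that is the difference to check before mapping an Entuity group to an LDAP group that is only reached through nesting.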
The third tab on this page is the Group Mapping tab. On this tab, you can map the user groups defined in Entuity to those groups defined on the LDAP server.
- Under the Group Mapping Policies section is a table listing all of the local groups defined on the Entuity server. You can sort the columns into ascending or descending order by clicking on the column heading.
- The local groups are listed under the Local Groups column. In the Mapped Users/Groups column, you will see one of the following:
  - Complex XML Content - indicates security.config.xml has been directly edited and contains more complex conditions than the web UI can support.
  - U:userName, G:groupName - indicates LDAP user accounts and groups associated with the Entuity group.
  - All Users - indicates all LDAP users are mapped to the Entuity user group.
  - Empty - there are no mapped LDAP users or user groups.
- Under the Server Access Policies section, you can select how access to the Entuity server is controlled. Select either:
  - Allow Access for All Users - permit access to all users.
  - Allow Access for Specific Users/Groups - allow access only to the specified users and user groups.
- Once you have specified these parameters, click OK at the bottom of the browser to complete the LDAP authentication setup; otherwise click Cancel.
- Tick the Enable Emergency User box if you want to make the emergency user account available. This would be used when ENA cannot communicate with an LDAP server. Please see the article on emergency user account management for further help and information on this concept.
- Tick the Multiple Repositories Mode box if you want ENA to continue authenticating against other servers even if a previous server reported an authentication failure. This lets you use multiple LDAP servers with potentially differing sets of accounts. If left unticked (the default), ENA stops at the first server it can connect to and uses that server's authentication result, whether successful or not; this default suits mirrored LDAP servers used for high availability.
- You will then need to click Apply LDAP Settings at the bottom of the Account Management page.
- This opens the Apply Settings window. Click Yes and enter your user account credentials to confirm that you can log in with the new settings. If the user test is successful, the Entuity server restarts and applies the new settings.
To change passwords for LDAP logins
Applicable for ENA v17.0 P05 upwards
From ENA v17.0 P05 upwards, LDAP users can change their password through the account administration page as they would if they were authenticated internally. ENA will forward the request to the LDAP server.
When the password has expired, the user is prompted to change it upon login. Note that the password complexity rules specified for internal users are not enforced for LDAP passwords; these must be configured on the LDAP server itself. LDAP servers enforce their own password complexity rules, so there may be a conflict if the two sets of rules differ.