Configuring group authorization for LDAP authentication
LDAP authentication can be provided by either a Windows Active Directory server or a server running OpenLDAP.
Configuring group authorizations on an Active Directory server
Perform the following procedures to configure group authorization when a Windows Active Directory server is used for LDAP authentication.
To install Windows Administration Pack tools and configure the snap-in:
1.
2.
3. In the Open field, type mmc /a and click OK. A console window appears.
4. Click Console in the console window menu bar and select Add/Remove Snap-in.... The Add/Remove Snap-in window appears.
5. Click Add. The Add Standalone Snap-ins window appears.
6. Select Active Directory Schema from the list of snap-ins and click Add.
7. Select ADSI Edit from the list of snap-ins and click Add.
8. Click Close.
9. Click OK in the Add/Remove Snap-in... window.
To configure the Active Directory schema:
1. In the server’s console window, double click Active Directory Schema. The paths Classes and Attributes appear.
2. Double click Attributes and confirm that the info attribute is present.
3. Double click Classes, locate the class Users and right-click to select Properties.
4. Select the Attributes tab and click Add.
5.
To configure a group in ADSI Edit:
1.
2. From the menu, select Action-Connect to.... The Connection window appears.
3. The path Domain NC<domain>.com appears.
4. Double click Domain NC<domain>.com. The expanded path DC=xxx,DC=xxx,DC=com appears.
5. Double click DC=xxx,DC=xxx,DC=com. The expanded class CN=Builtin, ... appears.
6. Double click CN=Users. The expanded users list appears.
7. Right-click on the name of a user and select Properties. The CN=<username> Properties window appears.
8.
9.
NOTE: To configure the user as an administrative user on the OnBoard appliance, add the admin group name to the definition.
10.
Defining groups in an info attribute on an LDAP server
The info attribute must be added to the LDAP definition on the authentication server, and users must be assigned groups using the info attribute.
To configure groups on an LDAP authentication server:
1.
objectclass ( 1.3.6.1.1.2.0 NAME 'posixAccount'
    SUP top AUXILIARY
    DESC 'Abstraction of an account with POSIX attributes'
    MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory )
    MAY ( userPassword $ loginShell $ gecos $ description $ info ) )
2.
attributetype ( 0.9.2342.19200300.100.1.4 NAME 'info'
    DESC 'RFC1274: general information'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{2048} )
3.
NOTE: The slapd.conf file is normally located in /etc/openldap (Red Hat) or /usr/local/etc/openldap (BSD).
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/cosine.schema
4.
5. Use the ldapadd command or the ldapmodify command, assigning groups using the info attribute. For each user, assign any desired groups in an info definition using the following syntax.
NOTE: To give a user administrative access to the OnBoard appliance, add the admin group name to the above definition.
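The following shell script is an added example, not code from the OnBoard manual, covering both the OpenLDAP procedure above and the ADSI Edit procedure for Active Directory: it generates the ldapmodify change record that writes a user's group list into the info attribute, and it audits an LDAP export to show which users have been granted a given group (in particular admin). Because the manual's own syntax line for the info value is missing from this page, the script assumes a value of the form group_name=<group1>,<group2>; the base DN dc=example,dc=com, the ou=People container, the uid-based user DN and the cn=Manager bind DN are likewise assumptions, and the export is a constructed sample rather than real directory output.

```shell
#!/bin/sh
# Added example (not from the OnBoard manual). Assumptions: the appliance reads
# group names from the info attribute as "group_name=g1,g2" (the manual's own
# syntax line is missing from this page; adjust to the documented form), user
# entries live under ou=People,dc=example,dc=com with uid-based DNs, and
# ldapmodify binds as cn=Manager,dc=example,dc=com.

BASE_DN="dc=example,dc=com"
BIND_DN="cn=Manager,$BASE_DN"

# group_ldif <uid> <comma-separated groups>
# Emit an LDIF change record that replaces the user's info attribute with the
# given group list ("replace" overwrites any previous value, so pass the full list).
group_ldif() {
    printf 'dn: uid=%s,ou=People,%s\nchangetype: modify\nreplace: info\ninfo: group_name=%s\n\n' \
        "$1" "$BASE_DN" "$2"
}

# apply_groups <uid> <comma-separated groups>
# Push the change record to the directory (prompts for the bind password).
# Not invoked below; run it by hand once the LDIF output looks right.
apply_groups() {
    group_ldif "$1" "$2" | ldapmodify -x -D "$BIND_DN" -W -H ldap://localhost
}

# users_in_group <group>
# Read an LDIF export on stdin (e.g. ldapsearch -x -b "$BASE_DN" uid info) and
# print the uid of every entry whose info attribute grants <group>. Exact match
# on each comma-separated name, so "admin" does not match "administrators".
# Assumes unfolded lines; ldapsearch folds values longer than 76 characters.
users_in_group() {
    awk -v want="$1" '
        /^uid: /             { uid = substr($0, 6) }
        /^info: group_name=/ {
            n = split(substr($0, 18), g, ",")
            for (i = 1; i <= n; i++) if (g[i] == want) print uid
        }'
}

# Constructed sample export used for demonstration (not real directory data).
SAMPLE_EXPORT='dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
info: group_name=admin,operators

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob
info: group_name=operators
'

# Show the change record that would make bob an operator, then list admins.
group_ldif bob operators
printf '%s' "$SAMPLE_EXPORT" | users_in_group admin
```

Against Active Directory the same change record works with the user DN taken from ADSI Edit (CN=<username>,CN=Users,DC=xxx,DC=xxx,DC=com) in place of the uid-based DN. Because info is an ordinary free-text attribute, whoever can write a user entry can hand that user the admin group: on OpenLDAP, if slapd.conf contains a rule such as `access to * by self write ...`, place a more specific rule before it (for example `access to attrs=info by dn.exact="cn=Manager,dc=example,dc=com" write by * read`), since the first matching access clause wins; on Active Directory, check who holds write permission on the info attribute of the user objects in CN=Users. Running users_in_group admin periodically over an export is a cheap way to catch an unexpected grant.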