Start Demo

Configure remote authentication through LDAP

The ExtraHop system supports the Lightweight Directory Access Protocol (LDAP) for authentication and authorization. Instead of storing user credentials locally, you can configure your ExtraHop appliance to authenticate users remotely with an existing LDAP server. Note that ExtraHop LDAP authentication only queries for user accounts; it does not query for any other entities that might be in the LDAP directory.

Before you begin

  • This procedure requires familiarity with configuring LDAP.
  • Ensure that each user is in a permission-specific group on the LDAP server before beginning this procedure.
  • If you want to configure nested LDAP groups, you must modify the Running Configuration file. Contact ExtraHop Support for help.

When a user attempts to log onto an ExtraHop appliance, the ExtraHop system tries to authenticate the user in the following ways:

  • Attempts to authenticate the user locally.
  • Attempts to authenticate the user through the LDAP server if the user does not exist locally and if the ExtraHop system is configured for remote authentication with LDAP.
  • Logs the user onto the ExtraHop system if the user exists and the password is validated either locally or through LDAP. The LDAP password is not stored locally on the ExtraHop system.
  • If the user does not exist or an incorrect password is entered, an error message appears on the login page.
Important:If you change LDAP authentication at a later time to a different remote authentication method, the users, user groups, and associated customizations that were created through remote authentication are removed. Local users are unaffected.
  1. In the Access Settings section, click Remote Authentication.
  2. In the Methods section, select LDAP and click Continue.
  3. On the LDAP Settings page, complete the following server information fields:
    1. In the Hostname field, type the hostname or IP address of the LDAP server. If you are configuring a hostname, make sure that the DNS entry of the ExtraHop appliance is properly configured.
    2. In the Port field, type the port number on which the LDAP server is listening.
    3. From the Server Type drop-down, select Posix or Active Directory.
    4. (Optional): In the Bind DN field, type the bind DN. The bind DN is the user credentials that allow you to authenticate with the LDAP server to perform the user search. The bind DN must have list access to the base DN and any OU, groups, or user account required for LDAP authentication. If this value is not set, then an anonymous bind is performed. Note that anonymous binds are not enabled on all LDAP servers.
    5. (Optional): In the Bind Password field, type the bind password. The bind password is the password required when authenticating with the LDAP server as the bind DN specified above. If you are configuring an anonymous bind, leave this field blank. In some cases, an unauthenticated bind is possible, where you supply a Bind DN value but no bind password. Consult your LDAP administrator for the proper settings.
    6. From the Encryption drop-down, select one of the following encryption options.

      None: This options specifies cleartext TCP sockets. All passwords are sent across the network in cleartext in this mode.

      LDAPS: This option specifies LDAP wrapped inside SSL.

      StartTLS: This option specifies TLS LDAP. (SSL is negotiated before any passwords are sent.)

    7. Select Validate SSL Certificates to enable certificate validation. If you select this option, the certificate on the remote endpoint is validated against the root certificates as specified by the trusted certificates manager. You must configure which certificates you want to trust on the Trusted Certificates page. For more information, see Add a trusted certificate to your ExtraHop appliance.
    8. Type a time value in the Refresh Interval field or leave the default setting of 1 hour. The refresh interval ensures that any changes made to user or group access on the LDAP server are updated on the ExtraHop appliance.
  4. Configure the following user settings:
    1. Type the base DN in the Base DN field. The Base DN is the point from where a server will search for users. The base DN must contain all user accounts that will have access to the ExtraHop appliance. The users can be direct members of the base DN or nested within an OU within the base DN if the Whole Subtree option is selected for the Search Scope specified below.
    2. Type a search filter in the Search Filter field. Search filters enable you to define search criteria when searching the LDAP directory for user accounts.
      Important:The ExtraHop system automatically adds parentheses to wrap the filter and will not parse this parameter correctly if you add parentheses manually. Add your search filters in this step and in step 5b, similar to the following example: 
      cn=atlas*
|(cn=EH-*)(cn=IT-*)
      In addition, if your group names include the asterisk (*) character, the asterisk must be escaped as \2a. For example, if your group has a CN called test*group, type cn=test\2agroup in the Search Filter field.
    3. Select one of the following options from the Search Scope drop-down list. Search scope specifies the scope of the directory search when looking for user entities.

      Whole subtree: This option looks recursively under the group DN for matching users.

      Single level: This option looks for users that exist in the base DN only; not any subtrees.

  5. To configure user group settings, select the Import user groups from LDAP server checkbox and configure the following settings:
    1. Type the base DN in the Base DN field. The Base DN is the point from where a server will search for user groups. The base DN must contain all user groups that will have access to the ExtraHop appliance. The user groups can be direct members of the base DN or nested within an OU within the base DN if the Whole Subtree option is selected for the Search Scope specified below.
    2. Type a search filter in the Search Filter field. Search filters enable you to define search criteria when searching the LDAP directory for user groups.
      Important:For group search filters, the ExtraHop system implicitly filters on the objectclass=group, and so objectclass=group should not be added to this filter.
    3. Select one of the following options from the Search Scope drop-down list. Search scope specifies the scope of the directory search when looking for user group entities.

      Whole subtree: This option looks recursively under the base DN for matching user groups.

      Single level: This option looks for user groups that exist in the base DN; not any subtrees.

  6. Click Test Settings. If the test succeeds, a status message appears near the bottom of the page. If the test fails, click Show details to see a list of errors. You must resolve any errors before you continue.
  7. Click Save and Continue.

Next steps

Configure user privileges for remote authentication.

Configure user privileges for remote authentication

You can assign user privileges to individual users on your ExtraHop appliance or configure and manage privileges through your LDAP server.

When assigning user privileges through LDAP, you must complete at least one of the available fields. These fields require groups (not organizational units) that are pre-specified on your LDAP server. A user account with access must be a direct member of a specified group. User accounts that are a member of a group specified above will not have access. Groups that are not present are not authenticated on the ExtraHop appliance.

The ExtraHop appliance supports both Active Directory and Posix group memberships. For Active Directory, memberOf is supported. For Posix, memberuid, posixGroups, groupofNames, and groupofuniqueNames are supported.

Here is some information about the available fields:

Full access DN: Create and modify all objects and settings on the ExtraHop Web UI and Admin UI.

Read-write DN: Create and modify objects on the ExtraHop Web UI.

Limited DN: Create, modify, and share dashboards.

Personal DN: Create personal dashboards and modify dashboards shared with the logged-in user.

Node connection privileges DN: (Visible only on the Command appliance.): View a list of ExtraHop appliances that are connected to this Command appliance.

Read-only DN: View objects in the ExtraHop Web UI.

Read-limited DN: View dashboards shared with the logged-in user.

Packet access full DN: View and download packets captured through the ExtraHop Trace appliance.

  1. Choose one of the following options from the Permission assignment options drop-down list:
    • To assign privileges through your remote authentication server, select Obtain permissions level from remote server, and complete at least one of the fields.
    • To give all remote users full write access, select Remote users have full write access.
    • To give all remote users read-only access, select Remote users have read-only access.
    • To enable all remote users to download and view packets, select the Remote users can view and download packets checkbox.
  2. Click Save and Finish.
  3. Click Done.
Published 2020-01-22 20:52