Configure remote authentication through LDAP
The ExtraHop system supports the Lightweight Directory Access Protocol (LDAP) for authentication and authorization. Instead of storing user credentials locally, you can configure your ExtraHop appliance to authenticate users remotely with an existing LDAP server. Note that ExtraHop LDAP authentication only queries for user accounts; it does not query for any other entities that might be in the LDAP directory.
Before you begin
- This procedure requires familiarity with configuring LDAP.
- Ensure that each user is in a permission-specific group on the LDAP server before beginning this procedure.
- If you want to configure nested LDAP groups, you must modify the Running Configuration file. Contact ExtraHop Support for help.
When a user attempts to log on to an ExtraHop appliance, the ExtraHop system authenticates the user in the following order:
- Attempts to authenticate the user locally.
- Attempts to authenticate the user through the LDAP server only if the user does not exist locally and the ExtraHop system is configured for remote authentication with LDAP. A local account therefore takes precedence over an LDAP account with the same username; the LDAP server is never consulted for that username.
- Logs the user on to the ExtraHop system if the user exists and the password is validated either locally or through LDAP. The LDAP password is not stored locally on the ExtraHop system.
- If the user does not exist or an incorrect password is entered, an error message appears on the login page.
Important: If you later change from LDAP authentication to a different remote authentication method, the users, user groups, and associated customizations that were created through remote authentication are removed. Local users are unaffected.
- In the Access Settings section, click Remote Authentication.
- In the Methods section, select LDAP and click Continue.
- On the LDAP Settings page, complete the following server information fields:
- Configure the following user settings:
- To configure user group settings, select the Import user groups from LDAP server checkbox and configure the following settings:
- Click Test Settings. If the test succeeds, a status message appears near the bottom of the page. If the test fails, click Show details to see a list of errors. You must resolve any errors before you continue.
- Click Save and Continue.
Next steps
Configure user privileges for remote authentication.
Configure user privileges for remote authentication
You can assign user privileges to individual users on your ExtraHop appliance or configure and manage privileges through your LDAP server.
The ExtraHop appliance supports both Active Directory and POSIX group memberships. For Active Directory, the memberOf attribute on the user entry is supported. For POSIX-style directories, the memberUid attribute of posixGroup entries and the member and uniqueMember attributes of groupOfNames and groupOfUniqueNames entries are supported. Note that memberUid holds bare user IDs, whereas member and uniqueMember hold full user DNs.
Here is some information about the available fields:
Full access DN: Create and modify all objects and settings on the ExtraHop Web UI and Admin UI.
Read-write DN: Create and modify objects on the ExtraHop Web UI.
Limited DN: Create, modify, and share dashboards.
Personal DN: Create personal dashboards and modify dashboards shared with the logged-in user.
Node connection privileges DN (visible only on the Command appliance): View a list of ExtraHop appliances that are connected to this Command appliance.
Read-only DN: View objects in the ExtraHop Web UI.
Read-limited DN: View dashboards shared with the logged-in user.
Packet access full DN: View and download packets captured through the ExtraHop Trace appliance.
- Choose one of the following options from the Permission assignment options drop-down list:
- To assign privileges through your remote authentication server, select Obtain permissions level from remote server, and complete at least one of the fields.
- To give all remote users full write access, select Remote users have full write access.
- To give all remote users read-only access, select Remote users have read-only access.
- To enable all remote users to download and view packets, select the Remote users can view and download packets checkbox.
- Click Save and Finish.
- Click Done.
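The following is an added example, not ExtraHop code, that models two things this page describes: the local-first login order (a local account shadows an LDAP account of the same name, and LDAP passwords are never stored locally) and how the "... DN" fields resolve a user's privilege level from Active Directory memberOf, posixGroup memberUid, and groupOfNames member attributes. The directory entries, account names, group DNs, password values, and the rule that a user matching several DNs receives the highest level are all constructed assumptions; a real appliance binds to the LDAP server rather than reading a dictionary.

```python
"""Constructed model of the login order and LDAP group-to-privilege mapping.
Added illustration only; the directory, accounts and tie-break rule are assumptions."""
import hashlib
import hmac

# Privilege levels from least to most privileged, named after the "... DN" fields.
# Resolving a multi-group user to the highest matching level is an assumption.
PRIVILEGE_ORDER = ["read-limited", "read-only", "personal", "limited",
                   "read-write", "full"]

SALT = b"constructed-salt"  # constructed; use a random per-user salt in practice


def _pbkdf2(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


# Local accounts hold only a password hash plus a locally assigned privilege.
LOCAL_USERS = {
    "setup": {"hash": _pbkdf2("local-secret"), "privilege": "full"},
    "carol": {"hash": _pbkdf2("carol-local"), "privilege": "read-only"},
}

# Constructed LDAP directory: DN -> attributes (only what this example needs).
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "uid": ["alice"], "userPassword": ["alice-pass"]},
    "uid=carol,ou=people,dc=example,dc=com": {
        "uid": ["carol"], "userPassword": ["carol-ldap"]},
    "cn=bob,ou=users,dc=corp,dc=example": {               # AD-style user
        "sAMAccountName": ["bob"], "userPassword": ["bob-pass"],
        "memberOf": ["CN=extrahop-readonly,OU=groups,DC=corp,DC=example"]},
    "cn=extrahop-admins,ou=groups,dc=example,dc=com": {   # posixGroup
        "memberUid": ["alice", "carol"]},
    "cn=dashboard-editors,ou=groups,dc=example,dc=com": { # groupOfNames
        "member": ["uid=alice,ou=people,dc=example,dc=com"]},
    "cn=extrahop-readonly,ou=groups,dc=corp,dc=example": {},  # AD group
}

# What an administrator would enter in the "... DN" fields with
# "Obtain permissions level from remote server" selected (constructed).
PRIVILEGE_DNS = {
    "full": "cn=extrahop-admins,ou=groups,dc=example,dc=com",
    "limited": "cn=dashboard-editors,ou=groups,dc=example,dc=com",
    "read-only": "cn=extrahop-readonly,ou=groups,dc=corp,dc=example",
}


def _norm(dn: str) -> str:
    # DNs compare case-insensitively; a real implementation also normalises spacing.
    return dn.lower()


def find_user_dn(username: str):
    """Locate the user entry by uid (POSIX) or sAMAccountName (AD)."""
    for dn, attrs in DIRECTORY.items():
        if username in attrs.get("uid", []) + attrs.get("sAMAccountName", []):
            return dn
    return None


def is_member(user_dn: str, attrs: dict, group_dn: str) -> bool:
    """Evaluate each membership style the page lists."""
    # Active Directory: membership is recorded on the user entry (memberOf).
    if _norm(group_dn) in {_norm(g) for g in attrs.get("memberOf", [])}:
        return True
    group = DIRECTORY.get(group_dn, {})
    # posixGroup: memberUid holds bare uid values, not DNs.
    if set(attrs.get("uid", [])) & set(group.get("memberUid", [])):
        return True
    # groupOfNames / groupOfUniqueNames: member / uniqueMember hold full DNs.
    dns = {_norm(m) for m in group.get("member", []) + group.get("uniqueMember", [])}
    return _norm(user_dn) in dns


def resolve_privilege(user_dn: str, attrs: dict):
    matched = [lvl for lvl, dn in PRIVILEGE_DNS.items()
               if is_member(user_dn, attrs, dn)]
    return max(matched, key=PRIVILEGE_ORDER.index) if matched else None


def authenticate(username: str, password: str):
    """Return (source, privilege) on success, None on failure."""
    # 1. Local store first. A local account with the same name as an LDAP
    #    account shadows it: LDAP is never consulted for that username.
    if username in LOCAL_USERS:
        rec = LOCAL_USERS[username]
        if hmac.compare_digest(_pbkdf2(password), rec["hash"]):
            return ("local", rec["privilege"])
        return None
    # 2. LDAP. A real appliance binds as the user's DN; the directory checks
    #    the password and nothing is written to local storage.
    user_dn = find_user_dn(username)
    if user_dn is None:
        return None
    attrs = DIRECTORY[user_dn]
    if not hmac.compare_digest(attrs["userPassword"][0].encode(), password.encode()):
        return None
    privilege = resolve_privilege(user_dn, attrs)
    # Assumption: a user matching none of the configured DNs gets no access.
    return ("ldap", privilege) if privilege else None


if __name__ == "__main__":
    for user, pw in [("setup", "local-secret"), ("alice", "alice-pass"),
                     ("bob", "bob-pass"), ("carol", "carol-ldap"), ("alice", "nope")]:
        print(user, "->", authenticate(user, pw))
```

Running the block shows alice resolving to "full" even though she is also in the dashboard-editors group, bob resolving through his AD memberOf attribute, and carol failing with her LDAP password because the local account of the same name is checked first. Before enabling LDAP, compare the local account list against the LDAP user IDs you expect to log on, so that no local account silently shadows a directory account.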