Configure remote authentication through LDAP
The ExtraHop system supports the Lightweight Directory Access Protocol (LDAP) for authentication and authorization. Instead of storing user credentials locally, you can configure your ExtraHop appliance to authenticate users remotely with an existing LDAP server. Note that ExtraHop LDAP authentication only queries for user accounts; it does not query for any other entities that might be in the LDAP directory.
Before you begin
- This procedure requires familiarity with configuring LDAP.
- Ensure that each user is in a permission-specific group on the LDAP server before beginning this procedure.
- If you want to configure nested LDAP groups, you must modify the Running Configuration file. Contact ExtraHop Support for help.
When a user attempts to log onto an ExtraHop appliance, the ExtraHop system tries to authenticate the user in the following order:
- Attempts to authenticate the user locally.
- Attempts to authenticate the user through the LDAP server if the user does not exist locally and if the ExtraHop system is configured for remote authentication with LDAP.
- Logs the user onto the ExtraHop system if the user exists and the password is validated either locally or through LDAP. The LDAP password is not stored locally on the ExtraHop system. Note that you must enter the username and password in the format that your LDAP server is configured for. The ExtraHop appliance only forwards the information to the LDAP server.
- If the user does not exist or an incorrect password is entered, an error message appears on the login page.
Important: If you later change from LDAP authentication to a different remote authentication method, the users, user groups, and associated customizations that were created through remote authentication are removed. Local users are unaffected.
- Log into the Admin UI on the ExtraHop appliance.
- In the Access Settings section, click Remote Authentication.
- From the Remote authentication method drop-down list, select LDAP and then click Continue.
- On the LDAP Settings page, complete the following server information fields:
- Configure the following user settings:
- To configure user group settings, select the Import user groups from LDAP server checkbox and configure the following settings:
- Click Test Settings. If the test succeeds, a status message appears near the bottom of the page. If the test fails, click Show details to see a list of errors. You must resolve any errors before you continue.
- Click Save and Continue.
Next steps
Configure user privileges for remote authentication.
Configure user privileges for remote authentication
You can assign user privileges to individual users on your ExtraHop appliance or configure and manage privileges through your LDAP server.
The ExtraHop appliance supports both Active Directory and POSIX-style group memberships. For Active Directory, the memberOf attribute on the user entry is supported. For POSIX-style groups, the memberUid attribute of posixGroup entries and the member and uniqueMember attributes of groupOfNames and groupOfUniqueNames entries are supported.
Here is some information about the available fields:
Full access DN: Create and modify all objects and settings on the ExtraHop Web UI and Admin UI.
Read-write DN: Create and modify objects on the ExtraHop Web UI.
Limited DN: Create, modify, and share dashboards.
Personal DN: Create personal dashboards and modify dashboards shared with the logged-in user.
Node connection privileges DN (visible only on the Command appliance): View a list of ExtraHop appliances that are connected to this Command appliance.
Full read-only DN: View objects in the ExtraHop Web UI.
Restricted read-only DN: View dashboards shared with the logged-in user.
Packet access full DN: View and download packets captured through the ExtraHop Trace appliance.
Packet and session key access full DN: View and download packets and any associated SSL session keys captured through the ExtraHop Trace appliance.
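The following script is an added example, not ExtraHop code. It shows how a privilege level and a packet-access level can be derived from the group memberships described above, covering both the Active Directory memberOf style and the three POSIX-style group types, and it implements the "before you begin" check that every user sits in a privilege group. The group DNs, user entries and the choice to prefer the most privileged match when a user is in several groups are this example's own assumptions; the page does not say how ExtraHop resolves overlapping group memberships, so keep each user in exactly one privilege group.

```python
"""Resolve ExtraHop privilege levels from LDAP group membership.

Added example, not ExtraHop code. Covers the two membership styles the page
names: Active Directory 'memberOf' on the user entry, and POSIX-style groups
('memberUid' on posixGroup, 'member' on groupOfNames, 'uniqueMember' on
groupOfUniqueNames). All DNs and entries are constructed sample data so the
script runs offline.
"""
from __future__ import annotations

# Privilege DN fields from the Admin UI, most to least privileged. Group DNs
# are sample values. Preferring the most privileged match is this example's
# own choice, not documented ExtraHop behaviour.
PRIVILEGE_DNS: list[tuple[str, str]] = [
    ("full_access",          "cn=eh-full,ou=groups,dc=example,dc=com"),
    ("read_write",           "cn=eh-rw,ou=groups,dc=example,dc=com"),
    ("limited",              "cn=eh-limited,ou=groups,dc=example,dc=com"),
    ("personal",             "cn=eh-personal,ou=groups,dc=example,dc=com"),
    ("full_read_only",       "cn=eh-ro,ou=groups,dc=example,dc=com"),
    ("restricted_read_only", "cn=eh-restricted,ou=groups,dc=example,dc=com"),
]

# Packet access DN fields (Trace appliance), most permissive first.
PACKET_DNS: list[tuple[str, str]] = [
    ("packets_and_session_keys", "cn=eh-pcap-keys,ou=groups,dc=example,dc=com"),
    ("packets_only",             "cn=eh-pcap,ou=groups,dc=example,dc=com"),
]


def norm_dn(dn: str) -> str:
    """Normalise a DN for comparison: attribute types and these values are
    case-insensitive, and whitespace around the separating commas is not
    significant."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def groups_of(user: dict, groups: list[dict]) -> set[str]:
    """Normalised DNs of every group the user belongs to, from the AD memberOf
    attribute and from the three POSIX-style group object classes."""
    mine = {norm_dn(dn) for dn in user.get("memberOf", [])}
    user_dn = norm_dn(user["dn"])
    uid = user.get("uid")
    for grp in groups:
        classes = {c.lower() for c in grp.get("objectClass", [])}
        gdn = norm_dn(grp["dn"])
        if "posixgroup" in classes and uid in grp.get("memberUid", []):
            mine.add(gdn)
        if "groupofnames" in classes and user_dn in map(norm_dn, grp.get("member", [])):
            mine.add(gdn)
        if "groupofuniquenames" in classes and user_dn in map(norm_dn, grp.get("uniqueMember", [])):
            mine.add(gdn)
    return mine


def _first_match(mine: set[str], table: list[tuple[str, str]]) -> str | None:
    for level, dn in table:
        if norm_dn(dn) in mine:
            return level
    return None


def privilege_for(user: dict, groups: list[dict]) -> str | None:
    """Privilege level implied by the user's groups; None if no DN field matched."""
    return _first_match(groups_of(user, groups), PRIVILEGE_DNS)


def packet_access_for(user: dict, groups: list[dict]) -> str:
    """Packet/session-key access implied by the user's groups ('none' if neither matched)."""
    return _first_match(groups_of(user, groups), PACKET_DNS) or "none"


def users_without_privilege(users: list[dict], groups: list[dict]) -> list[str]:
    """The 'before you begin' check: users who are in no privilege group."""
    return [u["uid"] for u in users if privilege_for(u, groups) is None]


# Constructed sample directory: one AD-style user and three POSIX-style users.
USERS = [
    {"dn": "cn=alice,ou=people,dc=example,dc=com", "uid": "alice",
     "memberOf": ["CN=eh-rw,OU=groups,DC=example,DC=com"]},
    {"dn": "uid=bob,ou=people,dc=example,dc=com", "uid": "bob"},
    {"dn": "uid=carol,ou=people,dc=example,dc=com", "uid": "carol"},
    {"dn": "uid=dave,ou=people,dc=example,dc=com", "uid": "dave"},
]
GROUPS = [
    {"dn": "cn=eh-ro,ou=groups,dc=example,dc=com", "objectClass": ["posixGroup"],
     "memberUid": ["bob"]},
    {"dn": "cn=eh-full,ou=groups,dc=example,dc=com", "objectClass": ["groupOfNames"],
     "member": ["uid=carol, ou=people, dc=example, dc=com"]},
    {"dn": "cn=eh-pcap-keys,ou=groups,dc=example,dc=com", "objectClass": ["groupOfUniqueNames"],
     "uniqueMember": ["uid=bob,ou=people,dc=example,dc=com"]},
]

if __name__ == "__main__":
    for u in USERS:
        print(u["uid"], privilege_for(u, GROUPS), packet_access_for(u, GROUPS))
    print("no privilege group:", users_without_privilege(USERS, GROUPS))
```

Run against a real directory, the same functions would consume the entries returned by a search for the user and for the candidate groups; the DN normalisation matters because memberOf values returned by Active Directory are often in a different case from the DNs you type into the Admin UI fields.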
- Choose one of the following options from the Permission assignment options drop-down list:
- Obtain permissions level from remote server
This option assigns privileges through your remote authentication server. You must complete at least one distinguished name (DN) field. To enable a user to download packet captures and session keys, configure the Packet access full DN or Packet and session key access full DN field.
- Remote users have full write access
This option allows remote users to have full write access to the ExtraHop Web UI.
- Remote users have full read-only access
This option allows remote users to have read-only permissions to the ExtraHop Web UI.
- Remote users can view connected appliances
This option, which only appears on the Command appliance, allows remote users to log into the Admin UI on the Command appliance and view any connected Discover, Explore, and Trace appliances.
- Select one of the following options to allow remote users to download packet captures and SSL session keys:
- No access
- Packets only
- Packets and session keys
- Click Save and Finish.
- Click Done.