LiveAssurance supports a single integration with LDAP, which offers ease of login, centralized identity management, and Role assignment to Groups already present on the LDAP server.
LDAP Setup
To get started with configuration, navigate to the LDAP configuration by clicking on:
Settings > Integrations > Add New Integration > LDAP
1. Enter the LDAP Endpoint, Base DN, username and password. The LDAP user should be in the user@domain.com format. Use port 636 to connect.
   Note: You can optionally enter the hostname of the LDAP endpoint.
   To verify the details before proceeding, click on the TEST button.
   Note: The groups should auto-populate based on the @domain of the username(s).
2. Navigate to Settings > Groups > NEW LDAP GROUP. You should see the list of LDAP Groups LiveAssurance retrieved. Choose the LDAP group(s) you wish to add to the system.
3. Select the New Group button to assign a role for all the users within the added LDAP group.
From here, assign Group privileges (Roles) as usual. For more on this, see the sections dealing with Groups and Roles.
Any time you want to add a new LDAP group, repeat steps 2 and 3.
With LDAP, there is no need to register individual users. Instead, you add the LDAP group to grant access to users belonging to the group.
The Group is saved to the WebUI, and LDAP users assigned to the group can log in to LiveAssurance with their LDAP username, without the @domain details.
By default, LiveAssurance always attempts to use the local authentication mechanism first. If you do not allow local users in your environment, you should remove all the local users from the local database in order to enforce LDAP authentication.
At any attempted login, LiveAssurance first validates the credentials locally. If the credentials do not exist, and if an LDAP server is active, the username and password will be forwarded to the specified LDAP server for credential verification. LiveAssurance does not store the LDAP passwords locally. If the user does not belong to an LDAP group, access is not granted.
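Because each LDAP login forwards the username and password to the configured server, it is worth checking the values from step 1 before saving them. The following is an added example, not LiveAssurance code: the function names are hypothetical, the hostnames and accounts are constructed, and the Base DN comparison assumes Active Directory style DC= naming.

```python
import re
import socket
import ssl

# user@domain.com format required for the LDAP user
UPN_RE = re.compile(r"^[^@\s]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)$")


def domain_to_base_dn(domain):
    """Assumption: AD-style naming, e.g. example.com -> DC=example,DC=com."""
    return ",".join("DC=" + label for label in domain.split("."))


def check_settings(endpoint, port, base_dn, bind_user):
    """Return a list of findings; an empty list means the values are consistent."""
    findings = []
    if not endpoint.strip():
        findings.append("LDAP Endpoint is empty")
    if port != 636:
        findings.append(f"port {port}: the setup calls for 636 (LDAPS)")
    match = UPN_RE.match(bind_user.strip())
    if not match:
        findings.append("LDAP user is not in user@domain.com format")
        return findings
    suffix = domain_to_base_dn(match.group(1))
    normalized = re.sub(r"\s*,\s*", ",", base_dn.strip()).lower()
    if not normalized.endswith(suffix.lower()):
        # Heuristic only: alternate UPN suffixes can make this legitimate.
        findings.append(f"Base DN does not end in {suffix}; confirm it matches the user's domain")
    return findings


def probe_ldaps(host, port=636, timeout=5.0):
    """Open a TLS session with chain and hostname verification against the
    system trust store; raises ssl.SSLCertVerificationError on failure."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return {"protocol": tls.version(), "not_after": tls.getpeercert()["notAfter"]}


if __name__ == "__main__":
    # Constructed sample values, not from a real deployment.
    for finding in check_settings("ldap.example.com", 389, "DC=corp,DC=example,DC=org", "svc-la@example.com"):
        print("finding:", finding)
    # probe_ldaps("ldap.example.com")  # needs network access to the real endpoint
```

Run `probe_ldaps` from a host that can reach the LDAP server; a verification error there means the endpoint's certificate would not validate against that host's trust store.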