Configuring Remote LDAP Authentication
You can interconnect your bastion host with the LDAP server to authenticate logins to the bastion host.
This topic describes how to configure the LDAP authentication mode.
Constraints
- One-click synchronization of LDAP server users is not supported.
- Identical configurations of two LDAP authentication servers are not allowed. Each LDAP server has unique combination of IP address, port number, and user OU.
Prerequisites
- You have the management permissions for the System module.
- You have obtained the information about the LDAP server.
Procedure
- Log in to your bastion host.
- Choose System > Sysconfig > Authenticate.
Figure 1 Configuring remote authentication
- Click Add in the LDAP Settings area.
LDAP supports the two authentication modes:
- If you select Auth for Auth Mode, configure the parameters by referring to Table 1.
Figure 2 Configuring LDAP authentication
Table 1 LDAP authentication parameters Parameter
Description
Server
Specifies the IP address of the LDAP server.
Status
Specifies whether to enable remote LDAP authentication. Remote LDAP authentication is enabled by default ().
- : LDAP authentication is enabled. Remote LDAP authentication is enabled when a user starts a login.
- : LDAP authentication is disabled.
SSL
Specifies whether to enable SSL encryption. SSL encryption is disabled by default ().
- : SSL encryption is disabled.
- : SSL encryption is enabled. After SSL encryption is enabled, data transmitted by synchronized users or authenticated users is encrypted.
Port
Specifies the access port of the remote LDAP server. The default port number is 389.
Mode
Select Auth Mode or Sync Mode.
- Auth Mode: The bastion host is interconnected with the AD server. To add a domain user, you need to manually select LDAP authentication on the user management page.
- Sync Mode: After the bastion host is connected to the AD server, you can choose and synchronize users under the corresponding OU to the bastion host.
User OU
Specifies the user organization unit (OU) on the LDAP server.
User Filter
Specifies the users to be filtered out on the LDAP server.
- Select Auth for Auth Mode and configure the parameters by referring to Table 2.
Querying authentication methods is supported in version version 3.3.36.0 and later only. To use this function, upgrade your bastion host to version 3.3.36.0 or later by referring to Upgrading the CBH System Version.
Figure 3 Inquire
Table 2 LDAP inquiring mode parameters Parameter
Description
Server
Specifies the IP address of the LDAP server.
Status
Specifies whether to enable remote LDAP authentication. Remote LDAP authentication is enabled by default ().
- : LDAP authentication is enabled. Remote LDAP authentication is enabled when a user starts a login.
- : LDAP authentication is disabled.
SSL
Specifies whether to enable SSL encryption. SSL encryption is disabled by default ().
- : SSL encryption is disabled.
- : SSL encryption is enabled. After SSL encryption is enabled, data transmitted by synchronized users or authenticated users is encrypted.
Port
Specifies the access port of the remote LDAP server. The default port number is 389.
Mode
Select Auth Mode or Sync Mode.
- The bastion host is interconnected with the AD server. To add a domain user, you need to manually select LDAP authentication on the user management page.
- After the CBH instance is connected to the AD server, you can choose and synchronize users under the corresponding OU to the bastion host.
Base DN
Base DN of the LDAP server.
Administrator DN
Administrator DN.
Administrator Password
Password of the administrator.
User OU
Specifies the user organization unit (OU) on the LDAP server.
User Filter
Specifies the users to be filtered out on the LDAP server.
- If you select Auth for Auth Mode, configure the parameters by referring to Table 1.
- Click OK. You can then view LDAP authentication configurations in the LDAP server list.
Follow-up Operations
- To view details of the configured LDAP authentication, click Details in the Operation column.
- To modify or disable LDAP authentication, click Edit in the Operation column and reconfigure LDAP authentication in the displayed dialog box.
- If the LDAP authentication is no longer required, click Delete in the Operation column to delete it. Deleted authentication information cannot be recovered. Exercise caution when performing this operation.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.