Help Center/ Cloud Bastion Host/ User Guide/ User/ Remote Authentication Management/ Configuring Remote LDAP Authentication
Updated on 2024-12-03 GMT+08:00

Configuring Remote LDAP Authentication

You can interconnect your bastion host with the LDAP server to authenticate logins to the bastion host.

Constraints

  • One-click synchronization of LDAP server users is not supported.
  • Identical configurations of two LDAP authentication servers are not allowed. Each LDAP server has unique combination of IP address, port number, and user OU.

Prerequisites

  • You have the management permissions for the System module.
  • You have obtained the information about the LDAP server.

Procedure

  1. Log in to your bastion host.
  2. Choose System > Sysconfig > Authenticate.

    Figure 1 Configuring remote authentication

  3. Click Add in the LDAP Settings area.

    LDAP supports the two authentication modes:

    • If you select Auth for Auth Mode, configure the parameters by referring to Table 1.
      Figure 2 Configuring LDAP authentication
      Table 1 LDAP authentication parameters

      Parameter

      Description

      Server

      Specifies the IP address of the LDAP server.

      Status

      Specifies whether to enable remote LDAP authentication. Remote LDAP authentication is enabled by default ().

      • : LDAP authentication is enabled. Remote LDAP authentication is enabled when a user starts a login.
      • : LDAP authentication is disabled.

      SSL

      Specifies whether to enable SSL encryption. SSL encryption is disabled by default ().

      • : SSL encryption is disabled.
      • : SSL encryption is enabled. After SSL encryption is enabled, data transmitted by synchronized users or authenticated users is encrypted.

      Port

      Specifies the access port of the remote LDAP server. The default port number is 389.

      Mode

      Select Auth Mode or Sync Mode.

      • Auth Mode: The bastion host is interconnected with the AD server. To add a domain user, you need to manually select LDAP authentication on the user management page.
      • Sync Mode: After the bastion host is connected to the AD server, you can choose Systemconfig > Authenticate and synchronize users under the corresponding OU to the bastion host.

      User OU

      Specifies the user organization unit (OU) on the LDAP server.

      User Filter

      Specifies the users to be filtered out on the LDAP server.

    • Select Auth for Auth Mode and configure the parameters by referring to Table 2.

      Querying authentication methods is supported in version version 3.3.36.0 and later only. To use this function, upgrade your bastion host to version 3.3.36.0 or later by referring to Upgrading the Instance Version.

      Figure 3 Inquire

      Table 2 LDAP inquiring mode parameters

      Parameter

      Description

      Server

      Specifies the IP address of the LDAP server.

      Status

      Specifies whether to enable remote LDAP authentication. Remote LDAP authentication is enabled by default ().

      • : LDAP authentication is enabled. Remote LDAP authentication is enabled when a user starts a login.
      • : LDAP authentication is disabled.

      SSL

      Specifies whether to enable SSL encryption. SSL encryption is disabled by default ().

      • : SSL encryption is disabled.
      • : SSL encryption is enabled. After SSL encryption is enabled, data transmitted by synchronized users or authenticated users is encrypted.

      Port

      Specifies the access port of the remote LDAP server. The default port number is 389.

      Mode

      Select Auth Mode or Sync Mode.

      • The bastion host is interconnected with the AD server. To add a domain user, you need to manually select LDAP authentication on the user management page.
      • After the CBH instance is connected to the AD server, you can choose Systemconfig > Authenticate and synchronize users under the corresponding OU to the bastion host.

      Base DN

      Base DN of the LDAP server.

      Administrator DN

      Administrator DN.

      Administrator Password

      Password of the administrator.

      User OU

      Specifies the user organization unit (OU) on the LDAP server.

      User Filter

      Specifies the users to be filtered out on the LDAP server.

  4. Click OK. You can then view LDAP authentication configurations in the LDAP server list.

Follow-up Operations

  • To view details of the configured LDAP authentication, click Details in the Operation column.
  • To modify or disable LDAP authentication, click Edit in the Operation column and reconfigure LDAP authentication in the displayed dialog box.
  • If the LDAP authentication is no longer required, click Delete in the Operation column to delete it. Deleted authentication information cannot be recovered. Exercise caution when performing this operation.