Applies to Product: USM Appliance™, AlienVault OSSIM®
This topic shows you how to configure USM Appliance to allow user authentication using LDAP, such as Microsoft Active Directory (AD). To create a user for LDAP authentication, see Create New Accounts for LDAP Users.
LDAP (Lightweight Directory Access Protocol) authentication can make user management simpler in larger environments by centralizing user accounts and passwords. For example, LDAP streamlines setting access to various systems and networks based on a user's role. Once USM Appliance is configured to use LDAP, it authenticates users with their standard corporate domain credentials.
Important: LDAP logon names cannot have spaces in the name. Because USM Appliance usernames do not allow for spaces, a space in an LDAP username will not work in USM Appliance.
To enable USM Appliance to query LDAP for authorization, you must first create a service account in LDAP. For example, in Microsoft Active Directory, you configure an LDAP account as you would a user account.
To create an Active Directory service account
- Type the name of the person whose account you are setting up, and assign them a username for login.
- Set a logon password, and select Password never expires or the option that best fits your company's or organization's policy.
Important: USM Appliance uses this account to access LDAP each time a user logs in. If the password expires and is not updated in USM Appliance, users will not be able to log in.
Configuring USM Appliance to Request Authentication through LDAP
Follow these instructions to configure USM Appliance to request user credential authentication from LDAP, rather than using data stored locally in USM Appliance.
To configure USM Appliance to request LDAP user authentication
- Log into the USM Appliance web interface and go to Configuration > Administration > Main.
- Click the Login Methods/Options section to expand it, and type the required values shown in the Login Methods/Options Values table.
- Click Update Configuration to save changes.
Login Methods/Options Values

- Remote login key: Required when using remote loggers. Otherwise you can leave it empty. See Configure the USM Appliance Logger after Deployment for details.
- Enable LDAP for login: Yes
- LDAP server address: LDAP server IP address. For example: 127.0.0.1
- LDAP server port: 389 (unencrypted) or 636 (SSL encrypted)
- LDAP server SSL: Yes (Use LDAP server with SSL) or No
- LDAP server TLS: Yes (Use LDAP server with TLS) or No
- LDAP server baseDN: LDAP server distinguished name (DN) in the format of
  For instance, if the DN is "example.com", you should enter
- LDAP server filter for LDAP users:
  General LDAP: (&(cn=%u)(objectClass=account))
  Active Directory: (&(sAMAccountName=%u)(objectCategory=person))
  Note: To restrict LDAP access to specific users, use the UserAccountControl flags. For example, the entry below allows access to a normal user account:
  See Microsoft documentation for additional options.
- LDAP Username: User Principal Name (UPN) of the user account in LDAP:
- LDAP password for Username: Password for the account referenced in LDAP Username.
- Require a valid ossim user for login:
  Yes — Controls user authorization by requiring creation of a user account in USM Appliance with the same username as in LDAP.
  No — A local account is not required for initial login. When using this option, the system automatically creates an LDAP-enabled local user account using the specified entity assignment and menu template.
Local usernames are used to determine user permissions, for example, assigning menu templates and entities. An admin sets a password for the local account during its creation. After LDAP is set up, the local password is no longer used for authentication.
If you choose No, you must select a default entity from the Entity for new user list and a default menu template from the Menus for new user list. You then assign these to users who should be authenticated by LDAP.
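The filter substitution the table describes, as an added example that is not USM Appliance's own code: the typed login name replaces %u in the configured template, but only after RFC 4515 escaping, so a name containing *, (, ) or \ cannot change the filter's structure, and the no-spaces rule from above is enforced before any lookup. The disabled-account clause at the end is my assumption about one way to use UserAccountControl (Active Directory's bit-AND matching rule), not the page's own elided example.

```python
# Added example, not USM Appliance's own code: builds the per-login LDAP
# search filter from the page's templates, substituting the typed login name
# for %u only after RFC 4515 escaping, so that a name containing *, (, ) or \
# cannot alter the filter's structure. Also enforces the page's no-spaces rule.

# The two filter templates given in the Login Methods/Options table.
GENERAL_LDAP_FILTER = "(&(cn=%u)(objectClass=account))"
ACTIVE_DIRECTORY_FILTER = "(&(sAMAccountName=%u)(objectCategory=person))"

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_RFC4515_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Assumption (not the page's elided UserAccountControl example): Active
# Directory's bit-AND matching rule OID and the ACCOUNTDISABLE flag, used
# below to reject disabled accounts regardless of what the template matched.
AD_BIT_AND_RULE = "1.2.840.113556.1.4.803"
ACCOUNTDISABLE = 0x0002


def escape_filter_value(value: str) -> str:
    """Escape one assertion value per RFC 4515 (single pass, no double escaping)."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(template: str, login_name: str) -> str:
    """Return the filter for one login attempt, or raise ValueError."""
    if not login_name:
        raise ValueError("login name must not be empty")
    if " " in login_name:
        raise ValueError("USM Appliance usernames cannot contain spaces")
    if "%u" not in template:
        raise ValueError("filter template has no %u placeholder")
    return template.replace("%u", escape_filter_value(login_name))


def exclude_disabled_accounts(ldap_filter: str) -> str:
    """AND a userAccountControl bit test onto a filter so disabled accounts never match."""
    return f"(&{ldap_filter}(!(userAccountControl:{AD_BIT_AND_RULE}:={ACCOUNTDISABLE})))"


if __name__ == "__main__":
    # Constructed inputs: a normal name, then one that would be a wildcard if unescaped.
    for name in ("jsmith", "j*"):
        print(exclude_disabled_accounts(build_user_filter(ACTIVE_DIRECTORY_FILTER, name)))
```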