
Sheriff CSM™

Configure LDAP in Sheriff CSM

This topic shows you how to configure Sheriff CSM to allow user authentication using LDAP, such as Microsoft Active Directory (AD). To create a user for LDAP authentication, see Create New Accounts for LDAP Users.

LDAP (Lightweight Directory Access Protocol) authentication can make user management simpler in larger environments by centralizing user accounts and passwords. For example, LDAP streamlines setting access to various systems and networks based on a user's role. Configuring Sheriff CSM to use LDAP authenticates users using their standard corporate domain credentials.

Important: LDAP logon names cannot contain spaces. Sheriff CSM usernames do not allow spaces, so an LDAP username that contains a space will not work in Sheriff CSM.

Creating an LDAP Service Account

To enable Sheriff CSM to query LDAP for authorization, you must first create a service account in LDAP. For example, in Microsoft Active Directory, you configure an LDAP account as you would a user account.

To create an Active Directory service account
  1. Type the name of the person whose account you are setting up, and assign them a username for login.
  2. Set a logon password, and select Password never expires or the option that best fits your company's or organization's policy.

    Important: Sheriff CSM uses this account to access LDAP each time a user logs in. If the password expires and is not updated in Sheriff CSM, users will not be able to log in.

    Microsoft Active Directory dialog boxes for account creation.

Configuring Sheriff CSM to Request Authentication through LDAP

Follow these instructions to configure Sheriff CSM to request user credential authentication from LDAP, rather than using data stored locally in Sheriff CSM.

To configure Sheriff CSM to request LDAP user authentication
  1. Log into the Sheriff CSM web interface and go to Configuration > Administration > Main.

  2. Click the Login Methods/Options section to expand it, and type the required values shown in the Login Methods/Options Values table.

  3. Click Update Configuration to save changes.

    Page to request LDAP authentication in Sheriff CSM.

    Login Methods/Options Values

    Parameter: Enable LDAP for login
    Input Value: Yes

    Parameter: LDAP server address
    Input Value: LDAP server IP address. For example: 127.0.0.1

    Parameter: LDAP server port
    Input Value: 389 (unencrypted) or 636 (SSL encrypted)

    Parameter: LDAP server SSL
    Input Value: Yes (Use LDAP server with SSL) or No

    Parameter: LDAP server TLS
    Input Value: Yes (Use LDAP server with TLS) or No

    Parameter: LDAP server baseDN
    Input Value: LDAP server distinguished name (DN) in the format dc=<domain>,dc=<domain suffix>. For instance, if the domain is "example.com", enter dc=example,dc=com.

    Parameter: LDAP server filter for LDAP users
    Input Value:
      General LDAP: (&(cn=%u)(objectClass=account))
      Active Directory: (&(sAMAccountName=%u)(objectCategory=person))
      Note: To restrict LDAP access to specific users, use the userAccountControl flags. For example, the following filter allows access only to normal user accounts:
      (&(sAMAccountName=%u)(objectCategory=person)(userAccountControl=512))
      See Microsoft documentation for additional options.

    Parameter: LDAP Username
    Input Value: User Principal Name (UPN) of the LDAP account that Sheriff CSM uses to bind (the service account created above): loginname@domain.suffix

    Parameter: LDAP password for Username
    Input Value: Password for the account referenced in LDAP Username.

    Parameter: Require a valid Vigilante user for login
    Input Value:
      Yes: Controls user authorization by requiring a user account to be created in Sheriff CSM with the same username as in LDAP.
      No: A local account is not required for initial login. With this option, the system automatically creates an LDAP-enabled local user account using the specified entity assignment and menu template.

    Local usernames determine user permissions, for example, the assigned menu templates and entities. An admin sets a password for the local account when creating it. After LDAP is set up, the local password is no longer used for authentication.

    If you choose No, you must select a default entity from the Entity for new user list and a default menu template from the Menus for new user list. You then assign these to users who should be authenticated by LDAP.
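As an added example (not part of this topic and not Sheriff CSM's own code), the Python below applies the table's rules: it derives the baseDN from a domain name, substitutes a login name into the %u filter templates with RFC 4515 escaping so the name cannot change the filter's structure, and flags port/SSL/TLS combinations that do not match the table. The function names and the assumption that SSL (LDAPS) and TLS (STARTTLS) are mutually exclusive are mine.

```python
"""Helpers for checking the LDAP values from the Login Methods/Options table (added example)."""

# Filter templates from the table; %u is replaced with the login name at authentication time.
FILTER_GENERAL = "(&(cn=%u)(objectClass=account))"
FILTER_AD = "(&(sAMAccountName=%u)(objectCategory=person))"
FILTER_AD_NORMAL = "(&(sAMAccountName=%u)(objectCategory=person)(userAccountControl=512))"

# RFC 4515 escapes for characters that carry meaning inside a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def base_dn_from_domain(domain: str) -> str:
    """'example.com' -> 'dc=example,dc=com', the baseDN rule given in the table."""
    labels = [label for label in domain.strip().lower().split(".") if label]
    if not labels:
        raise ValueError("domain must contain at least one label")
    return ",".join(f"dc={label}" for label in labels)


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally rather than parsed as filter syntax."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, username: str) -> str:
    """Substitute %u with the escaped login name; spaces are rejected as the topic requires."""
    if not username or " " in username:
        raise ValueError("LDAP logon names used with Sheriff CSM cannot be empty or contain spaces")
    return template.replace("%u", escape_filter_value(username))


def check_transport(port: int, ssl: bool, tls: bool) -> list:
    """Return findings for the port / SSL / TLS values entered in the table (empty list = consistent)."""
    findings = []
    if ssl and tls:
        # Assumption: SSL means LDAPS on a dedicated port, TLS means STARTTLS on 389; pick one.
        findings.append("SSL and TLS are both enabled; choose one")
    if ssl and port != 636:
        findings.append(f"SSL is enabled but the port is {port}; the table pairs SSL with 636")
    if not ssl and port == 636:
        findings.append("port 636 is set but SSL is disabled")
    if not ssl and not tls:
        findings.append("neither SSL nor TLS: the service account password and user credentials travel in cleartext")
    return findings


if __name__ == "__main__":
    print(base_dn_from_domain("example.com"))
    print(render_filter(FILTER_AD_NORMAL, "jdoe"))
    print(check_transport(389, ssl=False, tls=False))
```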

Topic revision: r11 - 07 Jun 2022, SheriffCyberSecurity
Copyright 2020 Sheriff Cyber Security, LLC. All rights reserved.