 |
Previous Next Sheriff CSM™
Configure LDAP in Sheriff CSM
This topic shows you how to configure Sheriff CSM to allow user authentication using LDAP, such as Microsoft Active Directory (AD). To create a user for LDAP authentication, see Create New Accounts for LDAP Users. LDAP (Lightweight Directory Access Protocol) authentication can make user management simpler in larger environments by centralizing user accounts and passwords. For example, LDAP streamlines setting access to various systems and networks based on a user's role. Configuring Sheriff CSM to use LDAP authenticates users using their standard corporate domain credentials. Important: LDAP logon names cannot have spaces in the name. Because Sheriff CSM usernames do not allow for spaces, a space in an LDAP username will not work in Sheriff CSM.Creating an LDAP Service Account
To enable Sheriff CSM to query LDAP for authorization, you must first create a service account in LDAP. For example, in Microsoft Active Directory, you configure an LDAP account as you would a user account. To create an Active Directory service account- Type the name of the person whose account you are setting up, and assign them a username for login.
-
Set a logon password, and select Password never expires or the option that best fits your company's or organization's policy.
Important: Sheriff CSM uses this account to access LDAP each time a user logs in. If the password expires and is not updated in Sheriff CSM, users will not be able to log in.
Configuring Sheriff CSM to Request Authentication through LDAP
Follow these instructions to configure Sheriff CSM to request user credential authentication from LDAP, rather than using data stored locally in Sheriff CSM. To configure Sheriff CSM to request LDAP user authentication-
Log into the Sheriff CSM web interface and go to Configuration > Administration > Main.
-
Click the Login Methods/Options section to expand it, and type the required values shown in the Login Methods/Options Values table.
-
Click Update Configuration to save changes.
Login Methods/Options Values
Parameter Input Value Enable LDAP for login Yes LDAP server address LDAP server IP address. For example: 127.0.0.1 LDAP server port 389 (unencrypted) or 636 (SSL encrypted)
LDAP server SSL Yes (Use LDAP server with SSL) or No
LDAP server TLS Yes (Use LDAP server with TLS) or No
LDAP server baseDN LDAP server distinguished name (DN) in the format of
dc=<domain>,dc=<domain suffix>For instance, if the DN is "example.com", you should enter
dc=example,dc=com.LDAP server filter for LDAP users General LDAP:
(&(cn=%u)(objectClass=account))Active Directory:
(&(sAMAccountName=%u)(objectCategory=person))Note: To restrict LDAP access to specific users, use the UserAccountControl flags. For example, the entry below allows access to a normal user account:
(&(sAMAccountName=%u)
(objectCategory=person)
(userAccountControl=512))See Microsoft documentation for additional options.
LDAP Username User Principal Name (UPN) of the user account in LDAP:
loginname@domain.suffix
LDAP password for Username Password for the account referenced in LDAP Username. Require a valid Vigilante user for login Yes — Controls user authorization by requiring creation of a user account in the Sheriff CSM with the same username as in LDAP.
No — A local account is not required for initial login. When using this option, the system will automatically create a LDAP enabled local user account using the specified entity assignment and menu template.
Local usernames are used to determine user permissions, for example, assigning menu templates and entities. An admin sets a password for the local account during its creation. After LDAP is set up, the local password is no longer used for authentication.
If you choose No, you must select a default entity from the Entity for new user list and a default menu template from the Menus for new user list. You then assign these to users who should be authenticated by LDAP.
