LDAP Authentication

You can configure JSA to use supported Lightweight Directory Access Protocol (LDAP) providers for user authentication and authorization.

JSA reads the user and role information from the LDAP server, based on the authorization criteria that you defined.

In geographically dispersed environments, performance can be negatively impacted if the LDAP server and the JSA console are not geographically close to each other. For example, user attributes can take a long time to populate if the JSA console is in North America and the LDAP server is in Europe.

You can use the LDAP plug-in for authentication against an Active Directory server. In JSA 2014.4 and earlier, you must configure the server to allow anonymous bind for authentication. In JSA 2014.5 and later versions, the LDAP plug-in supports authenticated binds against an Active Directory server.

JSA 2014.4 and later versions store local authentication passwords for administrative users. These passwords are used if the external authenticator is unavailable, or if the LDAP server cannot be reached because of network issues.

In JSA 2014.4 and earlier, multiple LDAP server configurations are not supported. In JSA 2014.5 and later versions, multiple LDAP server configurations are fully supported and include new authentication options.

Configuring LDAP Authentication

You can configure LDAP authentication on your JSA system.

If you plan to use SSL encryption or TLS authentication with your LDAP server, you must import the SSL or TLS certificate from the LDAP server to the /opt/qradar/conf/trusted_certificates directory on your JSA console. For more information about configuring the certificates, see Configuring SSL or TLS Certificates.

If you are using group authorization, you must configure a JSA user role or security profile on the JSA console for each LDAP group that is used by JSA. Every JSA user role or security profile must have at least one Accept group. The mapping of group names to user roles and security profiles is case-sensitive.

Authentication establishes proof of identity for any user who attempts to log in to the JSA server. When a user logs in, the user name and password are sent to the LDAP directory to verify whether the credentials are correct. To send this information securely, configure the LDAP server connection to use Secure Socket Layer (SSL) or Transport Layer Security (TLS) encryption.

Authorization is the process of determining what access permissions a user has. Users are authorized to perform tasks based on their role assignments. You must have a valid bind connection to the LDAP server before you can select authorization settings.

User attribute values are case-sensitive. The mapping of group names to user roles and security profiles is also case-sensitive.

  1. On the navigation menu, click Admin to open the Admin tab.
  2. Click System Configuration > User Management > Authentication.
  3. From the Authentication Module list, select LDAP.
  4. Click Add and complete the basic configuration parameters.

    Learn more about LDAP basic configuration parameters:

    Table 1: LDAP basic configuration parameters (parameter and description)

    Server URL
      The DNS name or IP address of the LDAP server. The URL must include a port value. For example, ldap://<host_name>:<port> or ldap://<ip_address>:<port>.

    SSL connection
      Select True or False to specify whether Secure Sockets Layer (SSL) encryption is enabled. If SSL encryption is enabled, the value in the Server URL field must specify a secure connection. For example, ldaps://secureldap.mydomain.com:636 uses a secure server URL.

    TLS authentication
      Select True or False to specify whether Transport Layer Security (TLS) authentication is enabled. TLS encryption to the LDAP server is negotiated as part of the normal LDAP protocol and does not require a special protocol designation or port in the Server URL field.

    Search entire base
      Select True to search all subdirectories of the specified Base DN. Select False to search only the immediate contents of the Base DN; subdirectories are not searched.

    LDAP user field
      The user attribute that you want to search on. You can specify multiple user fields in a comma-separated list to allow users to authenticate against any of them. For example, if you specify uid,mailid, a user can be authenticated by providing either their user ID or their mail ID.

    User Base DN
      The Distinguished Name (DN) of the node where the search for a user starts; users are loaded from this location. For performance reasons, make the User Base DN as specific as possible. For example, if all of your user accounts are on the directory server in the Users folder, and your domain name is juniper.com, the User Base DN value is cn=Users,dc=juniper,dc=com.

    Referral
      Select Ignore or Follow to specify how referrals are handled.

  5. Under Connection Settings, select the type of bind connection.

    Learn more about bind connections:

    Table 2: LDAP bind connections (bind connection type and description)

    Anonymous bind
      Use anonymous bind to create a session with the LDAP directory server that does not require you to provide authentication information.

    Authenticated bind
      Use authenticated bind when you want the session to require a valid user name and password combination. A successful authenticated bind authorizes the authenticated user to read the list of users and roles from the LDAP directory during the session. For increased security, ensure that the user ID that is used for the bind connection has no permissions other than reading the LDAP directory.
      Provide the Login DN and Password. For example, if the login name is admin and the domain is juniper.com, the Login DN is cn=admin,dc=juniper,dc=com.

  6. Click Test connection to test the connection information.

    You must provide user information to authenticate against the user attributes that you specified in LDAP User Field. If you specified multiple values in LDAP User Field, you must provide user information to authenticate against the first attribute that is specified.

  7. Select the authorization method to use.

    Learn more about authorization methods:

    Table 3: LDAP authorization methods (authorization method parameter and description)

    Local
      The user name and password combination is verified for each user who logs in, but no authorization information is exchanged between the LDAP server and the JSA server. If you choose Local authorization, you must create each user on the JSA console.

    User attributes
      Choose User Attributes when you want to specify which user role and security profile attributes are used to determine authorization levels. You must specify both a user role attribute and a security profile attribute. The attributes that you can choose from are retrieved from the LDAP server, based on your connection settings. User attribute values are case-sensitive.

    Group based
      Choose Group Based when you want users to inherit role-based access permissions after they authenticate with the LDAP server. The mapping of group names to user roles and security profiles is case-sensitive.

      Group base DN
        The start node in the LDAP directory for loading groups. For example, if all of your groups are on the directory server in the Groups folder, and your domain name is juniper.com, the Group Base DN value is cn=Groups,dc=juniper,dc=com.

      Query limit enabled
        Sets a limit on the number of groups that are returned.

      Query result limit
        The maximum number of groups that are returned by the query. By default, the query results are limited to the first 1000 results.

      By member
        Select By Member to search for groups based on the group members. In the Group Member Field box, specify the LDAP attribute that defines the user's group membership. For example, if the group uses the memberUid attribute to determine group membership, type memberUid in the Group Member Field box.

      By query
        Select By Query to search for groups by running a query. You provide the query information in the Group Member Field and Group Query Field text boxes. For example, to search for all groups that have at least one memberUid attribute and a cn value that starts with the letter 's', type memberUid in Group Member Field and cn=s* in Group Query Field.

  8. If you specified Group Based authorization, click Load Groups and click the plus (+) or minus (-) icon to add or remove privilege groups.

    The user role privilege options control which JSA components the user has access to. The security profile privilege options control the JSA data that each user has access to.

    Note: Query limits can be set by selecting the Query Limit Enabled check box, or they can be set on the LDAP server. If query limits are set on the LDAP server, you might receive a message that indicates that the query limit is enabled even if you did not select the Query Limit Enabled check box.

  9. Click Save.
  10. Click Manage synchronization to exchange authentication and authorization information between the LDAP server and the JSA console.
    1. If you are configuring the LDAP connection for the first time, click Run Synchronization Now to synchronize the data.

    2. Specify the frequency for automatic synchronization.

    3. Click Close.

  11. Repeat the steps to add more LDAP servers, and click Save when complete.

Synchronizing Data with an LDAP Server

You can manually synchronize data between the JSA server and the LDAP authentication server.

If you use authorization that is based on user attributes or groups, user information is automatically imported from the LDAP server to the JSA console.

Each group that is configured on the LDAP server must have a matching user role or security profile that is configured on the JSA console. For each group that matches, the users are imported and assigned permissions that are based on that user role or security profile.

By default, synchronization happens every 24 hours. The timing for synchronization is based on the last run time. For example, if you manually run the synchronization at 11:45 pm and set the synchronization interval to 8 hours, the next synchronization happens at 7:45 am. If the access permissions change for a user who is logged in when the synchronization occurs, the session becomes invalid and the user is redirected to the login screen with the next request.

  1. On the navigation menu, click Admin to open the Admin tab.
  2. Click System Configuration > User Management > Authentication.
  3. In the Authentication Module list, select LDAP.
  4. Click Manage Synchronization > Run Synchronization Now.

Configuring SSL or TLS Certificates

If you use an LDAP directory server for user authentication and you want to enable SSL encryption or TLS authentication, you must configure your SSL or TLS certificate.

  1. Using SSH, log in to your system as the root user.
    User name: root
    Password: <password>

  2. Type the following command to create the /opt/qradar/conf/trusted_certificates/ directory:

    mkdir -p /opt/qradar/conf/trusted_certificates

  3. Copy the SSL or TLS certificate from the LDAP server to the /opt/qradar/conf/trusted_certificates directory on your system.
  4. Verify that the certificate file name extension is .cert, which indicates that the certificate is trusted.

    The JSA system loads only .cert files.

Displaying Hover Text for LDAP Information

You create an LDAP properties configuration file to display LDAP user information as hover text. This configuration file queries the LDAP database for LDAP user information that is associated with events, offenses, or assets (if available).

The web server must be restarted after the ldap.properties file is created. Consider scheduling this task during a maintenance window when no active users are logged in to the system.

The following steps list the properties that you can add to the ldap.properties configuration file.

  1. Use SSH to log in to JSA as a root user.
  2. To obtain an encrypted LDAP user password, run the following perl script:

    perl -I /opt/qradar/lib/Q1/ -e "use auCrypto; print Q1::auCrypto::encrypt ('<password>');"

  3. Use a text editor to create the /opt/qradar/conf/ldap.properties configuration file.
  4. Specify the location and authentication information to access the remote LDAP server.
    1. Specify the URL of the LDAP server and the port number.

      Use ldaps:// or ldap:// to connect to the remote server, for example, ldap.url=ldaps://LDAPserver.example.com:389.

    2. Type the authentication method that is used to access the LDAP server.

      Administrators can use the simple authentication method, for example, ldap.authentication=simple.

    3. Type the user name that has permissions to access the LDAP server.

      For example, ldap.userName=user.name.

    4. To authenticate to the remote LDAP server, type the encrypted LDAP user password for the user.

      For example, ldap.password=password.

    5. Type the base DN used to search the LDAP server for users.

      For example, ldap.basedn=BaseDN.

    6. Type a value to use for the search parameter filter in LDAP.

      For example, ldap.filterString=(&(objectclass=user)(samaccountname=%USER%)). When you hover over a user name in JSA, the %USER% value is replaced by that user name.

  5. Type one or more attributes to display in the hover text.

    You must include at least one LDAP attribute. Each value must use this format: ldap.attributes.AttributeName=Descriptive text to show in UI.

  6. Verify that there is read-level permission for the ldap.properties configuration file.
  7. Log in to JSA as an administrator.
  8. On the Admin tab, select Advanced > Restart Web Server.

Administrators can hover over the Username field on the Log Activity tab and Offenses tab, or hover over the Last User field on the Assets tab (if available) to display more information about the LDAP user.
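The ldap.properties file from the steps above, as an added example that is not JSA's own code: it parses a constructed properties file built from the page's example values, checks the entries the steps require, and substitutes %USER% into ldap.filterString with RFC 4515 escaping so that a user name containing filter metacharacters cannot change the meaning of the query. The file content, the ldap.basedn value and the attribute names are constructed for the example.

```python
# Added example, not JSA code: parse an ldap.properties file of the shape the
# page describes, check the required entries, and build the hover-text search
# filter for a user name with the value escaped per RFC 4515.
from urllib.parse import urlsplit

# Constructed sample; the values follow the page's examples, while ldap.basedn,
# the attribute names and the password placeholder are made up for the example.
SAMPLE_PROPERTIES = """\
ldap.url=ldaps://LDAPserver.example.com:389
ldap.authentication=simple
ldap.userName=user.name
ldap.password=<encrypted password from the auCrypto script>
ldap.basedn=dc=example,dc=com
ldap.filterString=(&(objectclass=user)(samaccountname=%USER%))
ldap.attributes.displayName=Display name
ldap.attributes.mail=E-mail address
"""

REQUIRED = ("ldap.url", "ldap.authentication", "ldap.userName",
            "ldap.password", "ldap.basedn", "ldap.filterString")

def parse_properties(text):
    """Minimal key=value parser: '#' lines are comments, the first '=' splits."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def validate(props):
    """Return a list of problems; an empty list means the file is usable."""
    problems = ["missing " + key for key in REQUIRED if key not in props]
    url = urlsplit(props.get("ldap.url", ""))
    if url.scheme not in ("ldap", "ldaps") or url.port is None:
        problems.append("ldap.url must use ldap:// or ldaps:// and include a port")
    if not any(key.startswith("ldap.attributes.") for key in props):
        problems.append("at least one ldap.attributes.<name> entry is required")
    if "%USER%" not in props.get("ldap.filterString", ""):
        problems.append("ldap.filterString must contain %USER%")
    return problems

# RFC 4515 escapes for characters that are special inside a filter assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def build_filter(props, username):
    """The search filter for one user, with %USER% replaced by the escaped name."""
    return props["ldap.filterString"].replace("%USER%", escape_filter_value(username))
```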

Multiple LDAP Repositories

You can configure JSA to map entries from multiple LDAP repositories into a single virtual repository.

If multiple repositories are configured, when a user logs in, they must specify which repository to use for authentication. They must specify the full path to the repository and the domain name in the user name field. For example, if Repository_1 is configured to use domain ibm.com and Repository_2 is configured to use domain ibm.ca.com, the login information might look like these examples:

  • OU=User Accounts,OU=PHX,DC=qcorpaa,DC=aa,DC=ibm.com\username

  • OU=Office,OU=User Accounts,DC=qcorpaa,DC=aa,DC=ibm.ca.com\username

User information is automatically imported from the LDAP server for repositories that use user attributes or group authorization. For repositories that use local authorization, you must create users directly on the JSA system.

Example: Least Privileged Access Configuration and Set Up

Grant users only the minimum amount of access that they require to do their day-to-day tasks.

You can assign different privileges for JSA data and JSA capabilities. You can do this assignment by specifying different accept and deny groups for security profiles and user roles. Accept groups assign privileges and deny groups restrict privileges.

Let's look at an example. Your company hired a group of student interns. John is in his final year of a specialized cyber security program at the local university. He was asked to monitor and review known network vulnerabilities and prepare a remediation plan based on the findings. Information about the company's network vulnerabilities is confidential.

As the JSA administrator, you must ensure that the student interns have limited access to data and systems. Most student interns must be denied access to JSA Vulnerability Manager, but John's special assignment requires that he has this access. Your organization's policy is that student interns never have access to the JSA API.

The following table shows that John must be a member of the company.interns and qvm.interns groups to have access to JSA Risk Manager and JSA Vulnerability Manager.

Table 4: User Role Privilege Groups

User role   Accept                        Deny
Admin       qradar.admin                  company.firedemployees
QVM         qradar.qvm, qvm.interns       company.firedemployees, qradar.qrm, company.interns
QRM         qradar.qrm, company.interns   company.firedemployees

The following table shows that the security profile for qvm.interns restricts John from accessing the JSA API.

Table 5: Security Profile Privilege Groups

Security profile   Accept                         Deny
QVM                qradar.secprofile.qvm          company.firedemployees
API                qradar.secprofile.qvm.api      company.firedemployees, qradar.secprofile.qvm.interns
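The accept and deny evaluation that Tables 4 and 5 describe, as an added example that is not JSA's own code: it transcribes both tables as data and resolves a user's LDAP group memberships into user roles and security profiles with exact, case-sensitive group matching. It assumes that membership in any Deny group takes precedence over Accept groups, which the page does not state; the memberships used at the bottom are constructed.

```python
# Added example, not JSA code. Resolves a user's LDAP groups into JSA user roles
# and security profiles using Accept/Deny privilege groups (Tables 4 and 5).
# Assumption: a Deny match overrides any Accept match (not stated on the page).
from typing import Dict, FrozenSet, Iterable, Tuple

PrivilegeGroups = Tuple[FrozenSet[str], FrozenSet[str]]  # (accept, deny)

def _pg(accept: Iterable[str], deny: Iterable[str]) -> PrivilegeGroups:
    return frozenset(accept), frozenset(deny)

# Table 4: user role privilege groups, transcribed from the page.
USER_ROLES: Dict[str, PrivilegeGroups] = {
    "Admin": _pg({"qradar.admin"}, {"company.firedemployees"}),
    "QVM": _pg({"qradar.qvm", "qvm.interns"},
               {"company.firedemployees", "qradar.qrm", "company.interns"}),
    "QRM": _pg({"qradar.qrm", "company.interns"}, {"company.firedemployees"}),
}

# Table 5: security profile privilege groups, transcribed from the page.
SECURITY_PROFILES: Dict[str, PrivilegeGroups] = {
    "QVM": _pg({"qradar.secprofile.qvm"}, {"company.firedemployees"}),
    "API": _pg({"qradar.secprofile.qvm.api"},
               {"company.firedemployees", "qradar.secprofile.qvm.interns"}),
}

def decide(member_of: FrozenSet[str], groups: PrivilegeGroups) -> Tuple[bool, str]:
    """Return (granted, reason). Group names are compared exactly (case-sensitive)."""
    accept, deny = groups
    denied = sorted(member_of & deny)
    if denied:  # deny wins, even if an Accept group also matches (assumption)
        return False, "denied by " + ", ".join(denied)
    accepted = sorted(member_of & accept)
    if accepted:
        return True, "accepted by " + ", ".join(accepted)
    return False, "no matching Accept group"

def resolve(member_of: Iterable[str], table: Dict[str, PrivilegeGroups]) -> Dict[str, Tuple[bool, str]]:
    groups = frozenset(member_of)
    return {name: decide(groups, pg) for name, pg in table.items()}

def effective_access(member_of: Iterable[str]) -> Tuple[FrozenSet[str], FrozenSet[str]]:
    """Names of the user roles and security profiles the user ends up with."""
    roles = frozenset(n for n, (ok, _) in resolve(member_of, USER_ROLES).items() if ok)
    profiles = frozenset(n for n, (ok, _) in resolve(member_of, SECURITY_PROFILES).items() if ok)
    return roles, profiles

if __name__ == "__main__":
    # Constructed memberships: a fired administrator whose LDAP account still
    # holds qradar.admin, and an intern whose group name is mis-cased.
    for who, groups in (("fired admin", {"qradar.admin", "company.firedemployees"}),
                        ("intern", {"Company.Interns"})):
        print(who, effective_access(groups))
```

With these tables and deny-first evaluation, a user in both company.interns and qvm.interns is denied the QVM role, so confirm the precedence that your JSA version applies before relying on overlapping Accept and Deny groups.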