Appendix: LDAP and TACACS+ Authentication

This appendix is relevant only if you wish to use an LDAP or TACACS+ server to authenticate Paragon Active Assurance users.

Paragon Active Assurance supports the use of LDAP or TACACS+ to manage and authenticate its users in a centralized way. The authentication is then done using a remote server instead of the local Control Center user database.

When a user attempts to log in to Control Center, Control Center sends an authorization request to the LDAP or TACACS+ server. Based on the response, Control Center grants or denies the user access to the Paragon Active Assurance accounts listed in that response.

The following notes apply to both LDAP and TACACS+ unless otherwise indicated. "Server" is used below to refer to either technology.

  • If some account is defined twice in the mapping from LDAP/TACACS+ to Control Center, the user will receive the higher permission of the two granted. Thus, if the permission is set to "read" in one list element and to "admin" in another, the user will receive admin permission for that account.
  • If one permission mapping grants permission to one account and another mapping denies it, then the user will receive access to the account.
  • Account permissions are synchronized with the server on each user login. If the user is granted additional permissions by the Paragon Active Assurance local admin, these are valid only until the next time the user logs in. Conversely, if the user's privileges are changed on the server, these will not come into effect until next login.
  • If the user name entered at login matches the email address of an existing Control Center user, the login will proceed using that user rather than a new one being created. However, during server authentication, all user profile details except the password will be overwritten with what is stored on the server, insofar as these details have been defined. The user can still log in using the existing Control Center password. This means that select users can have the password set in Control Center, so that it is still possible to log in if the LDAP/TACACS+ server goes down.
  • If the user name entered at login does not exist in Control Center, the following happens:
    • For LDAP, the user's email address is read from the user email field. The name of this field can be changed using the setting AUTH_LDAP_USER_ATTR_MAP.
    • For TACACS+, no email field can be obtained from the server; instead, an attempt is made to parse the username entry as an email address.
    • If the email address is valid, it will be entered as the email address in the Control Center database as well. However, the user will still have to log in with their LDAP/TACACS+ username.
    • If the email address is not valid, then:
      • For LDAP, an email address will be created with the structure username@LDAP_EMAIL_DOMAIN and entered into the database. Edit the settings file to change this domain.
      • For TACACS+ the same thing happens, but using the format username@<TACACSPLUS_EMAIL_DOMAIN>.
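The permission-merging and email-derivation rules above, worked through as an added Python illustration (not Control Center's own code). It assumes the ordering read < write < admin and a simple regular-expression check for "valid email address"; the domain values are placeholders for the LDAP_EMAIL_DOMAIN and TACACSPLUS_EMAIL_DOMAIN settings.

```python
# Added illustration of the rules described above; not Control Center code.
import re

# Permission levels, lowest to highest (ordering assumed from the text).
LEVELS = {"read": 1, "write": 2, "admin": 3}
# Deliberately simple validity check; the real parser is not documented here.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def resolve_permissions(mappings):
    """Merge mapping entries into the effective per-account permission.

    mappings: iterable of (account, permission); permission is "read",
    "write" or "admin", or None for an entry that denies the account.
    Rules: the higher of two grants wins, and a grant beats a denial.
    """
    effective = {}
    for account, perm in mappings:
        if perm is None:
            # A denial only sticks if no other entry grants the account.
            effective.setdefault(account, None)
            continue
        current = effective.get(account)
        if current is None or LEVELS[perm] > LEVELS[current]:
            effective[account] = perm
    return {a: p for a, p in effective.items() if p is not None}


def derive_email(username, server, ldap_email_attr=None,
                 ldap_email_domain="ldap-domain.example",
                 tacacs_email_domain="tacacs-domain.example"):
    """Email stored for a login name not yet present in Control Center.

    LDAP: use the mapped email attribute (AUTH_LDAP_USER_ATTR_MAP) if valid.
    TACACS+: no email field exists, so parse the username itself.
    Otherwise fall back to username@<configured domain>.
    """
    if server == "ldap":
        candidate, domain = ldap_email_attr, ldap_email_domain
    elif server == "tacacs+":
        candidate, domain = username, tacacs_email_domain
    else:
        raise ValueError(f"unknown server type: {server}")
    if candidate and EMAIL_RE.match(candidate):
        return candidate
    return f"{username}@{domain}"
```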

LDAP Authentication

We will illustrate this by reproducing a typical (OpenLDAP) server-side file with data preloaded into the LDAP database, and subsequently showing what corresponding configuration is necessary in Control Center.

Contents of ldap.ldif:

This creates a total of four users, two with write privileges (jsmith and jane.smith@example.com) and two with admin privileges (jdoe and jane.doe@example.com). Note how two of the users have their user name as uid, while the other two have a uid consisting of an email address.

In order to enable LDAP authentication in Control Center, the following attributes have to be provided in the settings file /etc/netrounds/netrounds.conf:

Most of the above follows what is documented at https://django-auth-ldap.readthedocs.io/en/latest/reference.html#settings.

TACACS+ Authentication

As for LDAP, we exhibit a typical server-side configuration file (for tac_plus from Pro-Bono-Publico: see http://www.pro-bono-publico.de/projects/tac_plus.html) and then show the necessary configuration in Control Center.

Contents of config.cfg:

This creates a total of four users, two of whom have admin privileges. Note how two of the users are identified by their user name, while the other two have user defined as an email address.

In order to enable TACACS+ authentication in Control Center, the following attributes need to be provided in the file /etc/netrounds/netrounds.conf: