Configuring the Masking Engine for LDAP/ Active Directory Authentication (KBA1787)
KBA
KBA#1787Applicable Delphix Versions
- Click here to view the versions of the Delphix engine to which this article applies
-
Major Release All Sub Releases 6.0 6.0.0.0, 6.0.1.0, 6.0.1.1, 6.0.2.0, 6.0.2.1, 6.0.3.0, 6.0.3.1, 6.0.4.0, 6.0.4.1, 6.0.4.2, 6.0.5.0, 6.0.6.0, 6.0.6.1, 6.0.7.0, 6.0.8.0, 6.0.8.1, 6.0.9.0, 6.0.10.0, 6.0.10.1, 6.0.11.0, 6.0.12.0, 6.0.12.1, 6.0.13.0, 6.0.13.1, 6.0.14.0, 6.0.15.0 5.3
5.3.0.0, 5.3.0.1, 5.3.0.2, 5.3.0.3, 5.3.1.0, 5.3.1.1, 5.3.1.2, 5.3.2.0, 5.3.3.0, 5.3.3.1, 5.3.4.0, 5.3.5.0 5.3.6.0, 5.3.7.0, 5.3.7.1, 5.3.8.0, 5.3.8.1, 5.3.9.0 5.2
5.2.2.0, 5.2.2.1, 5.2.3.0, 5.2.4.0, 5.2.5.0, 5.2.5.1, 5.2.6.0, 5.2.6.1
At a Glance
Description: | This article describes the process of configuring the Continuous Compliance Engine (aka Masking) to authenticate logins using LDAP. |
---|---|
Applicable to: | This is applicable to all versions from version 5.2. |
Step 1: | Import the Certificate (by configuring LDAP on the Setup - note this will not configure LDAP for Masking). |
Step 2: | Prepare LDAP users on the Masking Engine. |
Step 3: | Configure LDAP on Masking in Application Settings using the API. |
Mask vDB: | See details below. |
Setup: | The best place to configure LDAP is during the initial engine Setup (startup). |
Re-Config: | If the LDAP configuration needs to be updated on the Masking Engine. Do this using the Masking API. Note: If the old LDAP configurations are not valid - it might be required to log a support call. |
Trobleshooting: | For information about investigating the logs: |
Prerequisites
Prior to proceeding familiarize yourself with the following prerequisites:
Required LDAP Information
Confirm you have access to the following information:
- Whether the LDAP server requires SSL/TLS connections
- LDAP Server Hostname (e.g.
dc1.mydomain.mycompany.com
) - LDAP Server Port (usually the default of 389, or 636 for SSL/TLS)
- LDAP Base DN (e.g.
DC=mydomain,DC=mycompany,DC=com
) - NETBIOS name of the Active Directory domain (e.g.
mydomain
), if your LDAP Server uses Microsoft Active Directory - LDAP Filter - for Active Directory, this is typically left at the default:
(&(objectClass=person)(sAMAccountName=?))
Required LDAP Accounts
You will need credentials for two LDAP accounts:
- A valid LDAP account to configure as an administrator, for testing login and creating future accounts (this may be your own)
- A service account, for the Virtualisation Engine to authenticate with the Masking Engine and launch masking jobs
- This account may not be required if you do not use the Virtualization components of the Delphix Engine
- You may need to request the creation of this account by your system administrators
Limitations
Be aware of the following restrictions and limitations:
- LDAP authentication is incompatible with local authentication. Once LDAP is enabled, existing users will only be able to log in if there is an LDAP account matching their username.
- Manual configuration by Delphix Support is required if you are authenticating against an LDAP Cluster.
Step 1 - Importing the Certificate
The Delphix Engine can import an LDAP Server's public SSL certificate. This must be done through the Virtualization Engine's Server Setup component, using the Authentication settings.
The Use LDAP and Protect LDAP traffic with SSL/TLS options must be checked, and an LDAP server (hostname or IP) provided, before the Import Server Certificate button will be activated.
Currently, these settings in the Server Setup page only affect whether the Virtualization Service is configured for LDAP. The configuration settings for the Masking Service (except for the certificate itself) are managed through the Masking API as detailed in the section Configure LDAP Settings below.
When you provide the proper server info and then click on the Import Server Certificate, the engine will request the public cert directly from the remote LDAP service and store it internally. This is also an excellent, early test to confirm that the host and port information is accurate.
Once the certificate is downloaded, you want to make sure that you add "LdapTlsEnable" to the list of application settings that you will configure in the section Configure LDAP Settings below.
This will provide details of the LDAP server's certificate, which can be accepted when you select Accept.
You could encounter the following errors.
- If the hostname/ port are simply wrong, (i.e. nothing there) you will receive a "Could not connect ..." error.
- If the hostname/ port are correct, but the service doesn't offer SSL, you will receive "An SSL handshake error occurred ..."
- If the hostname/ port refer to a service which doesn't understand your attempts to communicate, (i.e. connect to some other random service) there will be a delay followed by a "Communication Error".
Step 2 - Preparing New LDAP Users
Configuring LDAP users in advance is important. In most cases you will need to configure two users in advance and described above in "Required LDAP accounts".
To configure these accounts as users on the Masking Engine, log in as an administrative user:
- 6.x: http://mydelphixengine.mydomain.com/masking
- 5.3: http://mydelphixengine.mydomain.com:8282/masking
- Navigate to the Admin tab > Add User.
- Create a new user with a valid LDAP username in the User Name.
- Ensure that the Administrator checkbox is selected:
Step 3 - Configure LDAP Settings
The section provides instructions using the web-based API Client.
Instructions for performing this work using curl via the command line are included later in this document.
Authenticate to the Masking API
The Masking API Client is accessible using the following URL: http://mydelphixengine.mydomain:8282...ng/api-client/
To authenticate to the API Client:
- Select
- login group to open login-related operations.
- POST /login operation to open the login API call.
- Example Value textbox
Clicking this will populate the nearby textbox with the example values.
- Adjust the example values in the Value text box, setting the correct login details, specifying your existing, non-LDAP Masking Engine login:
- Click Try it out!.
If the login is successful, the Response Body will include an Authorization value which you can copy to your clipboard (not including the quotes).
- The authorization value should be input using the Authorize button in the header (at the very top of the page).
This step will unlock all of the other API operations for use.
Review Current LDAP Settings
A list of the available LDAP settings is available in the Masking API Client documentation. Alternatively, you can retrieve a list of all settings and their current values using the GET /application-settings
call.
The setting_group setting can be left blank to retrieve all settings, or you can enter ldap
to show all LDAP-specific configuration:
The response body will provide a list of settings in JSON format, including the Setting ID and current value:
... { "settingId": 31, "settingGroup": "ldap", "settingName": "LdapHost", "settingValue": "10.10.10.31" }, ...
Preparing to Apply New Settings
You can use the settingId
values (above) in conjunction with the LDAP information to prepare new values.
Note that changes to IDs or available settings do occasionally occur and we strongly suggest that you double-check the settings and matching IDs from your engine.
Setting | ID | Default Value | Description |
---|---|---|---|
Enable | 30 | false | Is LDAP authentication enabled? |
LdapHost | 31 | 10.10.10.31 | What is the host/IP for LDAP authentication? |
LdapPort | 32 | 389 | What is the port for LDAP authentication? |
LdapBasedn | 33 | DC=tbspune,DC=com | What is the baseDN for LDAP user entries? |
LdapFilter | 34 | (&(objectClass=person)(sAMAccountName=?)) | What is the LDAP filter to locate unique LDAP user entries? |
MsadDomain | 35 | AD | If LDAP server is Microsoft AD, what is the AD domain name / netbios name? |
LdapTlsEnable | 51 | false | Is LDAPS (SSL protected LDAP) being used? |
In many cases, it may only be necessary to update the LDAP Host, Base DN, AD Domain Name, and Enabled settings.
If your LDAP service is protected by SSL (LDAPS) and you uploaded the appropriate certificate as described in the section Import an SSL Certificate above, then you need to make sure to add "LdapTlsEnable" to the list of application settings that you will configure. You may also need to set your "LdapPort" to 636 as that is the default and most common port for LDAPS.
Prepare a list of the values that need to be changed Make sure to note the Setting ID (from the Review step) for each setting that you intend to change.
Apply New LDAP Settings
Expand the PUT /application-settings/{settingId} operation.
For each setting that you need to modify:
- Update the settingId value.
- Modify the body to set the correct value for that setting.
- Click Try it out! to send the API request to the Masking Engine.
- Confirm that the Response Body includes the correct setting, and that the Response Code is 200 (OK).
IMPORTANT: Apply the LDAP Enabled setting last!
Testing a New Masking Engine Login
Open your Masking Engine's login page in a new tab or window:
- 6.x: http://mydelphixengine.mydomain.com/masking
- 5.3: http://mydelphixengine.mydomain.com:8282/masking
- 5.2: http://mydelphixengine.mydomain.com:8282/dmsuite
You should be able to confirm that:
- You can no longer login with your former Masking Engine credentials
- You can now log in using the LDAP account that you configured earlier, using your correct LDAP password
If you cannot authenticate using your LDAP credentials, switch back to the browser tab containing the API client, and immediately proceed to the Rollback step.
Rollback
If the LDAP configuration is not successful, roll back the configuration immediately, by setting the LDAP Enabled setting to false.
You may wish to review the current LDAP settings using Reviewing Current LDAP Settings to verify that the values are set as expected.
The Logs option from the Admin section of the main Masking Engine UI may be useful in diagnosing the exact nature of any failure.
Configure LDAP Settings (curl)
As an alternative to the API client, it is possible to use curl from a Unix/Linux command line to configure LDAP settings.
Authentication Using curl
To authenticate to the Masking Engine using curl use the login API call:
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' \ -d '{"username": "myusername", "password": "mypassword"}' \ 'http://mydelphixengine.mydomain:8282/masking/api/login'
If successful, this will return a message similar to the following:
{"Authorization":"f0d4dd35-0d2e-48bf-aca7-446d7c7a1690"}
This Authorization UUID should be used in the headers of all subsequent commands.
Review Current LDAP Settings
To retrieve current LDAP settings, call the application-settings GET API:
curl -X GET --header 'Accept: application/json' --header 'Authorization: f0d4dd35-0d2e-48bf-aca7-446d7c7a1690' \ 'http://mydelphixengine.mydomain:8282/masking/api/application-settings?setting_group=ldap&page_number=1'
This will return a lengthy JSON string containing all current LDAP parameters:
...{"settingId":31,"settingGroup":"ldap","settingName":"LdapHost","settingValue":"10.10.10.31"}...
Apply New LDAP Settings using curl
- Set the LDAP hostname
curl -X PUT --header 'Content-Type: application/json' --header 'Accept: application/json' --header 'Authorization: f0d4dd35-0d2e-48bf-aca7-446d7c7a1690' \ -d '{"settingValue": "10.10.10.31"}' \ 'http://mydelphixengine.mydomain:8282/masking/api/application-settings/31'
- Set the LDAP base DN
curl -X PUT --header 'Content-Type: application/json' --header 'Accept: application/json' --header 'Authorization: f0d4dd35-0d2e-48bf-aca7-446d7c7a1690' \ -d '{"settingValue": "DC=tbspune,DC=com"}' \ 'http://mydelphixengine.mydomain:8282/masking/api/application-settings/33'
- Set the AD Domain Name
curl -X PUT --header 'Content-Type: application/json' --header 'Accept: application/json' --header 'Authorization: f0d4dd35-0d2e-48bf-aca7-446d7c7a1690' \ -d '{"settingValue": "AD"}' \ 'http://mydelphixengine.mydomain:8282/masking/api/application-settings/35'
- Enable LDAP
curl -X PUT --header 'Content-Type: application/json' --header 'Accept: application/json' --header 'Authorization: f0d4dd35-0d2e-48bf-aca7-446d7c7a1690' \ -d '{"settingValue": "true"}' \ 'http://mydelphixengine.mydomain:8282/masking/api/application-settings/30'
To set other values, review the table from Preparing to apply these settings, earlier in this document.
Configure Virtualization to Masking Authentication
After setting up LDAP authentication, Delphix Virtualization Engines connected to the Masking Engine may no longer be able to retrieve or start masking jobs.
This is most easily confirmed by logging into the Management interface and looking at the status of recent MASKINGJOB_FETCH
jobs, which occur on each user login.
Now that the Masking engine will only allow LDAP logins, credentials for a valid LDAP account must be provided. This will likely be a service account such as svc_delphixmasking
.
Once an account has been prepared, the Delphix Command Line Interface (CLI) can be accessed by SSH, updating credentials as described in Configuring Virtualization Service for Masked Provisioning:
mydelphixengine> maskingjob mydelphixengine maskingjob> serviceconfig mydelphixengine maskingjob serviceconfig> ls Objects NAME SERVER PORT USERNAME CREDENTIALS SCHEME `MASKING_SERVICE_CONFIG-1 localhost 8282 admin { ... } HTTP mydelphixengine maskingjob serviceconfig> select `MASKING_SERVICE_CONFIG-1 mydelphixengine maskingjob serviceconfig '`MASKING_SERVICE_CONFIG-1'> update mydelphixengine maskingjob serviceconfig '`MASKING_SERVICE_CONFIG-1' update *> ls Properties type: MaskingServiceConfig credentials: type: PasswordCredential password: ******** port: 8282 scheme: HTTP server: localhost username: admin mydelphixengine maskingjob serviceconfig '`MASKING_SERVICE_CONFIG-1' update *> set username=svc_masking mydelphixengine maskingjob serviceconfig '`MASKING_SERVICE_CONFIG-1' update *> set credentials.password Enter credentials.password: ************ mydelphixengine maskingjob serviceconfig '`MASKING_SERVICE_CONFIG-1' update *> commit
To test whether the change was successful, log out and log back in to the Management interface, and confirm that the most recent MASKINJOBG_FETCH
job has a Status of COMPLETED
.