LDAP (Lightweight Directory Access Protocol) is an open, vendor-neutral industry standard for accessing and maintaining distributed directory information services over an IP network, and it is widely used as an authentication back end. Statseeker currently supports two authentication mechanisms: local file authentication and native LDAP. Providing LDAP authentication to existing and potential customers also aligns the product with the external authentication mechanisms already deployed in most corporate, government and educational institutions.
Caveats and Limitations
Below are the known limitations and caveats of the LDAP authentication method. Statseeker uses LDAP only for authentication and some limited accounting; it does not provide any form of authorization through LDAP. Authorization is managed manually within the Administration Tool by allocating group, device and interface access permissions to each user.
- Does not support any LDAP group configuration statements (directory group membership is not used to grant or deny access)
- Has not been tested against an LDAP clustered environment
- Has not been tested on any secure LDAP server configuration using TLS/SSL. Note that a simple bind over plain LDAP (for example TCP port 389 without StartTLS) sends the user's password across the network in cleartext, so the path between the Statseeker server and the LDAP server must be trusted.
- The LDAP connection from the Statseeker server to the LDAP server does not currently support a bind username or password, so the LDAP server must allow anonymous binds.
Enabling and Configuring LDAP Authentication
The LDAP configuration link in the Administration Tool is currently a hidden feature by default; the Statseeker admin user must enable it by editing the admin controls configuration file. This file controls which links are shown in the Administration Tool and is the means of showing or hiding particular features when required. One additional line must be appended to the bottom of the file for the LDAP configuration link to become active and visible to the admin user.
File and Adjustments
The file is /home/statseeker/base/etc/admin-controls.cfg, and the additional line required to enable the AD/LDAP feature is below.
'LDAP Config' '/cgi/base-cfg-user-authentication?mode=edit' 'frm_admin' 'resizable=yes'
Once this entry has been added to admin-controls.cfg it is immediately available to admin users; a browser refresh is all that is required to see the new link. The LDAP configuration link is located in the Statseeker Administration Tool, and access to this tool requires administrative privileges.
NIM Console -> Administration Tool -> Statseeker Custom Services -> LDAP Config
Server is the LDAP server hostname or IP address. If you specify a DNS name, make sure it resolves on the Statseeker server itself, since that is where the connection is made from.
Port is the TCP port to use when connecting to the LDAP server (389 is the standard port for plain LDAP).
Base_DN is the top-level directory subtree under which Statseeker queries the user entries, for example dc=statseeker,dc=com.
Tick the LDAP check box to display the configuration entry boxes. Once you have entered your configuration, select the Save button to make it persistent across web server restarts.
Statseeker provides some command line LDAP search tools by default that can be used to help troubleshoot connectivity from the Statseeker server to an LDAP server.
The first step is to confirm that the Statseeker server can reach the LDAP server at the network level. This can be tested with an ICMP test using the ping command, as in the example below.
/sbin/ping 10.2.1.219
PING 10.2.1.219 (10.2.1.219): 56 data bytes
64 bytes from 10.2.1.219: icmp_seq=0 ttl=64 time=0.021 ms
64 bytes from 10.2.1.219: icmp_seq=1 ttl=64 time=0.137 ms
64 bytes from 10.2.1.219: icmp_seq=2 ttl=64 time=0.120 ms
64 bytes from 10.2.1.219: icmp_seq=3 ttl=64 time=0.109 ms
64 bytes from 10.2.1.219: icmp_seq=4 ttl=64 time=0.130 ms
64 bytes from 10.2.1.219: icmp_seq=5 ttl=64 time=0.149 ms
^C
--- 10.2.1.219 ping statistics ---
6 packets transmitted, 6 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.021/0.111/0.149/0.042 ms
If this is successful, the next step is to confirm that the LDAP server accepts TCP connections on the port you defined in the LDAP configuration. The telnet command can be used to test this, as in the example below; a "Connection refused" message or a timeout instead of "Connected to ..." means the port is not reachable. To close the connection, issue a CTRL-C to exit the telnet session.
telnet 10.2.1.219 389
Trying 10.2.1.219...
Connected to test219.statseeker.com.
Escape character is '^]'.
^CConnection closed by foreign host.
If either of the above two tests fails, the cause may be firewall rules between the two servers, so it may be worth requesting a packet trace through your local firewall to confirm whether the traffic is being dropped.
LDAP Search Tool
The last test, once the connectivity tests above succeed, is the ldapsearch tool, which is provided as a standard command with all Statseeker installations. It connects to the LDAP server and queries the directory for any or all attributes based on your search criteria. Below are a few basic examples of using ldapsearch. Note the -x option: it requests a simple (here anonymous) bind instead of SASL, which matches the anonymous bind that Statseeker itself relies on.
- Example 1: List all entries under the Base_DN defined in the above configuration. objectclass=* matches every entry, so on a large directory this can return a lot of data; it is mainly useful to confirm that the base DN is correct and that anonymous searches are permitted.
ldapsearch -x -h 10.2.1.219 -p 389 -b "dc=statseeker,dc=com" -s sub "objectclass=*"
- Example 2: Search the LDAP directory for a user with the common name Mark Thompson.
ldapsearch -x -h 10.2.1.219 -p 389 -b "dc=statseeker,dc=com" -s sub "cn=Mark Thompson"
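The three troubleshooting steps above (ping, TCP port check, ldapsearch) can be chained into one script that takes the same Server, Port and Base_DN values entered in the LDAP Config screen. The script below is an added example written for this page; it is not part of Statseeker or its documentation. It assumes the values are supplied through the hypothetical environment variables LDAP_SERVER, LDAP_PORT, LDAP_BASE_DN and LDAP_CHECK_USER (defaults reuse the page's sample values), and that ping, nc and ldapsearch are installed on the host. It also goes slightly beyond the page by sanity-checking the Base_DN format and escaping the user name before it is placed inside the cn= filter, so that characters such as * or ) in a name cannot alter the search.

```sh
#!/bin/sh
# Added example, not Statseeker code: run the ping / port / ldapsearch checks
# in order against the configured LDAP settings.
# Assumed (hypothetical) configuration variables, defaulting to the page's sample values.
LDAP_SERVER="${LDAP_SERVER:-10.2.1.219}"
LDAP_PORT="${LDAP_PORT:-389}"
LDAP_BASE_DN="${LDAP_BASE_DN:-dc=statseeker,dc=com}"

# Sanity check on the Base_DN before it is passed to -b: a DN is a comma
# separated list of attr=value pairs such as dc=statseeker,dc=com.
dn_looks_valid() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z][A-Za-z0-9-]*=[^,]+(,[A-Za-z][A-Za-z0-9-]*=[^,]+)*$'
}

# Escape a value for use inside a search filter (RFC 4515): '\' '*' '(' ')'
# are replaced by their \XX hex forms. Backslash is handled first so the
# escapes it introduces are not escaped again.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Build the cn= filter from Example 2 out of a (possibly untrusted) name.
build_user_filter() {
    printf '(cn=%s)' "$(ldap_filter_escape "$1")"
}

# Count entries in LDIF output; every entry starts with a "dn:" line.
# grep -c exits 1 when the count is 0, which is not an error here.
count_ldif_entries() {
    printf '%s\n' "$1" | grep -c '^dn:' || true
}

# Step 1: ICMP reachability, as with the ping example above.
check_ping() {
    ping -c 3 "$1" >/dev/null 2>&1
}

# Step 2: TCP connect to the LDAP port (nc -z only completes the handshake).
check_port() {
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

# Step 3: anonymous simple bind (-x) plus a subtree search, as in Example 2.
# -LLL gives plain LDIF; only the dn attribute is requested.
ldap_user_search() {
    ldapsearch -x -LLL -h "$LDAP_SERVER" -p "$LDAP_PORT" \
        -b "$LDAP_BASE_DN" -s sub "$(build_user_filter "$1")" dn
}

run_checks() {
    dn_looks_valid "$LDAP_BASE_DN" || { echo "Base_DN '$LDAP_BASE_DN' is not a valid DN"; return 1; }
    check_ping "$LDAP_SERVER" || { echo "ping to $LDAP_SERVER failed (routing or firewall?)"; return 1; }
    check_port "$LDAP_SERVER" "$LDAP_PORT" || { echo "TCP port $LDAP_PORT on $LDAP_SERVER is not open"; return 1; }
    out=$(ldap_user_search "$1") || { echo "ldapsearch failed (anonymous bind refused or wrong Base_DN?)"; return 1; }
    echo "found $(count_ldif_entries "$out") entry/entries for cn=$1"
}

# Only run when a user name is supplied, e.g.
#   LDAP_SERVER=10.2.1.219 LDAP_CHECK_USER='Mark Thompson' sh ldap-check.sh
if [ -n "${LDAP_CHECK_USER:-}" ]; then
    run_checks "$LDAP_CHECK_USER"
fi
```

Each step stops at the first failure and prints which of the three checks did not pass, which maps directly onto the firewall, port and bind explanations given above. The filter escaping matters because the name being searched for is whatever the user typed at the login prompt; escaping it keeps a value like "*)(uid=*" as a literal string rather than a second filter clause.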
The URL below provides some excellent examples of using the ldapsearch tool if more information is required.