Integrating OpenLDAP with cnMaestro

1. Overview

        This document presents a basic configuration of the cnMaestro Authentication Server type LDAP, using an OpenLDAP server on Ubuntu.

2. Introduction

        LDAP, or Lightweight Directory Access Protocol, is a protocol for reading and maintaining directory information held by a centralized service. Entries are organized in a hierarchical tree (the Directory Information Tree) rather than in relational tables.

It resembles a relational database in that it can organize, store and query almost any kind of structured information, but it is optimized for lookups rather than updates. LDAP is commonly used for centralized authentication, which is how cnMaestro uses it here: it binds to the directory, finds the user entry and reads a role attribute from it.

3. Installation

     Server Requirements:
              Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0-116-generic x86_64)

              Assume that our LDAP server will be hosted on a machine with the FQDN myldap.test.com. Clients, including the cnMaestro host, must be able to resolve this name, because it is the name the TLS certificate is issued for.

Step-1: sudo hostnamectl set-hostname myldap

Step-2: sudo nano /etc/hosts

            127.0.0.1 localhost

            127.0.1.1 myldap.test.com myldap

            (localhost stays on 127.0.0.1; the host's own FQDN goes on 127.0.1.1, as is conventional on Ubuntu.)

Step-3: sudo apt-get update

Step-4: sudo apt-get install slapd ldap-utils

  The package install itself only prompts for the administrator password. To be asked the full set of questions below, run:

  sudo dpkg-reconfigure slapd

  • Omit OpenLDAP server configuration? No
  • DNS domain name? test.com (this becomes the base DN dc=test,dc=com)
  • Organization name? MYCOMPANY
  • Administrator password?

  Note: Use the password you configured during installation, or choose another one. This is the password of cn=admin,dc=test,dc=com, the directory administrator.

  • Database backend to use? HDB
  • Remove the database when slapd is purged? No
  • Move old database? Yes
  • Allow LDAPv2 protocol? No

Step-5:
sudo apt-get install phpldapadmin 

Step-6: sudo nano /etc/phpldapadmin/config.php

   Search for the following lines and modify them accordingly

  • $servers->setValue('server','host','domain_name_or_IP_address');
  • $servers->setValue('server','base',array('dc=test,dc=com'));
  • $servers->setValue('login','bind_id','cn=admin,dc=test,dc=com');

   Save and close the file

Step-7: sudo apt-get install gnutls-bin ssl-cert

Step-8: Create the CA template

     sudo mkdir /etc/ssl/templates

     sudo nano /etc/ssl/templates/ca_server.conf

     cn = LDAP Server CA
     ca
     cert_signing_key

Step-9: Create the LDAP service template

     sudo nano /etc/ssl/templates/ldap_server.conf

     organization = "MyCOMPANY"
     cn = myldap.test.com
     dns_name = myldap.test.com
     tls_www_server
     encryption_key
     signing_key
     expiration_days = 3652

     The cn (and the dns_name subjectAltName, added here because newer clients check the SAN rather than the CN) must be the exact FQDN that clients connect to; a certificate issued for a different name, or for an IP address, fails verification.

Step-10: Create CA Key and Certificate

   - sudo certtool -p --outfile /etc/ssl/private/ca_server.key
   - sudo certtool -s --load-privkey /etc/ssl/private/ca_server.key --template /etc/ssl/templates/ca_server.conf --outfile /etc/ssl/certs/ca_server.pem

   (-p generates a private key and -s issues a self-signed certificate from the template; ca_server.pem is the root that cnMaestro is later given to trust.)

Step-11: Create Service Key and Certificate
   - sudo certtool -p --sec-param high --outfile /etc/ssl/private/ldap_server.key
   - sudo certtool -c --load-privkey /etc/ssl/private/ldap_server.key --load-ca-certificate /etc/ssl/certs/ca_server.pem --load-ca-privkey /etc/ssl/private/ca_server.key --template /etc/ssl/templates/ldap_server.conf --outfile /etc/ssl/certs/ldap_server.pem

   (-c issues a certificate signed by the CA key. Once this is done the CA private key is only needed to issue further certificates, so keep it readable by root alone.)

Step-12: sudo usermod -aG ssl-cert openldap
Step-13: sudo chown :ssl-cert /etc/ssl/private/ldap_server.key
Step-14: sudo chmod 640 /etc/ssl/private/ldap_server.key

   /etc/ssl/private is accessible only to root and the ssl-cert group, and slapd runs as the openldap user, so that user is added to the group and the key is made group-readable (640). Do not loosen this to 644: the key would then be readable by every local account.
Step-15: Configuring LDAP to use the CA and Keys
    nano addcerts.ldif

    dn: cn=config
    changetype: modify
    add: olcTLSCACertificateFile
    olcTLSCACertificateFile: /etc/ssl/certs/ca_server.pem
    -
    add: olcTLSCertificateFile
    olcTLSCertificateFile: /etc/ssl/certs/ldap_server.pem
    -
    add: olcTLSCertificateKeyFile
    olcTLSCertificateKeyFile: /etc/ssl/private/ldap_server.key

    All three attributes are added in one modify operation, so that slapd sees certificate and key together when it validates the change.

Step-16: sudo ldapmodify -H ldapi:// -Y EXTERNAL -f addcerts.ldif

    ldapi:// with SASL EXTERNAL authenticates as the local root user over the Unix socket, which is what cn=config permits by default; the directory administrator password is not involved.

Step-17: sudo service slapd force-reload
Step-18: sudo cp /etc/ssl/certs/ca_server.pem /etc/ldap/ca_certs.pem
Step-19: sudo nano /etc/ldap/ldap.conf

    . . .

    TLS_CACERT /etc/ldap/ca_certs.pem

    . . .

    Save and close the file. This tells the OpenLDAP client tools on this host which CA to trust; without it the checks below fail with a certificate verification error.

Step-20: ldapwhoami -H ldap://myldap.test.com -x -ZZ

    Expected output: anonymous

    -ZZ makes the command fail, instead of silently continuing in cleartext, if STARTTLS cannot be negotiated. Use the FQDN from the certificate in the URI: a bare ldap:// connects to localhost, and the client compares that name against the certificate.

Step-21: Lastly check /etc/default/slapd and make sure SLAPD_SERVICES contains ldaps:///:

      SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"

      Restart slapd: sudo service slapd restart
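The checks a practitioner would run once Steps 7 to 21 are done, as an added example that is not part of the original post: key permissions, certificate chain and subject, the SLAPD_SERVICES line, and a live STARTTLS and LDAPS bind by FQDN. Paths default to the ones used above and can be overridden by environment variables; the hostname argument is the FQDN from the Step-9 template. The LDAPTLS_CACERT variable is the OpenLDAP client library's environment form of the TLS_CACERT setting, and stat -c is the GNU form.

```shell
#!/bin/sh
# Added example (not from the original post): post-install checks for the
# slapd TLS setup from Steps 7-21. Paths default to the ones used above; the
# hostname argument is the FQDN in the server certificate (Step-9).
set -u

CA_CERT="${CA_CERT:-/etc/ssl/certs/ca_server.pem}"
SERVER_CERT="${SERVER_CERT:-/etc/ssl/certs/ldap_server.pem}"
SERVER_KEY="${SERVER_KEY:-/etc/ssl/private/ldap_server.key}"
SLAPD_DEFAULTS="${SLAPD_DEFAULTS:-/etc/default/slapd}"

# Step-13/14: the key must be owned by group ssl-cert with mode 640, so that
# slapd (user openldap, member of ssl-cert) can read it and nobody else can.
key_mode_ok() {            # $1 = key file (GNU stat)
    [ "$(stat -c '%a' "$1")" = "640" ]
}
key_group_ok() {           # $1 = key file, $2 = expected group (ssl-cert)
    [ "$(stat -c '%G' "$1")" = "$2" ]
}

# Step-11: the server certificate must chain to the CA cnMaestro will upload.
cert_chain_ok() {          # $1 = CA cert, $2 = server cert
    certtool --verify --load-ca-certificate "$1" --infile "$2" >/dev/null 2>&1
}

# Step-9: the certificate subject must carry the FQDN clients connect to.
# Reads "certtool -i" text on stdin so the check itself can be tested offline.
subject_matches() {        # $1 = expected FQDN
    grep -E "^[[:space:]]*Subject: .*CN=$1(,|\$)" >/dev/null
}
cert_cn_ok() {             # $1 = FQDN, $2 = server cert
    certtool -i --infile "$2" | subject_matches "$1"
}

# Step-21: ldaps:/// must be on the active (uncommented) SLAPD_SERVICES line.
services_include_ldaps() { # $1 = /etc/default/slapd (or a copy of it)
    grep -E '^[[:space:]]*SLAPD_SERVICES=.*ldaps:///' "$1" >/dev/null
}

# Step-20 done by FQDN: a bare ldap:// means localhost and will not match the
# certificate. -ZZ (STARTTLS) and ldaps:// both fail hard if TLS cannot be set up.
starttls_ok() {            # $1 = FQDN
    LDAPTLS_CACERT="$CA_CERT" ldapwhoami -H "ldap://$1" -x -ZZ >/dev/null
}
ldaps_ok() {               # $1 = FQDN
    LDAPTLS_CACERT="$CA_CERT" ldapwhoami -H "ldaps://$1" -x >/dev/null
}

run_all() {                # $1 = FQDN; one PASS/FAIL line per check, returns 1 on any failure
    rc=0
    for check in "key_mode_ok $SERVER_KEY" \
                 "key_group_ok $SERVER_KEY ssl-cert" \
                 "cert_chain_ok $CA_CERT $SERVER_CERT" \
                 "cert_cn_ok $1 $SERVER_CERT" \
                 "services_include_ldaps $SLAPD_DEFAULTS" \
                 "starttls_ok $1" \
                 "ldaps_ok $1"; do
        if $check; then echo "PASS: $check"; else echo "FAIL: $check"; rc=1; fi
    done
    return $rc
}

# Usage: sudo sh ldap_tls_check.sh myldap.test.com   (sudo because the key is root/ssl-cert only)
if [ "$#" -gt 0 ]; then
    run_all "$1"
    exit $?
fi
```

Run it on the LDAP server after Step-21 and again from the cnMaestro host (with CA_CERT pointing at a copy of ca_server.pem) to confirm the name and the CA are usable from where cnMaestro actually connects; a FAIL on starttls_ok or ldaps_ok with the file checks passing almost always means a hostname mismatch or a firewall on 389/636.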

4. Log Into the Web Interface


 Step-1: Open the web interface in a browser:
           - http://domain_name_or_IP_address/phpldapadmin

   Note: the login form submits the administrator bind password, so put phpLDAPadmin behind HTTPS (or restrict it to a management network) rather than leaving it on plain HTTP.

[Screenshot: LDAP main Page.png]

Step-2: Click Login and enter the Login DN (cn=admin,dc=test,dc=com) and the administrator password set while configuring slapd.

[Screenshot: Login Page.png]

Step-3: After logging in, create the OU, groups and users

[Screenshot: DC domain.png]

Step-4: Create Organizational Units
  Select the base entry (dc=test,dc=com) under which the users will be created, click "Create a child entry", then select Generic: Organisational Unit.



Step-5: Create Groups
  Select the OU, click "Create a child entry", then select Generic: Posix Group.
[Screenshot: Groups.png]


Step-6: Create Users
  Select the group created above, click "Create a child entry", then select Generic: User Account.
  Click "Create Object" and then "Commit" to save the entry.

[Screenshot: User Save.png]


Step-7: Add an attribute to each user that carries the role defined in cnMaestro
            Click "Add new attribute", select employeeType and enter the role name exactly as it appears in the cnMaestro role mapping. (employeeType is defined by the inetOrgPerson object class, which the Generic: User Account template includes.)



Note:
    The value of employeeType must match one of the Role Mappings configured in cnMaestro.


[Screenshot: LDAP with Role.png]
Note:
    For an existing LDAP directory, add the employeeType attribute to the existing users and set it to one of the cnMaestro Role Mapping values.
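The same OU, group and user entries as the phpLDAPadmin clicks above, as an added example (not from the original post) that writes them as LDIF for ldapadd, so the directory layout is scriptable and can be reviewed before it is loaded. The base DN dc=test,dc=com and cn=admin come from Step-4 of the installation; the OU name "people", the group "cnmaestro", the uid/gid numbers and the role value "Administrator" are assumed values, and the users are placed under the OU rather than under the group entry, which is the conventional layout. The password is passed in as a hash from slappasswd rather than written in cleartext.

```shell
#!/bin/sh
# Added example (not from the original post): OU / posixGroup / user entries
# with the employeeType role attribute, emitted as LDIF for ldapadd.
# Assumed names: ou "people", group "cnmaestro", uid jdoe, role "Administrator".
set -u

BASE_DN="${BASE_DN:-dc=test,dc=com}"   # from the DNS domain answered in Step-4

# Organizational unit (section 4, Step-4).
ou_ldif() {                # $1 = ou name
    printf 'dn: ou=%s,%s\nobjectClass: organizationalUnit\nou: %s\n\n' "$1" "$BASE_DN" "$1"
}

# POSIX group (Step-5).
group_ldif() {             # $1 = ou, $2 = group cn, $3 = gidNumber
    printf 'dn: cn=%s,ou=%s,%s\nobjectClass: posixGroup\ncn: %s\ngidNumber: %s\n\n' \
        "$2" "$1" "$BASE_DN" "$2" "$3"
}

# User account (Step-6) carrying the cnMaestro role in employeeType (Step-7).
# employeeType belongs to inetOrgPerson, so that object class is required.
# $7 must be a hash from `slappasswd` ({SSHA}...); never store cleartext here.
user_ldif() {              # $1 = ou, $2 = uid, $3 = cn, $4 = sn, $5 = uidNumber, $6 = gidNumber, $7 = password hash, $8 = role
    printf 'dn: uid=%s,ou=%s,%s\n' "$2" "$1" "$BASE_DN"
    printf 'objectClass: inetOrgPerson\nobjectClass: posixAccount\nobjectClass: shadowAccount\n'
    printf 'uid: %s\ncn: %s\nsn: %s\n' "$2" "$3" "$4"
    # no interactive shell: these accounts exist for cnMaestro login only
    printf 'uidNumber: %s\ngidNumber: %s\nhomeDirectory: /home/%s\nloginShell: /usr/sbin/nologin\n' "$5" "$6" "$2"
    printf 'userPassword: %s\n' "$7"
    printf 'employeeType: %s\n\n' "$8"
}

# Review helper: exactly one employeeType line, equal to the expected role.
ldif_has_role() {          # $1 = role; LDIF on stdin
    [ "$(grep -c "^employeeType: $1\$")" = "1" ]
}

# Constructed example data (assumed values; change to suit).
example_ldif() {           # $1 = password hash for the user
    ou_ldif people
    group_ldif people cnmaestro 10000
    user_ldif people jdoe "Jane Doe" Doe 10001 10000 "$1" Administrator
}

# Usage:
#   sh provision_ldap.sh "$(slappasswd)" > entries.ldif        # slappasswd prompts, prints {SSHA}...
#   ldapadd -H ldap://myldap.test.com -ZZ -x -D cn=admin,dc=test,dc=com -W -f entries.ldif
if [ "$#" -gt 0 ]; then
    example_ldif "$1"
fi
```

The ldapadd in the usage comment binds as the directory administrator over STARTTLS (-ZZ) and prompts for the password with -W instead of taking it on the command line, where it would be visible in the process list and the shell history. Re-running the same LDIF is rejected with "Already exists"; use ldapmodify with changetype: modify to change an existing user's employeeType.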

5. Configure cnMaestro

           Navigate to Application > Users > Authentication Servers in the cnMaestro On-Premises UI to add the LDAP Server details.

[Screenshot: CnMaestro Config.png]

    - IP Address/Hostname must be the FQDN of the LDAP server (myldap.test.com): it is the name the certificate was issued for in Step-9, so use the name rather than the IP address.

    - Suffix is the base DN of the directory, in dc=xyz,dc=xyz format.
               Example: dc=camnwk,dc=com
    - Base DN (as this cnMaestro page labels it) is the DN cnMaestro binds with, in cn=admin,dc=xyz,dc=xyz format.
               Example: cn=admin,dc=camnwk,dc=com
[Screenshot: Base-DN.JPG]
    - LDAP Password is the administrator password configured during slapd installation, i.e. the password of the DN above.
      Caveat: that DN is the directory administrator with full write access, while cnMaestro only needs to search and read user entries. For production, prefer a dedicated bind account with read-only access to the user subtree, and enter that account's DN and password here instead.
    - Enable SSL/TLS and upload the CA certificate created in Step-10 (ca_server.pem); it is the root that signed the server certificate.
    - The employeeType values in the directory and the role mappings on the cnMaestro authentication configuration page must agree in both directions: each user's employeeType must be one of the mapped values, and the mappings must cover every value you assign.

    - Navigate to Application > Users > Authentication and set the Primary Authentication to the LDAP server just created.
    - Secondary Authentication is automatically set to Local Users, which means that if the LDAP server is not reachable the UI can still be accessed with the Local Users database (so it is important to change the default password).

          - If you are unable to log into the UI, you can create a One-Time Password in the CLI to recover (see the User Guide for details on Application Account Recovery).
                Here is the link to download the user guide:

                https://support.cambiumnetworks.com/files/cnmaestro/
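When a login fails it helps to reproduce, from the cnMaestro host, the lookup cnMaestro makes with exactly the fields entered above, to separate connectivity, TLS, bind-credential and role-mapping problems. The following is an added example and not cnMaestro's own code: the field values mirror section 5 (dc=camnwk,dc=com, cn=admin), the CA path is the client copy from Step-18, and the list of role names and the exact-match comparison are assumptions about the cnMaestro role mapping rather than documented behaviour. The LDIF parser assumes the employeeType value fits on one line (ldapsearch folds lines longer than 76 characters).

```shell
#!/bin/sh
# Added example (not from the original post): replay the cnMaestro lookup with
# the section-5 field values. Role names and the exact-match rule are assumed.
set -u

LDAP_HOST="${LDAP_HOST:-myldap.test.com}"        # IP Address/Hostname field (FQDN)
SUFFIX="${SUFFIX:-dc=camnwk,dc=com}"             # Suffix field: the search base
BIND_DN="${BIND_DN:-cn=admin,$SUFFIX}"           # "Base DN" field: the DN cnMaestro binds with
CA_CERT="${CA_CERT:-/etc/ldap/ca_certs.pem}"     # the CA uploaded under "Enable SSL/TLS"
ROLE_MAPPINGS="${ROLE_MAPPINGS:-Super Administrator,Administrator,Operator,Monitor}"  # assumed list

# The bind DN must lie under the suffix. The "cn=admin, dc=xyz" spacing in the
# UI examples is stripped first so the check is on the DN itself.
dn_under_suffix() {        # $1 = bind DN, $2 = suffix
    dn="$(printf '%s' "$1" | sed 's/, */,/g')"
    sfx="$(printf '%s' "$2" | sed 's/, */,/g')"
    case "$dn" in
        *",$sfx") return 0 ;;
        *) return 1 ;;
    esac
}

# Extract employeeType from ldapsearch LDIF on stdin. ldapsearch base64-encodes
# values that are not safe LDIF strings and marks them with "::".
role_from_ldif() {
    while IFS= read -r line; do
        case "$line" in
            "employeeType:: "*) printf '%s' "${line#employeeType:: }" | base64 -d; echo; return 0 ;;
            "employeeType: "*)  printf '%s\n' "${line#employeeType: }"; return 0 ;;
        esac
    done
    return 1
}

# Exact, case-sensitive comparison against the configured mappings (assumed rule).
role_is_mapped() {         # $1 = role value, $2 = comma-separated mappings
    case ",$2," in
        *",$1,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# The lookup: TLS required (-ZZ), bind as cnMaestro does, search the suffix for
# the user and fetch only employeeType. -W prompts for the bind password.
lookup_user() {            # $1 = username
    LDAPTLS_CACERT="$CA_CERT" ldapsearch -LLL -H "ldap://$LDAP_HOST" -ZZ -x \
        -D "$BIND_DN" -W -b "$SUFFIX" "(uid=$1)" employeeType
}

check_user() {             # $1 = username; returns 0 when the login should succeed
    dn_under_suffix "$BIND_DN" "$SUFFIX" || { echo "bind DN $BIND_DN is not under suffix $SUFFIX"; return 1; }
    role="$(lookup_user "$1" | role_from_ldif)" || { echo "no employeeType on $1 (or the bind/search failed)"; return 1; }
    if role_is_mapped "$role" "$ROLE_MAPPINGS"; then
        echo "$1 -> role '$role' is mapped; login should work"
    else
        echo "$1 -> role '$role' has no cnMaestro role mapping"
        return 1
    fi
}

# Usage: sh cnmaestro_ldap_check.sh jdoe
if [ "$#" -gt 0 ]; then check_user "$1"; fi
```

A bind failure here ("Invalid credentials") means the Base DN/LDAP Password pair is wrong; a TLS error means the uploaded CA or the hostname is wrong; an empty result with a successful bind means the user is outside the Suffix or has no employeeType.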

 

6. Log into cnMaestro

  • Open a new browser session and log into cnMaestro with the new LDAP username and password.
    Login should succeed for the newly created user, with the role taken from its employeeType value.

Great Guide!

Is it possible to implement LDAP search filters?
That is, to limit login to only specific AD groups (with "memberOf").

I think currently the only distinction is by "employeeType".
But I cannot have 2 cnMaestro instances with a different role on each for a user.

Does LDAP support the essential version?

@Dlahiru

Yes, it does support the essential version.


Thanks. Local user creation is restricted with the _ character; is the AD user format unable to change?