Configuring Scrutinizer for LDAP Authentication

joanna

Local authentication into software or even hardware is useful for both the end user and the organization as a whole. Logging in with your network LDAP credentials limits the number of passwords you need to keep track of, and serves as an added security measure. In this blog, I will cover the basics of LDAP, as well as explain how to set up Scrutinizer for LDAP authentication.

What is LDAP and Why is It Great?

LDAP stands for Lightweight Directory Access Protocol. It’s used to look up contact and authentication information. For the end user, this is great because you no longer have to remember half a dozen different passwords for different applications.

On the network side, a network administrator can use LDAP to set permissions so that only certain people can have access to certain data. You can find a quick explanation of how this magic works here. That being said, if you want to limit users’ access to network applications, you can do that too!

Let’s Set Up LDAP Authentication

Imagine LDAP being like a bouncer for a club: you aren’t allowed in unless you’re on the special list. So let’s set up a bouncer for club Scrutinizer. This blog will be for versions 18.x and up. If you are running a version of Scrutinizer older than version 17.x then you can refer to this blog.

First, we need a couple of pieces of information from your Active Directory server. We will need the following:

  • an administrative distinguished name (DN);
  • the administrator password;
  • the type of ID attribute your company uses (e.g. sAMAccountName);
  • the LDAP port;
  • the search base you want Scrutinizer to use to look up users;
  • the SSL protocol your server uses;
  • the IP of the LDAP server.

You can define specific security groups too, but this is optional.

Note that the administrator DN and password must belong to an Active Directory user that has admin privileges.

Now that we have that info, let’s log in to Scrutinizer via the WebUI as the admin user.

Once in the WebUI, go to Admin > Security > LDAP Servers. Select the Add Server button and input the information we just gathered from your Active Directory server. Click Save.

If you want to test whether or not these credentials work, click on the server you just added, then select the Test tab in the popup window.

You can also define specific security groups. Let’s say we have a security group in Scrutinizer named “Scrut Admins.” You can create a new security group on your Active Directory server named “Scrut Admins,” and once those users authenticate into Scrutinizer, they will automatically be members of that group in Scrutinizer!

What If I Can’t Get It to Work?

For troubleshooting, the test button is the best place to start. This should give you a clear output as to what the problem is, e.g. “user not found” or “unable to connect to LDAP server.”

If Scrutinizer cannot find the user, you may need to verify the DN you used for the searchbase. The best way to check the searchbase is to:

  1. log in to the LDAP server as an admin;
  2. find your username;
  3. right-click and select properties, then attribute editor;
  4. find the “distinguishedName”. You should be able to double-click that line and copy and paste it into Scrutinizer. The same can be done for security groups.
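A quick offline check for the “user not found” case described above, added here as an example (it is not part of the original post and is not Scrutinizer code): it tests whether a copied distinguishedName actually sits under the search base you configured, ignoring case and spacing and respecting escaped commas. The function names and the example.com DNs are constructed for illustration, and multi-valued RDNs joined with “+” are assumed not to occur.

```python
def split_dn(dn):
    """Split a DN into RDN strings on commas that are not backslash-escaped."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])  # keep the escape pair (e.g. "\,") intact
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))
    return rdns


def normalize(dn):
    """Lower-case and trim every RDN so comparison ignores case and spacing."""
    out = []
    for rdn in split_dn(dn):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        out.append((attr.strip().lower(), value.strip().lower()))
    return out


def under_search_base(user_dn, search_base):
    """True when user_dn sits at or below search_base in the directory tree."""
    user, base = normalize(user_dn), normalize(search_base)
    return len(user) >= len(base) and user[-len(base):] == base


# Constructed sample values; example.com is a placeholder domain.
USER_DN = r"CN=Doe\, Jane,OU=Network,OU=Staff,DC=example,DC=com"
GOOD_BASE = "ou=staff, dc=example, dc=com"      # same subtree, different case
BAD_BASE = "OU=Contractors,DC=example,DC=com"   # sibling OU: user not found

if __name__ == "__main__":
    for base in (GOOD_BASE, BAD_BASE):
        print(base, "->", under_search_base(USER_DN, base))
```

A ValueError from normalize usually means a domain name such as example.com was typed where a DN was expected.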

If you’re still stuck, please don’t hesitate to reach out to our support team as we’d be happy to help out.

You Can’t Authenticate with Us (Actually You Can)

Now that you have LDAP set up, Scrutinizer is like an exclusive club that only the cool network admins and security admins can get into.

This exclusive club means only certain people can view your network information and have access to your network and security monitoring. If you want to configure our other forms of authentication, check out our blogs on configuring RADIUS and TACACS+.