IBM Guardium


How to Set Up LDAP Authentication in Guardium Data Security Center with Microsoft Active Directory

By Anuj Shrivastava posted Mon December 02, 2024 03:48 PM


How to Set Up LDAP Authentication in IBM Guardium Data Security Center with Microsoft Active Directory

Setting up LDAP authentication with IBM Guardium Data Security Center (GDSC) enables centralized user management, leveraging Microsoft Active Directory (AD) for secure and streamlined access control. This detailed guide outlines the steps required to configure LDAP authentication in GDSC with Microsoft AD.

Why Use LDAP Authentication?

LDAP (Lightweight Directory Access Protocol) provides centralized control over users, groups, and permissions. Integrating LDAP with IBM Guardium Data Security Center ensures:

  • Unified and secure credential management.
  • Simplified user access provisioning and de-provisioning.
  • Compliance with organizational security policies.

Prerequisites

Before configuring LDAP, ensure the following:

  • Installed and running instances of IBM Guardium Data Security Center or Guardium Insights.
  • Active Directory server information:
    • Server URL: e.g., ldap://<IP>:<Port>.
    • Base Distinguished Name (DN): Directory root for user and group searches.
    • Bind DN: Service account for directory queries.
    • Bind DN Password: Account credentials.
  • LDAP port open between Guardium and AD (default: 389 for LDAP or 636 for LDAPS).

Step-by-Step Configuration

Before you log in, there are two steps to follow for a seamless integration:

  1. Get the default login credentials from the OCP CLI (procedure given below); use these to log in to the GDSC console initially.
  2. The LDAP server that you connect to must have a uid attribute in its schema. If it does not, you will need to update its ICS config map with an alternative.

For example, for an Active Directory LDAP server, you will have to specify sAMAccountName as the userName. To change the userName attribute mapping from the default uid to another value such as sAMAccountName, edit the platform-auth-idp config map on your OCP cluster in the namespace where IBM Common Services is installed. Change the userName field to the desired value; it is located under user in the default object.


1. Log In to Guardium Data Security Center using default credentials 

  1. The default username to access the console is cpadmin. To retrieve the password, use these CLI commands, where $NAMESPACE is the namespace in which IBM Common Services is installed (the secret values are base64-encoded, so both are decoded):
    oc get secret platform-auth-idp-credentials -o jsonpath='{.data.admin_username}' -n $NAMESPACE | base64 -d | awk '{print $1}'
    oc get secret platform-auth-idp-credentials -o jsonpath='{.data.admin_password}' -n $NAMESPACE | base64 -d
  2. Open your browser and navigate to the GDSC interface.
  3. Log in with the administrative account (username cpadmin).

The output that you receive, for example EwK9dj_example_password_lZSzVsA, is the password that is used for accessing the console. To change the default username (cpadmin) or password, see Changing the cluster administrator access credentials.

2. Navigate to LDAP Configuration

  1. To see the various settings, open the main menu by clicking the main menu icon. Then click Configurations > LDAP configuration.
  2. In the LDAP connections page, click Add LDAP connection and then complete the LDAP configuration.

    Configuring LDAP for Guardium Data Security Center

    1. Access Guardium Insights:
      Log in to the Guardium Insights web UI with admin credentials.

    2. Go to Authentication Settings:

      • Navigate to Settings > Authentication Settings under Connections.
      • Click Add Connection and select LDAP.
    3. Enter LDAP Connection Details:

      • Server URL: ldap://xxx.xxx.xxx.xxx:389.
      • Base Distinguished Name (DN): CN=Users,DC=example,DC=com.
    4. Configure Bind DN:

      • Bind DN: CN=Administrator,CN=Users,DC=example,DC=com.
      • Bind DN Password: Enter the password for the Bind DN (e.g., 123!ExamplePassword).
    5. Define User Filters and Mapping:

      • User Filter: (&(sAMAccountName=%v)(objectclass=user)).
      • User ID Map: user:sAMAccountName.
    6. Test and Save Configuration:

      • Click Test Connection to validate settings.
      • Save and enable the LDAP configuration.
    7. Verify Access:

      • Log out of the admin account.
      • Attempt to log in with an AD user account to confirm access.
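As an added example (not from the post and not IBM product code), the Python below shows how the User Filter and User ID Map entered above are applied to a login name: the %v placeholder takes the login after RFC 4515 escaping, so a name containing filter metacharacters such as * or parentheses cannot widen the search, and the same lookup can be reproduced with ldapsearch when Test Connection fails. The ldapsearch flags are standard OpenLDAP ones; the helper function names are my own.

```python
# Added example: apply GDSC's User Filter / User ID Map to a login name and
# build the equivalent ldapsearch invocation for troubleshooting.

# Values taken from the worked configuration above
USER_FILTER = "(&(sAMAccountName=%v)(objectclass=user))"
USER_ID_MAP = "user:sAMAccountName"

# Characters with special meaning inside an LDAP search filter (RFC 4515)
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_user_filter(template: str, login: str) -> str:
    """Replace the %v placeholder with the escaped login name."""
    if "%v" not in template:
        raise ValueError("user filter has no %v placeholder")
    return template.replace("%v", escape_filter_value(login))


def id_map_attribute(id_map: str) -> str:
    """Return the attribute named in a 'user:<attribute>' User ID Map."""
    scope, _, attr = id_map.partition(":")
    if scope != "user" or not attr:
        raise ValueError(f"unexpected User ID Map: {id_map!r}")
    return attr


def ldapsearch_argv(url: str, bind_dn: str, base_dn: str,
                    user_filter: str, login: str, id_map: str) -> list:
    """Build the ldapsearch command that reproduces the console's user lookup.

    -W makes ldapsearch prompt for the Bind DN password, so the password
    never appears in shell history or process listings.
    """
    return ["ldapsearch", "-x", "-H", url, "-D", bind_dn, "-W", "-b", base_dn,
            render_user_filter(user_filter, login), id_map_attribute(id_map)]


if __name__ == "__main__":
    # Constructed sample values matching the post's example configuration
    print(" ".join(ldapsearch_argv("ldap://xxx.xxx.xxx.xxx:389",
                                   "CN=Administrator,CN=Users,DC=example,DC=com",
                                   "CN=Users,DC=example,DC=com",
                                   USER_FILTER, "jdoe", USER_ID_MAP)))
```

If the generated ldapsearch returns no entry for a known user, the Base DN or filter is wrong; if it fails to bind, the Bind DN or its password is wrong, which narrows the troubleshooting list at the end of the post.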


3. Test the LDAP Connection

  1. Click the Test Connection button to verify the configuration.
  2. If the test fails, check the server URL, port, credentials, and search base settings.

4. Save and Activate

  1. Once the test is successful, save the configuration.
  2. Activate the LDAP connection to enable it as an authentication source.

5. Test LDAP Configuration (optional)

Validate User Access

  1. Log out of the admin account in GDSC.
  2. Attempt to log in with a user account managed by AD.
  3. Confirm that the user has appropriate access based on their LDAP group membership.

Troubleshooting

  • Connection Issues: Ensure network connectivity between GDSC and the AD server. Verify that the firewall allows traffic on the specified port.
  • Authentication Fails: Double-check the Bind DN credentials and user search base settings.
  • Group Role Mapping Problems: Validate group filters and ensure that group attributes are correctly mapped.

Conclusion

Configuring LDAP authentication in IBM Guardium Data Security Center with Microsoft Active Directory simplifies user management and enhances security. By following this guide, you can successfully integrate AD with GDSC, ensuring a centralized and efficient access control system for your organization.

For more detailed information, refer to the official IBM documentation.

Reach out to us if you need further guidance. Let’s elevate your security operations together!

Tamil Selvam R - tamilselvam.ramalingam@ibm.com
Anuj Shrivastava  - ashrivastava@in.ibm.com