Vectra Cognito's LDAP Authentication supports the following configurations:
- Active Directory (AD) or any LDAP server such as OpenLDAP
- STARTTLS and PLAINTEXT are supported.
- LDAPS (usually on port 636) is not supported, as it is considered deprecated.
- Authorization via LDAP is not supported. Users, roles and RBAC must be defined locally in the Cognito Detect appliance.
- STARTTLS is an extension to the LDAP protocol that uses TLS to encrypt communication. It works by first establishing a normal, i.e. unencrypted, connection with the LDAP server, after which a TLS handshake between the server and Cognito is carried out. The server sends its certificate to prove its identity before the secure connection is established.
- For Active Directory to support STARTTLS, the AD server must have an SSL certificate installed.
Obtain the required information from your LDAP/AD Administrator:
- Bind DN/Password
- Base DN
- LDAP server URI and port
- Search filter
- STARTTLS - Yes/No
- Ensure firewalls are opened for the LDAP connection, outbound LDAP port from Brain, inbound on LDAP server
- Log in to Cognito using an 'admin' account
- Click on Manage - External Authentication
- Create a new LDAP Profile
The following form will appear; provide the following information:
- Profile Name: user-defined; must use only letters, numbers, dashes, periods, and colons.
- Bind DN: Example: uid=cognito,dc=vectra,dc=com. For Active Directory the path may look like cn=cognito,dc=vectra,dc=com.
- To verify the path on the Active Directory server -> Choose the Organization Unit (OU) ->
- Password: password for the Bind DN account.
- Use TLS (STARTTLS): Yes or No. Use Yes only if STARTTLS is supported on your LDAP server; otherwise the connection will fail.
- Base DN: Example: dc=example,dc=com
- URI: Example: ldap://ldap-server:port. If no port is defined, the default TCP 389 is used. The prefix ldap:// must be included; ldaps:// is not accepted.
- Search Filter: the search filter can't be blank. Example values include: uid, cn, dc, sAMAccountName. In Active Directory, 'sAMAccountName' is the 'User Logon Name (pre-Windows 2000)' field. The User Logon Name field is referenced by 'cn'.
CN format is typically CN=Cool\Joe. sAMAccountName is used for user names such as jcool.
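Before entering the values obtained from the LDAP/AD administrator into the form, it is worth checking them against the constraints listed above (profile name character set, ldap:// only with TCP 389 as the default port, DN syntax, non-blank search filter) and seeing how the search filter attribute combines with a login name. The Python below is an added example written for this article; it is not Vectra code and does not talk to Cognito or to an LDAP server. The profile dictionary shape, the field names, the sample values, and the assumption that the search filter attribute is combined with the login name as (attribute=name) are all constructed for the example; the RFC 4515 escaping of the login name is the standard way to keep filter metacharacters from changing the filter's structure.

```python
import re
from urllib.parse import urlsplit

# Constraints as stated in the article: profile name character set, DN syntax,
# ldap:// only, default port 389, search filter attribute must not be blank.
PROFILE_NAME_RE = re.compile(r"^[A-Za-z0-9.:-]+$")
# attr=value pairs separated by commas; a backslash escapes the next character
# (so CN=Cool\Joe and escaped commas inside a value are accepted).
DN_RE = re.compile(
    r"^[A-Za-z][A-Za-z0-9-]*=(?:[^,\\]|\\.)+"
    r"(?:,[A-Za-z][A-Za-z0-9-]*=(?:[^,\\]|\\.)+)*$"
)

# Constructed sample profile (field names and values are assumptions for this example).
EXAMPLE_PROFILE = {
    "profile_name": "corp-ad",
    "bind_dn": "cn=cognito, dc=vectra,dc=com",   # spacing after the comma is tolerated
    "bind_password": "example-password",
    "base_dn": "dc=example,dc=com",
    "uri": "ldap://ldap-server",                  # no port given: default 389 applies
    "search_filter": "sAMAccountName",
    "use_starttls": True,
}


def normalize_dn(dn):
    """Strip whitespace around RDN separators so 'cn=a, dc=b' equals 'cn=a,dc=b'."""
    return re.sub(r"\s*,\s*", ",", dn.strip())


def parse_uri(uri):
    """Return (host, port) for an ldap:// URI, applying the article's default of TCP 389.

    Raises ValueError for ldaps://, a missing scheme or host, or a non-numeric port."""
    parts = urlsplit(uri)
    if parts.scheme != "ldap":
        raise ValueError("must start with ldap:// (ldaps:// is not accepted)")
    if not parts.hostname:
        raise ValueError("no host given")
    return parts.hostname, parts.port or 389   # .port raises ValueError if non-numeric


def validate_profile(profile):
    """Check a profile against the constraints the article lists.

    Returns a list of problem strings; an empty list means the pre-flight check passed."""
    problems = []
    if not PROFILE_NAME_RE.match(profile.get("profile_name", "")):
        problems.append("profile_name: only letters, numbers, dashes, periods and colons allowed")
    for field in ("bind_dn", "base_dn"):
        if not DN_RE.match(normalize_dn(profile.get(field, ""))):
            problems.append(f"{field}: not a DN of the form attr=value,attr=value")
    if not profile.get("bind_password"):
        problems.append("bind_password: must not be empty")
    try:
        parse_uri(profile.get("uri", ""))
    except ValueError as exc:
        problems.append(f"uri: {exc}")
    if not profile.get("search_filter", "").strip():
        problems.append("search_filter: cannot be blank (e.g. uid or sAMAccountName)")
    if not isinstance(profile.get("use_starttls"), bool):
        problems.append("use_starttls: must be Yes (True) or No (False)")
    return problems


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515 section 3).

    The characters * ( ) \\ and NUL become \\XX hex escapes so that a login name
    cannot alter the filter's structure; other UTF-8 text is allowed as-is."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_login_filter(search_attr, login_name):
    """Combine the profile's search filter attribute with a login name.

    That the appliance builds the per-login filter as (attr=name) is an assumption
    made for this example, not a documented Cognito behaviour."""
    return f"({search_attr}={escape_filter_value(login_name)})"


if __name__ == "__main__":
    print("problems:", validate_profile(EXAMPLE_PROFILE) or "none")
    print("normalized bind DN:", normalize_dn(EXAMPLE_PROFILE["bind_dn"]))
    print("host/port:", parse_uri(EXAMPLE_PROFILE["uri"]))
    print("login filter:", build_login_filter(EXAMPLE_PROFILE["search_filter"], "jcool"))
```

Running the script with the constructed profile reports no problems, resolves the URI to ("ldap-server", 389), and builds the filter (sAMAccountName=jcool); swapping the URI for ldaps://ldap-server:636 or putting a space in the profile name makes validate_profile return the corresponding problem strings, which mirrors the form rejecting those values.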
Full LDAP Example:
Creating new users
To create new users or replace existing users:
- Go to the Manage - Users tab.
- Make sure to select User Type: LDAP, then select the appropriate profile and role.
For further troubleshooting information refer to the companion article: Troubleshooting LDAP Authentication