5.11.2. Use LDAP to Authenticate to the Management Interfaces

download PDF
To use an LDAP directory server as the authentication source for the Management Console, Management CLI, or Management API, you need to perform the following procedures:
  1. Create an outbound connection to the LDAP server.
  2. Create an LDAP-enabled security realm.
  3. Reference the new security domain in the Management Interface.
Create an Outbound Connection to an LDAP Server

The LDAP outbound connection allows the following attributes:

Table 5.1. Attributes of an LDAP Outbound Connection
Attribute Required Description
url yes
The URL address of the directory server.
search-dn no
The fully distinguished name (DN) of the user authorized to perform searches.
search-credentials no
The password of the user authorized to perform searches.
initial-context-factory no
The initial context factory to use when establishing the connection. Defaults to com.sun.jndi.ldap.LdapCtxFactory.
security-realm no
The security realm to reference to obtain a configured SSLContext to use when establishing the connection.

Example 5.10. Add an LDAP Outbound Connection

This example adds an outbound connection with the following properties set:
  • Search DN: cn=search,dc=acme,dc=com
  • Search Credential: myPass
  • URL: ldap://
The first command adds the security realm.
The second command adds the LDAP connection.
Create an LDAP-Enabled Security Realm

The Management Interfaces can authenticate against LDAP server instead of the property-file based security realms configured by default. The LDAP authenticator operates by first establishing a connection to the remote directory server. It then performs a search using the username which the user passed to the authentication system, to find the fully-qualified distinguished name (DN) of the LDAP record. A new connection is established, using the DN of the user as the credential, and password supplied by the user. If this authentication to the LDAP server is successful, the DN is verified to be valid.

The LDAP security realm uses the following configuration attributes:
The name of the connection defined in outbound-connections to use to connect to the LDAP directory.
The fully defined filter used to search for a user based on the supplied user ID. The filter must contain a variable in the following format: {0}. This is later replaced with the user name supplied by the user.
The distinguished name of the context to begin searching for the user.
Whether the search should be recursive throughout the LDAP directory tree, or only search the specified context. Defaults to false.
The attribute of the user that holds the distinguished name. This is subsequently used to test authentication as the user can complete. Defaults to dn.
The name of the attribute to search for the user. This filter performs a simple search where the user name entered by the user matches the specified attribute.
This attribute determines whether an empty password is accepted. The default value for this attribute is false.
Either username-filter or advanced-filter must be specified
The advanced-filter attribute contains a filter query in the standard LDAP syntax, for example:

Example 5.11. XML Representing an LDAP-enabled Security Realm

This example uses the following parameters:
  • connection - ldap_connection
  • base-dn - cn=users,dc=acme,dc=com.
  • username-filter - attribute="sambaAccountName"
<security-realm name="ldap_security_realm">
      <ldap connection="ldap_connection" base-dn="cn=users,dc=acme,dc=com">
         <username-filter attribute="sambaAccountName" />


It is important to ensure that you do not allow empty LDAP passwords; unless you specifically desire this in your environment, it is a serious security concern.
EAP 6.1 includes a patch for CVE-2012-5629, which sets the allowEmptyPasswords option for the LDAP login modules to false if the option is not already configured. For older versions, this option should be configured manually

Example 5.12. Add an LDAP Security Realm

The command below adds an LDAP authentication to a security realm and sets its attributes for a host named master in the domain.
/host=master/core-service=management/security-realm=ldap_security_realm/authentication=ldap:add(base-dn="DC=mycompany,DC=org", recursive=true, username-attribute="MyAccountName", connection="ldap_connection")
Apply the New Security Realm to the Management Interface

After you create a security realm, you need to reference it in the configuration of your management interface. The management interface will use the security realm for HTTP digest authentication.

Example 5.13. Apply the Security Realm to the HTTP Interface

After this configuration is in place, and you restart the host controller, the web-based Management Console will use LDAP to authenticate its users.

Example 5.14. Apply the Security Realm to the Native Interface

Use the following command to apply the same settings to the native interface:
Red Hat logoGithubRedditYoutubeTwitter


Try, buy, & sell


About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.