LDAP/Active Directory

The Active Directory and LDAP authentication integration allows for the managing of NIM users, permission groups, and security groups in the directory service of choice.

The highlights of external authentication include:

  • Cross domain authentication

  • Auto create new users based on an Enabled Users group

  • Import and Merge users

  • Synchronize user attributes with NIM user attributes on login

  • Manage permission group membership from selected authentication service

  • Manage security group membership from selected authentication service

Login Format

When using external authentication, all user logins are defined by their User Principal Name (UPN) in the format of user@domain.com.

Active Directory requires that a userPrincipalName attribute is available for each user.

Note

If a single Active Directory is configured in NIM, then alternate UPN domains are allowed. If multiple Active Directories are defined, then the UPN for each user must match the domain they are attached to.

LDAP does not require that a specific userPrincipalName attribute is set on the user. NIM will construct a valid UPN from the defined user RDN setting and the domain FQDN.

Authentication Options

Navigate to the Admin/Security - Options tab and scroll down to Authentication Options to select the authentication service.

There are 3 options to use for authentication:

  • NIM - uses NIM’s internal authentication (default)

  • Active Directory - connects to an Active Directory server(s) for authentication

  • LDAP - connects to a LDAP server(s), such as openLDAP, for authentication

_images/nim5_admin_security_options_auth.png

Add Domain

Select Active Directory, LDAP, or Add Domain from the dropdown to add new domain credentials.

If this is the first domain you are defining, the edit panel will automatically open to enter the credentials.

Multiple domains can be entered for each authentication service and used to validate users, however users can only be validated against a single authentication service (Active Directory or LDAP).

Warning

Changing the authentication setting will immediately enforce this selection. Please be sure that you have either imported users for this service or properly configured the external enabled users group, permission groups, and security groups to sync at login for user access.

_images/nim5_auth_domain_new.png

Domain Options

The domain options allow for the configuration of server communication as well as preferences for synchronizing users, permission groups, and security groups.

Communication Settings

  • Domain - The FQDN, fully qualified domain name, in the format domain.com, for authentication.

    This domain will be used as the base DN for locating all records.

  • Servers - The host address of the Active Directory or LDAP server(s).

    Multiple servers may be entered separated by a space.

  • Port - The port number to access the authentication service.

    The default port is 389.

  • Protocol - The protocol to use when connecting to the authentication service.

    The default protocol is LDAP v3.

  • Use TLS - Select this checkbox to enforce TLS encrypted communication to the authentication service.

    When selecting this option please be sure that the specified authentication service is configured for TLS communication.

Administrative Account

  • Admin Account - The administrative account to use for read access to users and groups.

    The account should be entered in the format user@domain.com.

  • Admin Password - The password for the administrative account.

  • User RDN - (Only available for LDAP) The RDN string used to lookup a user record.

    Example: cn=<username>. The <username> variable will be replaced with the NIM username of the user attempting to login.

Synchronize Users on Login

  • Enabled User Group - Setting this value to YES will use the enabled users group to enable or disable users when they attempt to login.
    • Members of the group will be enabled, users who are not members will be disabled.

    • If this is a users first NIM login and the user is a member of the enabled users group defined as an objectClass groupOfNames in LDAP or group in Active Directory, NIM will automatically import a user based on the linked attribute settings.

    • If there are no licenses available, NIM will create the user but the user will be disabled.

    • Setting this value to NO will only check NIM if the user exists.

    • Users from will need to be imported using Users/Import function.

  • Enabled Users RDN - Enter the RDN string used for the location of the group of users who should be enabled in NIM.
    • The enabled users group is defined as an objectClass groupOfNames in LDAP or group in Active Directory.

    • Users in this group will be automatically enabled upon login if a user licenses is available.

    • The default value of ‘cn=enabledUsers,ou=nim’ will be used if the field is left blank.

    • The domain DN will be appended to this value.

  • User Attributes - The list of user attributes that will be read from the server.
    • Enter the attribute name you wish to add to the list and click the Add Attribute button.

  • Import User Icon - Select this checkbox to import user icons from the authentication service.
    • LDAP will import the user icon from the jpegPhoto attribute.

    • Active Directory will import the user icon from the thumbnailPhoto attribute.

Synchronize Permission Groups

  • Permission Groups - Setting this value to YES will update the user’s NIM permission groups to match externally assigned permission groups at user login.
    • External permission groups not synchronized with NIM will not be assigned.

  • Permission RDN - The RDN string used for the location of permission groups.
    • Permission groups are defined as an objectClass groupOfNames in LDAP or a group in Active Directory and must match NIM permission group names.

    • Permission groups can be imported to NIM from the Admin/Security - Permission Groups tab.

    • The default value of “ou=permission,ou=nim” will be used if the field is left blank.

    • The domain DN will be appended to this value.

Note

Users can only be assigned to a single NIM permission group. If multiple permission group memberships are found, no assignment will take place.

Synchronize Security Groups

  • Security Groups - Setting this value to YES will update the user’s NIM security groups to match externally assigned security groups at user login.
    • External security groups not synchronized with NIM will not be assigned.

  • Security RDN - Enter the RDN string used for the location of security groups.
    • Security groups are defined as an objectClass groupOfNames in LDAP or a group in Active Directory and must match NIM security group names.

    • Security groups can be imported to NIM from the Admin/Security - Security Groups tab.

    • The default value of “ou=security,ou=nim” will be used if the field is left blank.

    • The domain DN will be appended to this value.

Test Connection

  • Test Connection - Once valid domain connection information and an administrative user and password have been entered, click the Test Connection button to validate the settings. Any connection errors will appear below the button.

Save Domain

When you click the save settings button, NIM will validate the domain connection before storing new settings.

If a valid connection can not be established, your changes will not be saved and you will be prompted to update the required information.

If this is a new domain, and a connection can be established you will be presented with the following dialog asking if you would like to import users at this time.

_images/nim_auth_new_domain.png

Clicking the Import Users button will navigate you to the Admin/Users - User Import panel.

Import Users

Users can be imported directly from the authentication service from the Admin/Users - User Import panel.

To access the import panel, click the import button nim_button_import on the users grid, then select the tab with the corresponding service name, Active Directory or LDAP.

_images/nim5_auth_import_user.png

The first dropdown is a list of configured domains. Select the domain you wish to import users from and click the Search button.

_images/nim5_auth_import_user_search.png

The list displays users found in the authentication service and the attributes defined in the NIM domain options.

The first column denotes if a matching user is found in NIM.
  • Green - A user is found. Any imported information will be merged with the existing user

  • Orange - A user currently does not exist. A new user will be created with the current information.

The Link Attributes panel works identically to the panel used when configuring the domain options. Any values modified here will be updated for the domain and persistent for all login and imports.

To import users you can choose to Import All or Import Selected.
  • Import All - This will import all users found for the current domain

  • Import Selected - This will import the users selected in the list.
    • You can multi-select users by holding the shift key and clicking the users to select a range or use the Command or Ctrl key depending upon your OS to select non-sequential users.

To close the panel, click the ellipsis menu at the top right of the Import Users header and select the “Close Panel” option.

Import Permission Groups

Permission groups defined in the authentication service can be imported directly to NIM.

To import permission groups, navigate to the Admin > Security - Permission Groups tab and click the Import button.

_images/nim5_auth_pgroups.png

This will open the import panel which displays the current DN for the defined group or groupOfNames.

A column with the domain name as the header denotes if a matching group is found in NIM.
  • Green - A permission group is found.

  • Orange - A permission group does not exist. A new group will be created.

_images/nim5_auth_pgroups_sync.png

Clicking the IMPORT PERMISSION GROUPS button below will match permission groups in NIM with those in the defined authentication service, as well as create new groups for those not defined in NIM.

This action imports the group names, however the memberships are dynamically resolved at login.

If multiple domains are defined, NIM will import all groups defined across all domains within the authentication service.

Users can only be assigned to a single NIM permission group. If multiple permission group memberships are found, no assignment will take place.

Note

This will not remove NIM permission groups not found in the authentication service.

Import Security Groups

Security groups defined in the authentication service can be imported directly to NIM.

To import security groups, navigate to the Admin > Security - Security Groups tab and click the Import button.

_images/nim5_auth_sgroups.png

This will open the import panel which displays the current DN for the defined group or groupOfNames.

A column with the domain name as the header denotes if a matching group is found in NIM.
  • Green - A permission group is found.

  • Orange - A permission group does not exist. A new group will be created.

_images/nim5_auth_sgroups_sync.png

Clicking the IMPORT SECURITY GROUPS button below will match security groups in NIM with those in the defined authentication service, as well as create new groups for those not defined in NIM.

This action imports the group names, however the memberships are dynamically resolved at login.

If multiple domains are defined, NIM will import all groups defined across all domains within the authentication service.

Note

This will not remove NIM security groups not found in the authentication service.

nim-auth Command Line Tool

The NIM virtual machine contains a variety of shell scripts to simplify certain administrative tasks. The scripts can be found in:

/home/nim

The nim-auth script will allow users to switch authentication services from the NIM VM command line.

This script sets NIM’s authentication method which is one of 3 modes:

  • nim - uses NIM’s internal authentication (default)

  • ad - connects to an Active Directory server(s) for authentication

  • ldap - connects to a LDAP server(s), such as openLDAP, for authentication

To execute this script use the following syntax and pass the desired authentication method.

Usage:

sudo ./nim-auth nim
sudo ./nim-auth ldap
sudo ./nim-auth ad