Fermilab Computing Sector

Customer Guide - LDAP Authentication Service

(for Application Owners)

Use

As an authentication service, the LDAP Service does not permit a logon. What it allows is a simple LDAP bind (LDAP over SSL is preferred and highly recommended) to verify that the presented username and password are correct. Any application that uses the LDAP Service needs to be able to do one of the following:

  1. Connect directly to services.fnal.gov
  2. Look up the services.fnal.gov entry in DNS, parse the results, and attempt to connect to each server in order

The connection should attempt to bind with the credentials of the user being authenticated. If the bind succeeds, the bind and connection should be closed and the application continues to run. If necessary, a service account can be created in the LDAP Service for the application to log in with before it authenticates the user.

LDAP groups are also available for more granular access control within the application. If group membership is to be used, the memberof attribute should be read for the user after a successful bind and the returned values parsed for the necessary information. Alternatively, one can read the members attribute of the group used by the application and check whether the user being authenticated is listed in it.
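The bind-then-check flow described above, written out as an added example for this guide (it is not Fermilab code): it drives the same OpenLDAP ldapsearch client used later on this page, binds as the user with a UPN over LDAPS, reads the user's own memberof values and parses the LDIF that ldapsearch prints, then decides on group membership. The userPrincipalName filter attribute, the group DNs and the sample LDIF are assumptions constructed for the example. It also refuses an empty password before binding: an LDAP simple bind with a name and an empty password is an unauthenticated bind that directories commonly treat as anonymous, so an application that forwards it would accept any username.

```python
"""Bind-as-the-user authentication plus memberOf group check via ldapsearch.

Added example for this guide. Assumed (not from the guide): the
userPrincipalName filter attribute, the group DNs, and SAMPLE_LDIF.
"""
import base64
import os
import subprocess
import tempfile
from typing import Dict, List, Optional, Tuple

LDAP_URI = "ldaps://services.fnal.gov"                    # from the guide
USER_BASE = "ou=FermiUsers,dc=services,dc=fnal,dc=gov"    # from the guide
LDAP_INVALID_CREDENTIALS = 49   # LDAP resultCode; OpenLDAP tools exit with it


def escape_filter(value: str) -> str:
    """RFC 4515 escaping so a user-supplied name cannot alter the search filter."""
    return ''.join('\\%02x' % ord(ch) if ch in '\\*()\x00' else ch for ch in value)


def build_ldapsearch_cmd(upn: str, password_file: str, attrs: List[str]) -> List[str]:
    """argv for: simple bind as `upn`, then read the user's own entry.
    The password travels through a file (-y), not argv, so it is not visible in ps."""
    user_filter = "(userPrincipalName=%s)" % escape_filter(upn)  # attribute assumed
    return ["ldapsearch", "-x", "-LLL", "-H", LDAP_URI, "-b", USER_BASE,
            "-D", upn, "-y", password_file, user_filter] + attrs


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal reader for `ldapsearch -LLL` output: unfolds continuation lines
    (leading space), decodes base64 values ('attr:: ...'), skips comments.
    Attribute names are lower-cased; each maps to a list of values."""
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(' ') and logical:
            logical[-1] += raw[1:]          # folded line continues the previous one
        else:
            logical.append(raw)
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in logical + ['']:             # trailing '' flushes the last entry
        if line.startswith('#'):
            continue
        if line == '':
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, value = line.partition(':')
        if value.startswith(':'):           # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode('utf-8')
        else:
            value = value.strip()
        current.setdefault(name.lower(), []).append(value)
    return entries


def normalize_dn(dn: str) -> str:
    """Comparison form: RDNs lower-cased, whitespace around commas dropped.
    (Does not handle escaped commas inside an RDN value.)"""
    return ','.join(part.strip().lower() for part in dn.split(','))


def is_member(entry: Dict[str, List[str]], group_dn: str) -> bool:
    """True if the entry's memberOf values contain group_dn (case-insensitively)."""
    target = normalize_dn(group_dn)
    return any(normalize_dn(g) == target for g in entry.get('memberof', []))


def authenticate(upn: str, password: str,
                 required_group: Optional[str] = None) -> Tuple[bool, str]:
    """Verify credentials by binding as the user; optionally require a group."""
    # An empty password turns a simple bind into an *unauthenticated* bind, which
    # many directories accept as anonymous. Refuse it before touching the network.
    if not password or '\x00' in password:
        return False, "empty password rejected"
    fd, path = tempfile.mkstemp()           # created 0600, readable only by us
    try:
        with os.fdopen(fd, 'w') as f:
            f.write(password)               # no trailing newline: -y uses the file verbatim
        proc = subprocess.run(build_ldapsearch_cmd(upn, path, ['memberOf']),
                              capture_output=True, text=True, timeout=15)
    finally:
        os.unlink(path)
    if proc.returncode == LDAP_INVALID_CREDENTIALS:
        return False, "invalid credentials"
    if proc.returncode != 0:
        return False, "ldap error %d: %s" % (proc.returncode, proc.stderr.strip())
    entries = parse_ldif(proc.stdout)
    if len(entries) != 1:
        return False, "expected exactly one user entry, got %d" % len(entries)
    if required_group and not is_member(entries[0], required_group):
        return False, "authenticated but not in %s" % required_group
    return True, entries[0]['dn'][0]


# Constructed sample of what the search returns (not real directory data).
SAMPLE_LDIF = (
    "dn: CN=jdoe,OU=FermiUsers,DC=services,DC=fnal,DC=gov\n"
    "memberOf: CN=app-admins,OU=FermiGroups,DC=services,DC=fnal,DC=gov\n"
    # ldapsearch folds long lines at 76 columns; the continuation starts with one space
    "memberOf: CN=very-long-group-name-that-ldapsearch-folds,OU=FermiGroups,DC=servi\n"
    " ces,DC=fnal,DC=gov\n"
    # values ldapsearch cannot print verbatim come out base64-encoded after '::'
    "memberOf:: " + base64.b64encode(
        b"CN=app-users,OU=FermiGroups,DC=services,DC=fnal,DC=gov").decode() + "\n"
    "\n"
)

if __name__ == '__main__':
    user = parse_ldif(SAMPLE_LDIF)[0]
    print(user['dn'][0], 'in app-admins:',
          is_member(user, 'CN=app-admins,OU=FermiGroups,DC=services,DC=fnal,DC=gov'))
```

The filter escaping matters even though the bind has already proven the password: the UPN is user input, and an unescaped `*` or `)` in it would change which entry the follow-up search returns. The DN comparison is deliberately case-insensitive, since the directory returns DNs in mixed case (CN=..., DC=...) while configuration files often carry them in lower case.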

The service is typically referred to by the following URL: LDAPS://services.fnal.gov. This is LDAP over SSL and uses port 636. Plain LDAP normally uses port 389, which is not encrypted and therefore not recommended. The LDAP servers use SSL certificates from DigiCert, a recognized certificate provider. The application generally requires a search base (the BaseDN) from which to begin the search. The BaseDN for users in this service is ou=FermiUsers,dc=services,dc=fnal,dc=gov.

If your application requires a successful bind before searching the directory, a service account can be created for your application to use. Please open a Service Desk ticket to get this account created. The request should include the name of the application, the names and email addresses of the responsible administrator(s), and a brief description of what the application is for.

This service account can be tested in the following manner:

$ ldapsearch -x -LLL -H ldaps://services.fnal.gov -bdc=services,dc=fnal,dc=gov -D cd-srv-test@services.fnal.gov -W name=cd-srv-test dn
Enter LDAP Password: 

After entering the service account password something similar to the following should be returned:

dn: CN=cd-srv-test,OU=FermiServiceAccounts,DC=services,DC=fnal,DC=gov

Using LDAPS rather than regular LDAP is highly recommended.

Configuration of the service account varies by application. Some will require the distinguished name (DN) of the service account. For example, the DN for the cd-srv-test account looks like this:

CN=cd-srv-test,OU=FermiServiceAccounts,DC=services,DC=fnal,DC=gov

Others will require the universal principal name (UPN) to be used. The UPN for cd-srv-test will look like this:

cd-srv-test@services.fnal.gov

The password for the service account will usually have to be entered as well. The password should be treated as a secret and be known to as few people as possible.

Some clients (particularly Unix openLDAP clients) need to be configured with LDAPS and the two servers listed separately, rather than with the front-end services.fnal.gov address. These servers are:

    ldapdc1.services.fnal.gov
    ldapdc2.services.fnal.gov

The following needs to be added to the /etc/openldap/ldap.conf file:

     TLS_CACERTDIR /etc/openldap/cacerts

In the /etc/openldap/cacerts directory, copies of the following certificates need to be stored:

  • C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global CA
  • C=US, O=Entrust.net, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Secure Server Certification Authority

Otherwise openLDAP will not set up a secure (LDAPS) connection.
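The openLDAP client settings described above, collected into one ldap.conf fragment as an added example (this is not a file supplied by Fermilab; the BASE line and the TLS_REQCERT setting are additions beyond what the page lists, and paths follow the page):

```conf
# /etc/openldap/ldap.conf - client settings for the LDAP Service (added example)
# Both servers listed separately; the client tries them in the order given.
URI     ldaps://ldapdc1.services.fnal.gov ldaps://ldapdc2.services.fnal.gov
BASE    ou=FermiUsers,dc=services,dc=fnal,dc=gov

# Directory holding the CA certificates listed above, one PEM file each.
TLS_CACERTDIR /etc/openldap/cacerts
# Fail the connection when the server certificate does not verify against them.
TLS_REQCERT demand
```

When openLDAP is built against OpenSSL it locates certificates in TLS_CACERTDIR by hash-named symlinks, so run `openssl rehash /etc/openldap/cacerts` (or the older `c_rehash`) after copying the files. `TLS_REQCERT demand` is the default, but it is worth stating explicitly: a client configured with `never` or `allow` connects on port 636 without actually verifying who it is sending the password to. A quick check that the chain is trusted is `ldapwhoami -x -H ldaps://ldapdc1.services.fnal.gov -D cd-srv-test@services.fnal.gov -W`, which should print the service account's DN rather than a certificate verification error.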

Both of these certificates can be exported from Firefox or IE. They are also available here:

End Users

The end-user view depends on the application. Some will require the user to enter a UPN in the logon box; others will only require the plain user name. The application administrators will need to let their users know exactly which format is required.

User Administration

All regular user accounts that exist in the Fermi Windows domain also exist in the LDAP Service. A default password would have to be set for any new user before they could use any application that relies on the LDAP Service for authentication. This password can be changed by the end user with the Self Service Password Reset tool or, during normal business hours, by contacting the Fermilab Service Desk.

Application administrators (those responsible for the external application using the LDAP Service for authentication) will have the ability to manage groups, should groups be necessary for the application to run. This is done via a custom MMC application on the server LDAPMAINT1.

The creation of groups should be requested via the Service Desk.

Miscellaneous

  • The LDAP Service does not accept anonymous connections. If you wish to use the LDAP service please contact the Service Desk.
  • A Service Level Agreement (SLA) must be agreed upon between CSI and the application administrators before using the LDAP Service.
  • Applications that require a custom schema or an extension of the existing schema are not directly supported. If this is necessary for your application, please open a Service Desk ticket.