Striim 3.9.7 documentation

Using LDAP authentication

To use your OpenLDAP or Microsoft Active Directory server to authenticate users, use the Tungsten console to create a property set containing the following server properties:

PROVIDER_URL
    ldap://<LDAP server IP address>, or ldaps://<LDAP server IP address> if using SSL.

SECURITY_AUTHENTICATION
    Set to simple, the only currently supported value. A simple bind sends the SECURITY_CREDENTIALS password to the server in the clear unless the connection is TLS-protected, so see Enabling SSL for LDAP for instructions on securing authentication.

SECURITY_CREDENTIALS
    Password for SECURITY_PRINCIPAL, if required (Striim stores it encrypted). The value may be in RFC 2307 hashed form.

SECURITY_PRINCIPAL
    The LDAP user principal name that Striim binds with to search for users (see the documentation for your LDAP server). The examples below bind as cn=Manager; in production, prefer a least-privilege account that can only read the user subtree.

USER_BASE_DN
    The base DN under which users are authenticated (see the documentation for your LDAP server), for example ou=Users,dc=mydomain,dc=com.

USER_RDN
    The LDAP attribute whose value forms the user's relative distinguished name (RDN). Striim combines it with USER_BASE_DN to build the DN it authenticates the user as. For example, with the property set below, the Striim login name jsmith gives uid=jsmith,ou=Users,dc=mydomain,dc=com. Defaults to uid.

USER_USERID
    The LDAP attribute Striim combines with USER_BASE_DN to look up users in LDAP. For example, with the property set below and the Striim login name jsmith, Striim searches for uid=jsmith,ou=Users,dc=mydomain,dc=com.

For example:

USE admin;
CREATE PROPERTYSET LDAP1 (
PROVIDER_URL:"ldap://203.0.113.45:389/",
SECURITY_AUTHENTICATION:simple,
SECURITY_PRINCIPAL: "cn=Manager,dc=mydomain,dc=com",
SECURITY_CREDENTIALS:secret,
USER_BASE_DN:"ou=Users,dc=mydomain,dc=com",
USER_RDN:uid,
USER_USERID:uid);

Using LDAP with Striim-compatible LDAP names

If the values for the LDAP property specified by USER_RDN do not contain spaces, punctuation, or special characters, they may be used as the Striim login names. For example, with the above property set, an administrator could create a Striim user associated with an existing LDAP user on that server using this syntax:

CREATE USER <name> USING LDAP admin.LDAP1;

At login (and when the user is created, as shown below), Striim searches the LDAP directory for <USER_USERID>=<user name>,<USER_BASE_DN>. If the entry is found, Striim verifies that its <USER_RDN> value matches the user name and that the Striim login password matches the LDAP userPassword value. For example:

CREATE USER jsmith USING LDAP admin.LDAP1;

Since USER_USERID is uid, Striim searches the LDAP directory for uid=jsmith,ou=Users,dc=mydomain,dc=com. Since USER_RDN is also uid, Striim verifies that the entry's uid is jsmith. If it is, Striim verifies that the login password matches the LDAP userPassword value and creates a Striim user associated with that LDAP user. If the search returns nothing, the uid value is not jsmith, or the passwords do not match, user creation fails.

When a user is created with the USING LDAP option, DESCRIBE <user> will return the name of the LDAP property set.

Using LDAP authentication with incompatible LDAP names

If the values of the LDAP attribute specified by USER_RDN (by default, uid) contain spaces, punctuation, or special characters, they cannot be used as the associated Striim login names. To work around this limitation, use the ALIAS FOR option.

For example, assume that in LDAP users look like this:

dn: cn=John Smith,ou=Users,dc=mydomain,dc=com
cn: John Smith
sn: Smith
objectClass: inetOrgPerson
userPassword: secret
uid: john.smith

In that case, you could set both USER_RDN and USER_USERID to cn:

USE admin;
CREATE PROPERTYSET LDAP2 (
PROVIDER_URL:"ldap://203.0.113.45:389/",
SECURITY_AUTHENTICATION:simple,
SECURITY_PRINCIPAL: "cn=Manager,dc=mydomain,dc=com",
SECURITY_CREDENTIALS:secret,
USER_BASE_DN:"ou=Users,dc=mydomain,dc=com",
USER_RDN:cn,
USER_USERID:cn);

Then the command to create a Striim user account for John Smith would be:

CREATE USER jsmith USING LDAP admin.LDAP2 ALIAS FOR 'John Smith';

Since in this case USER_USERID is cn, Striim will search the LDAP directory for cn=John Smith,ou=Users,dc=mydomain,dc=com.

Note

The user must log in to Striim with the alias, not their usual LDAP user name (in the example, jsmith, not John Smith or john.smith).

When a user is created with the ALIAS FOR  option, DESCRIBE <user> will return the LDAP user name.
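The checks described in the two sections above (lookup by USER_USERID under USER_BASE_DN, match on USER_RDN, password check against userPassword, and the ALIAS FOR mapping that makes the user log in with the alias) modelled in Python, as an added example that is not Striim's code. The property sets, directory entries, Striim user table and the {SSHA}-encoded password are constructed for the example, and Striim's real bind and password handling is not shown on the page. The RFC 4514 escaping of the login name before it is spliced into the DN is a practitioner caveat added here, not documented Striim behaviour.

```python
"""Model of the Striim LDAP checks described on the page (added example, not
Striim code). Property sets, directory, user table and the {SSHA} value are
constructed; RFC 4514 escaping is an added caveat, not documented behaviour."""
import base64
import hashlib
import hmac

# Property sets as on the page; SECURITY_* values are not needed for the model.
PROPSETS = {
    "admin.LDAP1": {"USER_BASE_DN": "ou=Users,dc=mydomain,dc=com",
                    "USER_RDN": "uid", "USER_USERID": "uid"},
    "admin.LDAP2": {"USER_BASE_DN": "ou=Users,dc=mydomain,dc=com",
                    "USER_RDN": "cn", "USER_USERID": "cn"},
}


def make_userpassword(password: str, scheme: str = "SSHA", salt: bytes = b"") -> str:
    """Encode a password as an RFC 2307 userPassword value ({SSHA} or {SHA})."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    if scheme == "SSHA":
        return "{SSHA}" + base64.b64encode(digest + salt).decode()
    if scheme == "SHA":
        return "{SHA}" + base64.b64encode(digest).decode()
    raise ValueError(f"unsupported scheme {scheme}")


def check_userpassword(stored: str, candidate: str) -> bool:
    """Constant-time check against an RFC 2307 userPassword value: {SSHA},
    {SHA} or cleartext (the form in the page's LDIF); other schemes fail closed."""
    cand = candidate.encode()
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[6:])
        digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes
        return hmac.compare_digest(hashlib.sha1(cand + salt).digest(), digest)
    if stored.startswith("{SHA}"):
        return hmac.compare_digest(hashlib.sha1(cand).digest(),
                                   base64.b64decode(stored[5:]))
    if stored.startswith("{"):
        return False
    return hmac.compare_digest(stored.encode(), cand)


# Constructed directory keyed by DN. John Smith's entry is the page's LDIF
# (cleartext userPassword); jsmith's uses a salted hash with a fixed salt.
DIRECTORY = {
    "uid=jsmith,ou=Users,dc=mydomain,dc=com": {
        "uid": "jsmith",
        "userPassword": make_userpassword("secret", "SSHA", b"saltsalt")},
    "cn=John Smith,ou=Users,dc=mydomain,dc=com": {
        "cn": "John Smith", "sn": "Smith", "uid": "john.smith",
        "userPassword": "secret"},
}

# Constructed Striim user table: login name -> (property set, LDAP name).
# CREATE USER ... USING LDAP keeps the login name as the LDAP name; ALIAS FOR
# substitutes the alias target. The page reuses jsmith for both examples, so a
# second login name (johns) is used here to hold the aliased user.
STRIIM_USERS = {
    "jsmith": ("admin.LDAP1", "jsmith"),
    "johns": ("admin.LDAP2", "John Smith"),
}

_DN_SPECIAL = set('"+,;<>\\')


def escape_dn_value(value: str) -> str:
    """Escape an attribute value per RFC 4514 section 2.4 before it is spliced
    into a DN, so a name like 'jsmith,ou=Admins' cannot redirect the lookup."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _DN_SPECIAL or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def lookup_dn(propset: dict, ldap_name: str) -> str:
    """<USER_USERID>=<LDAP name>,<USER_BASE_DN>, as the page describes."""
    return f"{propset['USER_USERID']}={escape_dn_value(ldap_name)},{propset['USER_BASE_DN']}"


def login(login_name: str, password: str) -> tuple:
    """Replay the documented checks; returns (ok, reason or matched DN)."""
    user = STRIIM_USERS.get(login_name)
    if user is None:                 # aliased users must log in with the alias
        return False, "no Striim user with that login name"
    propset_name, ldap_name = user
    propset = PROPSETS[propset_name]
    dn = lookup_dn(propset, ldap_name)
    entry = DIRECTORY.get(dn)
    if entry is None:
        return False, f"no entry at {dn}"
    if entry.get(propset["USER_RDN"]) != ldap_name:      # USER_RDN must match
        return False, f"{propset['USER_RDN']} does not match {ldap_name!r}"
    if not check_userpassword(entry["userPassword"], password):
        return False, "password mismatch"
    return True, dn


if __name__ == "__main__":
    for name, pw in [("jsmith", "secret"), ("jsmith", "wrong"),
                     ("johns", "secret"), ("John Smith", "secret")]:
        print(f"{name!r:13} -> {login(name, pw)}")
    print(lookup_dn(PROPSETS["admin.LDAP1"], "jsmith,ou=Admins"))
```

Logging in as "John Smith" fails because no Striim user has that login name, which is the situation the Note describes. The last line shows why escaping matters: without it, a login name of jsmith,ou=Admins would be spliced into uid=jsmith,ou=Admins,ou=Users,dc=mydomain,dc=com and the lookup would move to a different subtree; escaped, the comma stays part of the uid value and the lookup simply finds nothing.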