Striim 3.10.3 documentation

Using LDAP authentication

Notes:

  • LDAP groups are not supported. You must create a Striim user for each LDAP user that will log in to Striim.

  • The password provided when logging into Striim must match the Password property value for the corresponding LDAP user (see discussion of LDAP names below).

  • Passwords for Striim users created with the USING LDAP option (discussed below) are not stored in Striim.

Creating a property set

To use your OpenLDAP or Microsoft Active Directory server to authenticate Striim users, use the Tungsten console to create a property set containing the following properties.

property | default value | notes
PROVIDER_URL | | ldap://<LDAP server IP address> or, if using SSL, ldaps://<LDAP server IP address>
SECURITY_AUTHENTICATION | | Set to simple, the only currently supported value. See Enabling SSL for LDAP for instructions on securing authentication.
SECURITY_CREDENTIALS | | Password for SECURITY_PRINCIPAL, if required (will be encrypted). This may be encrypted per RFC 2307.
SECURITY_PRINCIPAL | | Specify the full DN for the service account or admin user account that will be used to look up users (see the documentation for your LDAP server).
USER_BASE_DN | | Specify the base DN for the users to be authenticated (see the documentation for your LDAP server), for example, ou=Users,dc=mydomain,dc=com.
USER_RDN | uid | Striim combines the LDAP property specified here with USER_BASE_DN to create the relative distinguished names (RDNs) used to authenticate users. For example, with the property set below, the RDN for the Striim login name jsmith would be uid=jsmith,ou=Users,dc=mydomain,dc=com.
USER_USERID | | Striim combines the LDAP property specified here with USER_BASE_DN to look up users in LDAP. For example, with the property set below and the Striim login name jsmith, Striim would search for uid=jsmith,ou=Users,dc=mydomain,dc=com.

For example:

USE admin;
CREATE PROPERTYSET LDAP1 (
PROVIDER_URL:"ldap://203.0.113.45:389/",
SECURITY_AUTHENTICATION:simple,
SECURITY_PRINCIPAL: "cn=Manager,dc=mydomain,dc=com",
SECURITY_CREDENTIALS:secret,
USER_BASE_DN:"ou=Users,dc=mydomain,dc=com",
USER_RDN:uid,
USER_USERID:uid);

Using LDAP with Striim-compatible LDAP names

If the values for the LDAP property specified by USER_RDN do not contain spaces, punctuation, or special characters, they may be used as the Striim login names. For example, with the above property set, an administrator could create a Striim user associated with an existing LDAP user on that server using this syntax:

CREATE USER <name> USING LDAP admin.LDAP1;

At login, Striim will search the LDAP directory for <USER_USERID>=<user name>,<USER_BASE_DN>. If the user is found, Striim will verify that the <USER_RDN> value matches the user name and that the Striim login password matches the LDAP userPassword value. For example:

CREATE USER jsmith USING LDAP admin.LDAP1;

Since USER_USERID is uid, Striim will search the LDAP directory for uid=jsmith,ou=Users,dc=mydomain,dc=com. Since USER_RDN is also uid, Striim will verify that uid=jsmith. If it does, Striim will verify that the login password matches the LDAP userPassword value and create a Striim user associated with that LDAP user. If the search has no results, the uid value is not jsmith, or the passwords do not match, Striim user creation will fail.

When a user is created with the USING LDAP option, DESCRIBE <user> will return the name of the LDAP property set.

Using LDAP authentication with incompatible LDAP names

If the values for the LDAP property specified by USER_RDN (by default, uid) contain spaces, punctuation, or special characters, they may not be used as the associated Striim login names. To work around this limitation, use the ALIAS FOR option.

For example, assume that in LDAP users look like this:

dn: cn=John Smith,ou=Users,dc=mydomain,dc=com
cn: John Smith
sn: Smith
objectClass: inetOrgPerson
userPassword: secret
uid: john.smith

In that case, you could set the USER_RDN and USER_USERID values to cn:

USE admin;
CREATE PROPERTYSET LDAP2 (
PROVIDER_URL:"ldap://203.0.113.45:389/",
SECURITY_AUTHENTICATION:simple,
SECURITY_PRINCIPAL: "cn=Manager,dc=mydomain,dc=com",
SECURITY_CREDENTIALS:secret,
USER_BASE_DN:"ou=Users,dc=mydomain,dc=com",
USER_RDN:cn,
USER_USERID:cn);

Then the command to create a Striim user account for John Smith would be:

CREATE USER jsmith USING LDAP admin.LDAP2 ALIAS FOR 'John Smith';

Since in this case USER_USERID is cn, Striim will search the LDAP directory for cn=John Smith,ou=Users,dc=mydomain,dc=com.

Note

The user must log in to Striim with the alias, not their usual LDAP user name (in the example, jsmith, not John Smith or john.smith).

When a user is created with the ALIAS FOR option, DESCRIBE <user> will return the LDAP user name.
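The following Python script is an added example, not part of the Striim documentation or product: it replays the login checks described above (build <USER_USERID>=<name>,<USER_BASE_DN>, confirm the entry exists, confirm the USER_RDN attribute matches, confirm the password) against a constructed in-memory directory holding the uid=jsmith entry from the first property set and the cn=John Smith entry from the second. Everything beyond the page's own values is an assumption: the STRIIM_NAME pattern used to decide which login names need ALIAS FOR, the in-memory directory and its salt, the exact-string stand-in for an LDAP search, and the {SSHA}/{SHA} handling, which shows how the same check works when userPassword is stored hashed per RFC 2307 instead of in cleartext as in the example entry.

```python
import base64
import hashlib
import hmac
import re
from typing import Dict, List, Optional, Tuple

# Constructed property sets mirroring LDAP1 and LDAP2 on this page
# (only the lookup-related properties are modelled).
LDAP1 = {"USER_BASE_DN": "ou=Users,dc=mydomain,dc=com", "USER_RDN": "uid", "USER_USERID": "uid"}
LDAP2 = {"USER_BASE_DN": "ou=Users,dc=mydomain,dc=com", "USER_RDN": "cn", "USER_USERID": "cn"}


def make_ssha(password: str, salt: bytes) -> str:
    """Produce an RFC 2307 style {SSHA} userPassword value: base64(sha1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_password(stored: str, given: str) -> bool:
    """Compare a login password with a userPassword value stored as {SSHA}, {SHA} or cleartext."""
    given_bytes = given.encode("utf-8")
    if stored.startswith("{SSHA}"):
        data = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = data[:20], data[20:]  # SHA-1 digest is 20 bytes, the salt follows it
        return hmac.compare_digest(hashlib.sha1(given_bytes + salt).digest(), digest)
    if stored.startswith("{SHA}"):
        digest = base64.b64decode(stored[len("{SHA}"):])
        return hmac.compare_digest(hashlib.sha1(given_bytes).digest(), digest)
    return hmac.compare_digest(stored.encode("utf-8"), given_bytes)


# Constructed directory (assumption): the uid=jsmith entry implied by the first example
# and the cn=John Smith inetOrgPerson entry from the second, the latter with a hashed password.
DIRECTORY: List[Dict[str, str]] = [
    {"dn": "uid=jsmith,ou=Users,dc=mydomain,dc=com", "uid": "jsmith",
     "cn": "J. Smith", "sn": "Smith", "userPassword": "secret"},
    {"dn": "cn=John Smith,ou=Users,dc=mydomain,dc=com", "cn": "John Smith",
     "sn": "Smith", "uid": "john.smith", "userPassword": make_ssha("secret", b"s4lt")},
]

# Assumption: a Striim-compatible login name is letters, digits and underscore only;
# anything with spaces, punctuation or special characters must go through ALIAS FOR.
STRIIM_NAME = re.compile(r"^[A-Za-z0-9_]+$")


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN, per RFC 4514 section 2.4."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '"+,;<>\\':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == " " and i in (0, last):   # only leading/trailing spaces need escaping
            out.append("\\ ")
        elif ch == "#" and i == 0:
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


def build_dn(props: Dict[str, str], ldap_name: str) -> str:
    """<USER_USERID>=<name>,<USER_BASE_DN>, the search target the page describes."""
    return f"{props['USER_USERID']}={escape_rdn_value(ldap_name)},{props['USER_BASE_DN']}"


def authenticate(props: Dict[str, str], login_name: str, password: str,
                 alias: Optional[str] = None) -> Tuple[bool, str]:
    """Replay the three checks: entry exists, USER_RDN value matches, password matches."""
    if alias is None and not STRIIM_NAME.match(login_name):
        return False, "login name needs ALIAS FOR: contains spaces, punctuation or special characters"
    ldap_name = alias if alias is not None else login_name
    dn = build_dn(props, ldap_name)
    # Exact string match stands in for an LDAP search; real servers apply DN matching rules.
    entry = next((e for e in DIRECTORY if e["dn"] == dn), None)
    if entry is None:
        return False, f"no entry at {dn}"
    if entry.get(props["USER_RDN"]) != ldap_name:
        return False, f"{props['USER_RDN']} value does not match {ldap_name}"
    if not verify_password(entry.get("userPassword", ""), password):
        return False, "password mismatch"
    return True, dn


if __name__ == "__main__":
    print(authenticate(LDAP1, "jsmith", "secret"))                       # compatible name
    print(authenticate(LDAP2, "jsmith", "secret", alias="John Smith"))   # ALIAS FOR path
    print(authenticate(LDAP2, "john.smith", "secret"))                   # rejected without alias
```

The three calls at the bottom correspond to the three situations on this page: a login name that is also the uid, an alias mapping jsmith to the cn John Smith, and an attempt to log in with the LDAP uid john.smith, which fails because that name is not the alias the Striim user was created with.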