Using LDAP authentication

Notes:

  • LDAP groups are not supported. You must create a Striim user for each LDAP user that will log in to Striim.

  • The password provided when logging into Striim must match the Password property value for the corresponding LDAP user (see discussion of LDAP names below).

  • Passwords for Striim users created with the USING LDAP option (discussed below) are not stored in Striim.

Creating a property set

To use your OpenLDAP or Microsoft Active Directory server to authenticate Striim users, use the Tungsten console to create a property set containing the following properties.

Properties (the default value of every property is empty) and notes:

PROVIDER_URL
  ldap://<LDAP server IP address>, or ldaps://<LDAP server IP address> if using SSL.

SECURITY_AUTHENTICATION
  Set to simple, the only currently supported value. See Enabling SSL for LDAP for instructions on securing authentication.

SECURITY_CREDENTIALS
  Password for SECURITY_PRINCIPAL, if required (will be encrypted). This may be encrypted per RFC 2307.

SECURITY_PRINCIPAL
  Specify the full DN for the service account or admin user account that will be used to look up users (see the documentation for your LDAP server).

USER_BASE_DN
  Specify the base DN for the users to be authenticated (see the documentation for your LDAP server), for example, ou=Users,dc=mydomain,dc=com.

USER_USERID
  Striim combines the LDAP property specified here with the USER_BASE_DN to look up users in LDAP. For example, with the property set below and the Striim login name jsmith, Striim would search for uid=jsmith,ou=Users,dc=mydomain,dc=com.

For example:

USE admin;
CREATE PROPERTYSET LDAP1 (
PROVIDER_URL:"ldap://203.0.113.45:389/",
SECURITY_AUTHENTICATION:simple,
SECURITY_PRINCIPAL: "cn=Manager,dc=mydomain,dc=com",
SECURITY_CREDENTIALS:secret,
USER_BASE_DN:"ou=Users,dc=mydomain,dc=com",
USER_USERID:uid);

To change properties in an existing property set, see ALTER PROPERTYSET.

Using LDAP with Striim-compatible LDAP names

If the values for the LDAP property specified by USER_USERID do not contain spaces, punctuation, or special characters, they may be used as the Striim login names. For example, with the above property set, an administrator could create a Striim user associated with an existing LDAP user on that server using this syntax:

CREATE USER <name> USING LDAP admin.LDAP1;

At login, Striim will search the LDAP directory for <USER_USERID>=<user name>,<USER_BASE_DN>. If the user is found, Striim will verify that the <USER_RDN> value matches the user name and that the Striim login password matches the LDAP userPassword value. For example:

CREATE USER jsmith USING LDAP admin.LDAP1;

Since USER_USERID is uid, Striim will search the LDAP directory for uid=jsmith,ou=Users,dc=mydomain,dc=com and verify that the uid on the LDAP entry matches jsmith. If it does, Striim will verify that the login password matches the LDAP userPassword value and create a Striim user associated with that LDAP user. If the search has no results, if the uid value is not jsmith, or if the passwords do not match, then Striim user creation will fail.

When a user is created with the USING LDAP option, DESCRIBE <user name> will return the name of the LDAP property set.

Using LDAP authentication with incompatible LDAP names

If the values for the LDAP property specified by USER_USERID (by default, uid) contain spaces, punctuation, or special characters, they may not be used as the associated Striim login names. To work around this limitation, use the ALIAS FOR option.

For example, assume that in LDAP users look like this:

dn: cn=John Smith,ou=Users,dc=mydomain,dc=com
cn: John Smith
sn: Smith
objectClass: inetOrgPerson
userPassword: secret
uid: john.smith

In that case, you could set the USER_RDN and USER_USERID value to cn:

USE admin;
CREATE PROPERTYSET LDAP2 (
PROVIDER_URL:"ldap://203.0.113.45:389/",
SECURITY_AUTHENTICATION:simple,
SECURITY_PRINCIPAL: "cn=Manager,dc=mydomain,dc=com",
SECURITY_CREDENTIALS:secret,
USER_BASE_DN:"ou=Users,dc=mydomain,dc=com",
USER_RDN:cn,
USER_USERID:cn);

Then the command to create a Striim user account for John Smith would be:

CREATE USER jsmith USING LDAP admin.LDAP2 ALIAS FOR 'John Smith';

Since in this case USER_USERID is cn, Striim will search the LDAP directory for cn=John Smith,ou=Users,dc=mydomain,dc=com.

Note

The user must log in to Striim with the alias, not their usual LDAP user name (in the example, jsmith, not John Smith or john.smith).

When a user is created with the ALIAS FOR option, DESCRIBE <user> will return the LDAP user name.

Using a single property set for multiple users

The USER_BASE_DN property in the LDAP property set is used to build the DN when searching for a user. (The DN is a common key by which an LDAP object is looked up.) To create multiple users with unique DNs using the same property set, include the user names in the ALIAS FOR clauses. For example:

CREATE PROPERTYSET LDAPCOMMON (
  PROVIDER_URL:"ldap://203.0.113.48:10389/",
  SECURITY_AUTHENTICATION:simple,
  SECURITY_PRINCIPAL: "uid=admin,ou=system",
  SECURITY_CREDENTIALS:secret,
  USER_BASE_DN:"ou=Users,dc=striim,dc=com",
  USER_RDN:cn,
  USER_USERID:cn
);
CREATE USER rosemary USING LDAP admin.LDAPCOMMON ALIAS FOR "rosemary;ou=Users,ou=Managed,dc=ahis";
CREATE USER eugene USING LDAP admin.LDAPCOMMON ALIAS FOR "eugene;ou=Users,ou=Managed,dc=txaus";

Using the above commands, the two DNs created in LDAP would be:

DN=USER_USERID:rosemary,ou=Users,ou=Managed,dc=ahis,ou=Users,dc=striim,dc=com
DN=USER_USERID:eugene,ou=Users,ou=Managed,dc=txaus,ou=Users,dc=striim,dc=com
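The following Python script is an added example, not Striim code and not part of the original page. It models the lookup rule the three preceding sections describe (<USER_USERID>=<name>,<USER_BASE_DN>, the ALIAS FOR substitution, and the "value;extra RDNs" alias form of the LDAPCOMMON example) together with the post-search checks (USER_RDN attribute must match, userPassword must match). Everything beyond that is an assumption of the example: the helper names, the letters-and-digits-only reading of "no spaces, punctuation, or special characters", and the RFC 4514 escaping of the RDN value, which is added here as a defensive measure so that an alias value containing a comma cannot add RDNs to the search DN. The property sets and the directory entry are constructed copies of the page's examples.

```python
"""Model of the Striim LDAP lookup rule described on this page (added example).

Assumptions (not from the page): helper names, letters-and-digits-only
compatibility rule, and RFC 4514 escaping of the RDN value.
"""
import hmac
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Characters that RFC 4514 requires to be escaped inside a DN attribute value.
_DN_SPECIAL = ',+"\\<>;='


@dataclass(frozen=True)
class LdapPropertySet:
    """The subset of a Striim LDAP property set that matters for building the DN."""
    user_base_dn: str
    user_userid: str                 # attribute combined with the login name (uid, cn, ...)
    user_rdn: Optional[str] = None   # attribute whose value must match after the search


def is_striim_compatible(value: str) -> bool:
    """True if an LDAP value can be used directly as a Striim login name.

    Assumption: letters and digits only, so 'jsmith' passes while 'john.smith'
    and 'John Smith' (the page's two incompatible examples) are rejected."""
    return re.fullmatch(r"[A-Za-z0-9]+", value) is not None


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN (RFC 4514 section 2.4)."""
    out = []
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == " " and i in (0, len(value) - 1):
            out.append("\\ ")          # leading or trailing space must be escaped
        elif ch == "#" and i == 0:
            out.append("\\#")          # leading '#' must be escaped
        else:
            out.append(ch)
    return "".join(out)


def search_dn(props: LdapPropertySet, login_name: str, alias: Optional[str] = None) -> str:
    """Build the DN Striim searches for: <USER_USERID>=<value>,<USER_BASE_DN>.

    Without ALIAS FOR the login name itself is the value and must be compatible.
    With ALIAS FOR the alias supplies the value; an alias written as
    'value;rdn,rdn' (the LDAPCOMMON example) places those RDNs between the
    user RDN and USER_BASE_DN. Only the value part is escaped."""
    if alias is None:
        if not is_striim_compatible(login_name):
            raise ValueError(f"{login_name!r} is not a compatible LDAP name; use ALIAS FOR")
        value, extra = login_name, ""
    else:
        value, _, extra = alias.partition(";")
    rdn = f"{props.user_userid}={escape_dn_value(value)}"
    return ",".join(part for part in (rdn, extra, props.user_base_dn) if part)


def verify_entry(props: LdapPropertySet, entry: dict, expected: str, password: str) -> Tuple[bool, str]:
    """Apply the page's post-search checks to a found entry.

    The USER_RDN attribute (USER_USERID when USER_RDN is unset) must equal the
    expected value, and userPassword must equal the supplied password (compared
    in constant time). Returns (ok, reason)."""
    attr = props.user_rdn or props.user_userid
    if entry.get(attr) != expected:
        return False, f"{attr} mismatch"
    stored = entry.get("userPassword", "").encode()
    if not hmac.compare_digest(stored, password.encode()):
        return False, "password mismatch"
    return True, "ok"


# Constructed property sets mirroring the page's LDAP1, LDAP2 and LDAPCOMMON examples.
LDAP1 = LdapPropertySet("ou=Users,dc=mydomain,dc=com", "uid")
LDAP2 = LdapPropertySet("ou=Users,dc=mydomain,dc=com", "cn", "cn")
LDAPCOMMON = LdapPropertySet("ou=Users,dc=striim,dc=com", "cn", "cn")

# Constructed copy of the page's sample directory entry.
JOHN_SMITH_ENTRY = {
    "dn": "cn=John Smith,ou=Users,dc=mydomain,dc=com",
    "cn": "John Smith",
    "sn": "Smith",
    "objectClass": "inetOrgPerson",
    "userPassword": "secret",
    "uid": "john.smith",
}

if __name__ == "__main__":
    print(search_dn(LDAP1, "jsmith"))
    print(search_dn(LDAP2, "jsmith", alias="John Smith"))
    print(search_dn(LDAPCOMMON, "rosemary", alias="rosemary;ou=Users,ou=Managed,dc=ahis"))
    print(search_dn(LDAP2, "x", alias="Smith, John"))   # comma in the value is escaped
    print(verify_entry(LDAP2, JOHN_SMITH_ENTRY, "John Smith", "secret"))
```

The alias with an embedded ";" is split once: the text before it becomes the RDN value, the text after it is taken as literal RDNs and is not escaped, because in the LDAPCOMMON example those components are meant to be DN syntax. The value part is escaped so that a comma inside a name such as "Smith, John" stays part of the cn value rather than becoming a new RDN.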

Using sAMAccountName

To use sAMAccountName, set USER_USERID:samaccountname.