DX NetOps


Spectrum 10.4.0 - LDAP/AD Groups Membership

  • 1.  Spectrum 10.4.0 - LDAP/AD Groups Membership

    Posted Mar 08, 2021 11:14 AM
    Hello all,

    I am trying to find some information on how to configure LDAP authentication on Spectrum (version 10.4.0) for LDAP/AD Groups Membership (group object containing users) authentication.

    I can configure it to search inside an OU (containing a list of users in the directory), validate and authenticate the users, but when I try to configure it to check a Group, it gives me the error "User unknown or wrong password", and I know for sure that the user belongs to that Group and the path is correct (I tested using ldapsearch and got the users).

    Does this version, 10.4.0, support LDAP/AD Group Membership?
    If it does, where can I find the documentation for it (I can't find it in its manual)?
    If not, is there a workaround?

    Thanks,
    Bruno


  • 2.  RE: Spectrum 10.4.0 - LDAP/AD Groups Membership

    Posted Mar 09, 2021 03:19 AM
    Hi, first of all, from my experience the LDAP integration didn't work so well for us in this version...
    We upgraded to 10.4.3 and it works perfectly, plus you can configure LDAP groups.
    See this documentation:
    https://techdocs.broadcom.com/us/en/ca-enterprise-software/it-operations-management/spectrum/10-4-3/administrating/oneclick-administration/oneclick-administration-pages.html#concept.dita_99bd4cd8af497f4501d74d0457df4a5fc66ed4b4_LDAPUserGroupAuthentication


  • 3.  RE: Spectrum 10.4.0 - LDAP/AD Groups Membership

    Posted Mar 09, 2021 04:09 AM
    Hello Magen,

    Thanks for the tip. I have seen that link before, but like you said, it's for 10.4.3, and for now we are not going to do upgrades (I do not know when that will be done). I am stuck with 10.4.0 for the moment; is there any way to make it work with groups in this version?

    Thanks


  • 4.  RE: Spectrum 10.4.0 - LDAP/AD Groups Membership

    Broadcom Employee
    Posted Mar 09, 2021 04:24 AM
    Hi Bruno,

    Do you refer to this feature?

    https://techdocs.broadcom.com/us/en/ca-enterprise-software/it-operations-management/spectrum/10-4-2/release-information/features-and-enhancements.html#concept.dita_74630ff8e83cd59592f994d76127c7a97e847997_LDAPUserGroupAuthentication

    It was introduced in 10.4.2.

    When you search your user in the LDAP using ldapsearch, does it return the memberOf attributes?

    Regards


  • 5.  RE: Spectrum 10.4.0 - LDAP/AD Groups Membership

    Posted Mar 09, 2021 04:55 AM
    Hello Jose,

    Thanks for the reply.

    "do you refer to this feature?
    https://techdocs.broadcom.com/us/en/ca-enterprise-software/it-operations-management/spectrum/10-4-2/release-information/features-and-enhancements.html#concept.dita_74630ff8e83cd59592f994d76127c7a97e847997_LDAPUserGroupAuthentication"

    Yes, it's something like that. I need to point OneClick to the LDAP/AD group containing the users that can access Spectrum.

    "It was introduced in 10.4.2."
    So this means it's not possible with the version I have (10.4.0), and the only solution is to upgrade to at least 10.4.2?

    "When you search your user in the LDAP using ldapsearch, does it return the memberOf attributes?"
    Yes, when I query the AD for listing the users, I can see the memberOf attribute, and when I query the group I can see the users in it.

    Thanks for the help.


  • 6.  RE: Spectrum 10.4.0 - LDAP/AD Groups Membership

    Broadcom Employee
    Posted Mar 09, 2021 05:25 AM
    Hi Bruno,

    LDAP authentication should work as well in 10.4.0. The only difference is that 10.4.2 included the ability to auto-provision users in Spectrum based on their group membership. In 10.4.0, you must guarantee the user already exists in Spectrum with the same name as it appears in LDAP.

    Regards


  • 7.  RE: Spectrum 10.4.0 - LDAP/AD Groups Membership

    Posted Mar 09, 2021 06:31 AM
    Hello Jose,

    "The only difference is that 10.4.2 included the ability to auto-provision users in Spectrum based on their group membership."

    Ok, I see. It's not what I am looking for.

    I have OneClick pointing to AD, to a specific directory in which there are all the users that can access Spectrum (and I have them configured in Spectrum), and they can access it. Now I have to change it to point to another directory, but it only has one Security Group (group_object) inside it. That group has the same members as the previous directory.

    My question is, how do I configure OneClick to use that Group (group_object) and allow the "contained" users to access Spectrum?
    (When I say "contained" users, I mean the users inside that group.)

    Thanks for the help, much appreciated.


  • 8.  RE: Spectrum 10.4.0 - LDAP/AD Groups Membership

    Broadcom Employee
    Posted Mar 09, 2021 06:40 AM
    Hi Bruno,

    I think you only have to reconfigure the connection details in OneClick.

    If your LDAP structure (baseDN) has changed, just update it.

    The user authentication process will search for the user in the directory based on the configured criteria: User by search or User by pattern.

    User by search is less impacted by LDAP structure changes because it searches from the baseDN.

    Makes sense?
    Regards


  • 9.  RE: Spectrum 10.4.0 - LDAP/AD Groups Membership

    Posted Mar 09, 2021 08:05 AM
    Hello,

    Yes, it does make sense, and I have been doing that with no success. I always receive the error saying the user does not exist or the password is wrong (when I test a user).
    Maybe I am seeing this the wrong way, checking the group object for the users belonging to it, and the only option is to update to 10.4.2 and configure it to check the user's membership in each group they belong to.

    Thanks.


  • 10.  RE: Spectrum 10.4.0 - LDAP/AD Groups Membership

    Broadcom Employee
    Posted Mar 09, 2021 08:50 AM
    Hi Bruno,

    Usually, users and groups are located in different branches in the LDAP, and they are related through membership attributes. I mean, the group branch does not contain users.

    Example: 
    - Users under ou=People,dc=field,dc=mydomain,dc=com
    - Groups under ou=Groups,dc=field,dc=mydomain,dc=com

    Is this your case?

    You have to configure the LDAP integration with a baseDN, which reduces the scope of the search; it can be the branch where the users are located (ou=People,dc=field,dc=mydomain,dc=com) or the suffix (dc=mydomain,dc=com). Remember to check Search subdirectories if this is the case.

    Later, ensure you are using the right attribute in the user entry to search the user by. Examples are uid={0} or sAMAccountName={0}, where {0} is the username you introduce for authentication.

    Regards
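The user lookup described above, written out as an added example (not Spectrum's own code): the login name is substituted into a `uid={0}` / `sAMAccountName={0}` pattern with RFC 4515 escaping, and the entry must sit under the configured baseDN, one level down unless "Search subdirectories" is on. The directory entries below are constructed to mirror the thread's layout; the DN splitter assumes no escaped commas inside RDN values.

```python
# Added example, not Spectrum code: simulate the OneClick-style user search
# (pattern with {0}, baseDN scope, Search subdirectories). Sample data is constructed.

_RFC4515_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(pattern: str, username: str) -> str:
    """Substitute the login name into a pattern such as 'uid={0}' or 'sAMAccountName={0}'.
    Escaping keeps a crafted login name from changing the filter's structure."""
    return "(" + pattern.replace("{0}", escape_filter_value(username)) + ")"


def _rdns(dn: str) -> list[str]:
    # Simplified DN split (assumption: no escaped commas inside RDN values); case-insensitive.
    return [part.strip().lower() for part in dn.split(",")]


def in_scope(entry_dn: str, base_dn: str, search_subdirectories: bool) -> bool:
    """True if entry_dn lies under base_dn: exactly one level down, or any depth with subtree search."""
    entry, base = _rdns(entry_dn), _rdns(base_dn)
    if len(entry) <= len(base) or entry[-len(base):] != base:
        return False
    depth = len(entry) - len(base)
    return depth == 1 or search_subdirectories


# Constructed sample directory: users under ou=People, one nested OU, groups under ou=Groups.
DIRECTORY = {
    "cn=bruno,ou=People,dc=field,dc=mydomain,dc=com": {"sAMAccountName": "bruno"},
    "cn=clyde,ou=Contractors,ou=People,dc=field,dc=mydomain,dc=com": {"sAMAccountName": "clyde"},
    "cn=netops-admins,ou=Groups,dc=field,dc=mydomain,dc=com": {
        "member": ["cn=bruno,ou=People,dc=field,dc=mydomain,dc=com"]},
}


def find_user(pattern: str, username: str, base_dn: str, search_subdirectories: bool):
    """Return the DN of the single entry whose '<attr>={0}' pattern matches within scope, else None.
    Only equality patterns are simulated here; a real server evaluates build_user_filter()'s string."""
    attr, _, _ = pattern.partition("=")
    matches = [dn for dn, attrs in DIRECTORY.items()
               if attrs.get(attr) == username and in_scope(dn, base_dn, search_subdirectories)]
    return matches[0] if len(matches) == 1 else None
```

A user nested one OU deeper than the baseDN is only found when subtree search is enabled, which is the situation the "Search subdirectories" reminder covers.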


  • 11.  RE: Spectrum 10.4.0 - LDAP/AD Groups Membership

    Broadcom Employee
    Posted Mar 09, 2021 08:56 AM
    Spectrum will only try and find the user record in 10.4.0 based off the DN provided to search.
    There is no way in 10.4.0 to limit the users from a particular group.

    That is what the new functionality in 10.4.2 can do. Not only can it create the user as admin or operator based on group, but it can also control which groups have access to Spectrum.


  • 12.  RE: Spectrum 10.4.0 - LDAP/AD Groups Membership

    Posted Mar 10, 2021 03:34 AM
    Hello,

    Yes, I do have something like that:

    - Users under ou=People,dc=field,dc=mydomain,dc=com (this is working in the LDAP integration)
    - Groups under ou=Groups,dc=field,dc=mydomain,dc=com (this is what I need to work in the new settings; inside this "Groups" I have one group_object which has references to some users from the first branch)

    From my understanding of what you told me, it doesn't work. Only from version 10.4.2 can we have this feature.

    Thanks for the help Jeff and Jose.

  • 13.  RE: Spectrum 10.4.0 - LDAP/AD Groups Membership

    Broadcom Employee
    Posted Mar 10, 2021 03:48 AM
    Hi Bruno,

    That is correct. In summary:

    Up to Spectrum 10.4.2, LDAP integration consists of searching user objects under the base DN. Once authenticated against LDAP, Spectrum maps the user to a user previously created in Spectrum. If the user is not found, the process returns an error.

    From 10.4.2, LDAP integration searches for the user the same way, authenticates it and maps it. Unlike previous versions, if the user does not exist in Spectrum, the user is auto-provisioned based on the group membership (memberOf attributes) of the user in LDAP and the mapping between LDAP groups and Spectrum Roles defined as part of the LDAP integration configuration.

    Regards


  • 14.  RE: Spectrum 10.4.0 - LDAP/AD Groups Membership

    Posted Mar 17, 2021 08:10 AM

    It seems like this is not particularly useful. The benefit of LDAP/AD/SAML is an externally and centrally managed authentication provider (with SAML you can also have MFA). Using LDAP to provision a user in a local database seems to fail to use LDAP/AD effectively. An ideal integration would be where Spectrum would query LDAP when a user attempts to log in and determine their level of access at login time based on their group memberships. This is what most software that I deal with has been doing for years.

    Based on all these caveats from the documentation, I would not bother with LDAP groups.

    https://techdocs.broadcom.com/us/en/ca-enterprise-software/it-operations-management/spectrum/10-4-2/administrating/oneclick-administration/oneclick-administration-pages.html#concept.dita_99bd4cd8af497f4501d74d0457df4a5fc66ed4b4_LDAPUserGroupAuthentication

    • If any landscape is down when the user logs in, then you must manually create the user in the landscape when the landscape is available.
    • If the user is removed from the LDAP server, then the user must be manually removed from the DX NetOps Spectrum user group in every landscape.
    • If the user is moved from one user group to another in the LDAP server, then you must do it manually in the DX NetOps Spectrum groups. However, login of the user is not affected for the user even if the user is not moved in DX NetOps Spectrum.
    • If the user is part of the multiple groups in the LDAP server and matched with the multiple groups configured in DX NetOps Spectrum, then the first matching group is considered for the user authentication. In this case, the order in which the LDAP server returns the user group names is random. Therefore, matching is not always the same.

    Clyde


  • 15.  RE: Spectrum 10.4.0 - LDAP/AD Groups Membership

    Broadcom Employee
    Posted Mar 17, 2021 10:03 AM
    Clyde,

    All good points. SAML2 is recommended just because it provides real SSO across Spectrum and NetOps vs using LDAP locally in each NetOps product.

    Spectrum and PM do support SAML2. PM can dup 1 user configured in SsoConfig or use a ClonedUser attribute sent by the SAML2 Assertion.
    I'm not sure if Spectrum SAML2 support handles creating any users at this time.

    As far as LDAP user creation, PM and I believe Spectrum use the order of the LDAP groups in the config. So you control which group to match first in the user. It doesn't matter what order the LDAP provides the groups in; we check for the first ldapGroup in the user record and if it matches, we clone that user associated to the ldapGroup entry. Otherwise, we move on to the next ldapGroup and search for that group. So admins should put the ldapGroups in the order they wish to match against user records. Put admin groups before user groups, etc.
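The two matching strategies at issue in this post and in the documentation caveats quoted earlier, side by side as an added example (not PM or Spectrum code): walking the configured ldapGroup list in admin-defined order gives the same role no matter how the server orders memberOf, while walking memberOf in server order does not. The group DNs, role names and memberOf values are constructed.

```python
# Added example, not PM/Spectrum code: role selection from memberOf under two strategies.
import random

# Ordered mapping as an admin would configure it: admin groups before user groups (constructed).
LDAP_GROUP_MAPPING = [
    ("cn=netops-admins,ou=Groups,dc=field,dc=mydomain,dc=com", "Administrator"),
    ("cn=netops-operators,ou=Groups,dc=field,dc=mydomain,dc=com", "Operator"),
]


def _norm(dn: str) -> str:
    # AD returns "CN=...,OU=...": compare DNs case-insensitively and ignore stray whitespace.
    return dn.strip().lower()


def role_by_config_order(member_of, mapping=LDAP_GROUP_MAPPING):
    """Walk the configured ldapGroups in order; the first one the user belongs to wins."""
    groups = {_norm(g) for g in member_of}
    for group_dn, role in mapping:
        if _norm(group_dn) in groups:
            return role
    return None  # no mapped group: nothing to provision, user is not let in


def role_by_server_order(member_of, mapping=LDAP_GROUP_MAPPING):
    """Walk memberOf in the order the LDAP server returned it; the first mapped group wins.
    This is the behaviour the documentation caveat warns about: that order is not stable."""
    lookup = {_norm(g): r for g, r in mapping}
    for group_dn in member_of:
        if _norm(group_dn) in lookup:
            return lookup[_norm(group_dn)]
    return None


def outcomes_under_shuffled_order(member_of, strategy, trials=50, seed=1):
    """Set of roles a strategy yields when the server returns memberOf in varying orders."""
    rng = random.Random(seed)
    seen = set()
    for _ in range(trials):
        shuffled = list(member_of)
        rng.shuffle(shuffled)
        seen.add(strategy(shuffled))
    return seen


# Constructed memberOf for a user who is in both mapped groups plus an unrelated one.
USER_MEMBER_OF = [
    "CN=netops-operators,OU=Groups,DC=field,DC=mydomain,DC=com",
    "CN=vpn-users,OU=Groups,DC=field,DC=mydomain,DC=com",
    "CN=netops-admins,OU=Groups,DC=field,DC=mydomain,DC=com",
]
```

With the configured order, the dual-member user always lands in the Administrator role; with server order the result flips between Administrator and Operator from one login to the next, which is exactly why the admin-defined ordering matters.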


  • 16.  RE: Spectrum 10.4.0 - LDAP/AD Groups Membership

    Posted Mar 17, 2021 10:13 AM
    Jeffrey,

    My point really is that we shouldn't be creating the users within Spectrum if we're using an external IDP. That would make it not really an external IDP.

    My preference would be to go with SAML2, but I see no indications in the Spectrum documentation that it would handle group attributes returned from the SAML provider. It is also not clear if it follows the same model as LDAP and creates the user in the Spectrum database.

    Clyde


  • 17.  RE: Spectrum 10.4.0 - LDAP/AD Groups Membership

    Broadcom Employee
    Posted Mar 17, 2021 10:28 AM

    Yeh, right now NetOps products use SAML2 only for authentication. 
    Authorization is controlled by the user account existing in the NetOps product.

    From what I can tell from a quick scan of Spectrum code, it doesn't have any clone ability. It appears to require the user to be created in Spectrum first for the user to be authorized to log in.

    Please reach out to your account rep to pass along new feature requests to our product management. That is the new ER process.

  • 18.  RE: Spectrum 10.4.0 - LDAP/AD Groups Membership

    Broadcom Employee
    Posted Mar 17, 2021 11:01 AM
    Hi Clyde,

    That a product relies on an external IdP for authentication does not mean the product does not create its own internal user representation. Most products in the market work like this.

    Before 10.4.2, it is like you mention, and the user in Spectrum must be created even if you rely on an external IdP for authentication. With 10.4.2, that step is automatic and Spectrum creates the user transparently for you.

    One benefit of this is that Spectrum will continue authenticating your users even if your IdP is down.

    Based on the group membership of the user in LDAP, the user is linked to a Spectrum role via the group mapping (LDAP group -> Spectrum group -> Spectrum Role -> Spectrum permissions).

    Regards

  • 19.  RE: Spectrum 10.4.0 - LDAP/AD Groups Membership

    Broadcom Employee
    Posted Mar 17, 2021 11:38 AM
    Hi Clyde,

    Let me remark that my comments above apply to LDAP/AD integration.

    Regards