
Setting up an LDAP realm in Reporter 9.X.

Solutions ID:    KB3353
Version:    12.0
Status:    Published
Published date:    09/02/2009
Updated:    10/17/2013
 

Problem Description

What information do I need to collect in order to have a successful deployment of an LDAP Realm in Reporter 9.x?

What are the suggested best practices for using the LDAP protocol to connect to your databases in Reporter?

Resolution

To set up an LDAP realm in Reporter, you will first need to obtain the following information from your LDAP directory administrator:

Prerequisite information:

  • Type of LDAP directory:
    • Novell eDirectory
    • Microsoft Active Directory
    • Third-party LDAP directory
  • The IP address of the LDAP server, and the port you will connect to it on (389 or 636).
  • Whether or not you need to authenticate to search for users and groups.
    • If you cannot connect to the LDAP server anonymously, you will need the Fully Qualified Distinguished Name (FQDN) of a user that can, and that user's password.
    • Here is an example of the syntax: cn=lastname\, firstname,cn=users,dc=internal,dc=mytree,dc=com
  • The attributes needed to search the tree for users and groups. For Microsoft Active Directory, the defaults are:
    • User Naming Attribute: sAMAccountName
    • Group Naming Attribute: groupclass
    • Group class: class

NOTE: For more information on what these attributes mean, see https://kb.bluecoat.com/index?page=content&id=KB3560

  • The Group and User base DNs.
    • Here is an example of the syntax needed for users:  cn=users,dc=internal,dc=mytreename,dc=com
    • Here is an example of the syntax needed for groups: cn=groups,dc=internal,dc=mytreename,dc=com
    • NOTE: Some administrators may have groups and users in the same context.
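The following is an added example, not Blue Coat's code or part of the original article: a small pre-flight check that parses the DN syntax shown above (including the escaped comma in cn=lastname\, firstname) and flags the common mismatches before the values are typed into the realm wizard. The configuration keys (host, port, use_ssl, anonymous_bind, bind_dn, bind_password, user_base_dn, group_base_dn) and the sample host name and password are constructed for the example and are not the wizard's field names.

```python
# Added example (not Blue Coat's code): pre-flight validation of the LDAP
# realm prerequisites listed in the article.  Requires Python 3.9+.

HEX = "0123456789abcdefABCDEF"


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split an LDAP DN into (attribute, value) pairs, one per RDN.

    Handles the RFC 4514 backslash escapes the article's example relies on
    ('cn=lastname\\, firstname' carries an escaped comma inside the value)
    and the \\XX hex form.  Multi-valued RDNs joined with '+' are not handled.
    """
    rdns: list[tuple[str, str]] = []
    attr = None          # attribute name of the RDN being read, once '=' is seen
    buf: list[str] = []  # characters of the current attribute name or value
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\":
            if i + 1 >= len(dn):
                raise ValueError("dangling backslash at end of DN")
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and all(c in HEX for c in pair):
                buf.append(chr(int(pair, 16)))  # \2C -> ','
                i += 3
            else:
                buf.append(dn[i + 1])           # \, -> ',' (literal special char)
                i += 2
            continue
        if ch == "=" and attr is None:
            attr = "".join(buf).strip()
            buf = []
        elif ch == ",":
            if attr is None:
                raise ValueError("RDN without '=' before position %d" % i)
            rdns.append((attr, "".join(buf).strip()))
            attr, buf = None, []
        else:
            buf.append(ch)
        i += 1
    if not attr:
        raise ValueError("DN does not end with an attribute=value RDN")
    rdns.append((attr, "".join(buf).strip()))
    return rdns


def domain_components(rdns: list[tuple[str, str]]) -> list[str]:
    """The dc= components of a parsed DN, lower-cased, in order."""
    return [v.lower() for a, v in rdns if a.lower() == "dc"]


def check_realm_prereqs(cfg: dict) -> list[str]:
    """Return a list of problems found in a realm configuration dict (empty if OK)."""
    issues = []
    port = cfg.get("port")
    if port not in (389, 636):
        issues.append(f"port {port!r} is not one of the expected LDAP ports (389 or 636)")
    if port == 636 and not cfg.get("use_ssl"):
        issues.append("port 636 is the LDAP-over-SSL port but use_ssl is not set")
    if not cfg.get("anonymous_bind"):
        # Anonymous search not allowed: the realm needs a search user and password.
        if not cfg.get("bind_dn"):
            issues.append("anonymous search is not allowed, but no search-user DN was given")
        if not cfg.get("bind_password"):
            issues.append("anonymous search is not allowed, but no search-user password was given")
    parsed = {}
    for key in ("bind_dn", "user_base_dn", "group_base_dn"):
        value = cfg.get(key)
        if not value:
            if key != "bind_dn":
                issues.append(f"{key} is missing")
            continue
        try:
            parsed[key] = parse_dn(value)
        except ValueError as exc:
            issues.append(f"{key} is not a valid DN: {exc}")
    if "user_base_dn" in parsed and "group_base_dn" in parsed:
        # Bases in different partitions need one realm each (article's best practice).
        if domain_components(parsed["user_base_dn"]) != domain_components(parsed["group_base_dn"]):
            issues.append("user and group base DNs are in different partitions; "
                          "configure one realm per base DN")
    return issues


# Constructed sample realm settings built from the article's own syntax examples.
GOOD_REALM = {
    "host": "ldap.internal.mytreename.example",   # placeholder host name
    "port": 389,
    "use_ssl": False,
    "anonymous_bind": False,
    "bind_dn": r"cn=lastname\, firstname,cn=users,dc=internal,dc=mytree,dc=com",
    "bind_password": "placeholder-password",      # placeholder
    "user_base_dn": "cn=users,dc=internal,dc=mytreename,dc=com",
    "group_base_dn": "cn=groups,dc=internal,dc=mytreename,dc=com",
}

# Constructed misconfiguration: LDAPS port without SSL, no search user, split partitions.
BAD_REALM = {
    "host": "ldap.internal.mytreename.example",
    "port": 636,
    "use_ssl": False,
    "anonymous_bind": False,
    "user_base_dn": "cn=users,dc=internal,dc=mytreename,dc=com",
    "group_base_dn": "cn=groups,dc=other,dc=com",
}

if __name__ == "__main__":
    for name, realm in (("GOOD_REALM", GOOD_REALM), ("BAD_REALM", BAD_REALM)):
        print(name, check_realm_prereqs(realm) or "no issues")
```

Run the script as-is to see the two sample configurations checked; feed it your own values to catch a malformed DN or a port/SSL mismatch before the wizard's test button reports a connection failure.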

Once you have this information, enter it into the LDAP realm configuration wizard, and then use the test button to ensure it works. You can find the LDAP realm wizard by clicking on the Administration tab > General Settings > External Servers > LDAP/Directory.

Best practice: If you have multiple group and user base DNs all over your tree that are spread over multiple partitions and servers, Blue Coat suggests you configure more than one LDAP realm and point each one at its own base DN. At the time of writing this knowledge base article, Reporter 9.1.x versions did not support searching through multiple LDAP partitions and servers.

Configuring roles to use with LDAP: 

Once you have your LDAP realm successfully configured, it is now time to connect the LDAP groups to roles in Reporter.

  • Configuring a role:

In the administration section of Reporter, click on "Access Control" and then Roles.

Once here, configure a role for a database with the filters you desire. To facilitate greater granularity, you can also configure this same role to only show certain fields in your database. Roles cannot directly control which reports a user can run, but they can control, down to the field, what data the user will see. So, while all reports will still run, the restricted data in those reports will not show.

  • Configuring a group:

The next step is to search the LDAP tree for a group and connect it to the role you configured above. The option right below Roles is called LDAP Groups; click on this. Here you can conduct live searches of your LDAP tree for groups and link them to the roles you created above.

TIP: You can type in any search string to find the group name you want to connect to. Remember, though, that the list you see coming back is from your LDAP tree.

TIP: We do not support nested groups in any LDAP tree with versions of Reporter 9.1.x. For information on how to configure this feature in version 9.2.x and later, see KB3826.

TIP: If you are seeing an empty list here, the most probable cause is that the user you are logging in as does not have rights to pull a group list, or the context you provided as the Group base DN is wrong.

Once the LDAP group is connected to a role in Reporter, all users in that group will have the same access given to that role.
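The following is an added example, not Blue Coat's code or part of the original article. It shows how a search string typed into the LDAP Groups page turns into an LDAP search filter, why the characters that are special in filters must be escaped (RFC 4515) so that a typed `*` or `(` stays a literal character, and, over a constructed in-memory tree, how a wrong group base DN yields the empty list described in the last tip. The object class and naming attribute used (objectClass=group, cn) are assumed Active Directory style values for the sample, not values taken from the article, and the sample DNs are constructed.

```python
# Added example (not Blue Coat's code): group search filter construction and an
# offline reproduction of the "empty group list" symptom.

_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_group_filter(search_term: str, group_class: str = "group",
                       naming_attr: str = "cn") -> str:
    """Substring search for groups, e.g. (&(objectClass=group)(cn=*fin*)).

    search_term is user input and is escaped; group_class and naming_attr come
    from the realm configuration (assumed AD-style defaults here).
    """
    return (f"(&(objectClass={escape_filter_value(group_class)})"
            f"({naming_attr}=*{escape_filter_value(search_term)}*))")


# Constructed sample directory: a tiny LDAP tree as a list of entries.
SAMPLE_TREE = [
    {"dn": "cn=Finance,cn=groups,dc=internal,dc=mytreename,dc=com",
     "objectClass": ["group"], "cn": "Finance"},
    {"dn": "cn=Finance-Readers,cn=groups,dc=internal,dc=mytreename,dc=com",
     "objectClass": ["group"], "cn": "Finance-Readers"},
    {"dn": "cn=jdoe,cn=users,dc=internal,dc=mytreename,dc=com",
     "objectClass": ["user"], "cn": "jdoe", "sAMAccountName": "jdoe"},
]


def _norm_dn(dn: str) -> str:
    # Simplified normalisation: the sample DNs contain no escaped commas.
    return ",".join(part.strip().lower() for part in dn.split(","))


def _under_base(dn: str, base_dn: str) -> bool:
    """True if dn lies in the subtree below base_dn (simplified suffix test)."""
    return _norm_dn(dn).endswith("," + _norm_dn(base_dn))


def search_groups(tree, base_dn: str, search_term: str,
                  group_class: str = "group", naming_attr: str = "cn") -> list[str]:
    """Mimic the live group search: subtree under base_dn, substring on naming_attr.

    The comparison uses the raw term, which is what a server does after decoding
    the escaped filter: an asterisk typed by the user is a literal '*', not a wildcard.
    """
    hits = []
    for entry in tree:
        if not _under_base(entry["dn"], base_dn):
            continue
        if group_class not in entry.get("objectClass", []):
            continue
        if search_term.lower() in entry.get(naming_attr, "").lower():
            hits.append(entry["dn"])
    return hits


def explain_empty_list(tree, base_dn: str, group_class: str = "group") -> str:
    """Offline counterpart of the tip's troubleshooting for an empty group list."""
    under = [e for e in tree if _under_base(e["dn"], base_dn)]
    if not under:
        return "no entries under the group base DN: check the context you entered"
    if not any(group_class in e.get("objectClass", []) for e in under):
        return "base DN exists but holds no entries of the group class: check the group class"
    return "groups exist under the base DN: check the search user's rights to list groups"


if __name__ == "__main__":
    good_base = "cn=groups,dc=internal,dc=mytreename,dc=com"
    wrong_base = "cn=groups,dc=internal,dc=wrongtree,dc=com"
    print(build_group_filter("fin*"))
    print(search_groups(SAMPLE_TREE, good_base, "fin"))
    print(search_groups(SAMPLE_TREE, wrong_base, "fin"), explain_empty_list(SAMPLE_TREE, wrong_base))
```

The escaping matters in any code path that takes the search string from a user: without it, a typed `*` would widen the match to every group and a typed `)` would change the filter's structure instead of being searched for literally.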

NOTE 1: Links to other LDAP articles:

Occasionally you may choose a nested group without realizing it, and see this message when you log in:

"in order to view reports in Reporter, your system administrator must set up a database for you to have access to."

Please see this KB article for troubleshooting steps on how to solve this.

For a list of the LDAP error codes you may see in the journal, see FAQ813.

For an explanation of how you can use IWA methods on your SG to authenticate while you use LDAP on your Reporter, see KB3801.

For more details on how to determine your base DN on Active Directory (AD), see KB4548.

For details on how to use the search user, and what rights it needs in AD, see KB4407.

For details on how LDAP nested groups work in Reporter, see KB3826.

For details on what the LDAP attributes mean, see KB3560.
