LDAP Login Settings
  • 28 Mar 2024

LDAP Settings enable login from an existing domain controller using the LDAP protocol.

To enable LDAP logins, under the LDAP Login Settings section, toggle on Allow LDAP Logins.

LDAP_LoginSettings

Once switched on, you need to define the following credentials for the Domain controller:

  1. LDAP Gateway - select the gateway to use for the LDAP connection

  2. The host domain controller IP or DNS (required) - Enter the IP address or host of the Domain Controller of Microsoft Active Directory (AD) which verifies the credentials. If you set Use SSL for connection to Verified, this field must contain an FQDN.
    The setting for the host domain controller IP address or DNS must be unique when working with more than one LDAP.

  3. Authentication type (required, default: Password) - Select the LDAP Authentication type.

Configuring Password Authentication

To configure authentication using a password:

  1. In Authentication Type, choose Password.
  2. Configure all settings in Additional LDAP Settings.

Configuring Smartcard Authentication

When you select Smartcard for LDAP Authentication, users are identified by a smartcard using CAC/PIV cards (Common Access Card / Personal Identity Verification). When the user inserts their card, the browser prompts the user to enter their PIN, and then prompts the user to select a certificate for authentication.
To configure authentication using a smartcard:

  1. In Authentication Type, choose Smartcard.

SmartcardAuthentication

Configure the following:

  1. Chain of Trust CA Files (required) – Click + to upload the CA files used to verify the smartcard's digital signature. Chain of Trust CA files must be in PEM format. You can upload either a single concatenated PEM file or several individual PEM files.
    Click + to add files, or X to remove them.

ChainOfTrustCA_Files

  2. Enable OCSP (optional) - Enable OCSP to check the list of revoked certificates from the OCSP server referenced in the SSLv3 headers of the root/intermediate CA that signed the client certificate. Axonius contacts these URLs on every login attempt to get the list of revoked certificates, and caches every response for one day.
  3. Enforce client certificate validation (optional) – Select this option to allow users to access your system only with a smartcard. A user will not be able to access Axonius without a smartcard.
  4. AD Username and AD Password (required) – Enter the user name and password as used in AD. Axonius uses these credentials to connect to the domain controller, confirm that every user presenting a valid certificate also exists in the domain, and then assign the default roles for a new LDAP user.
  5. Use SAN to compare instead of DN - Select to compare the SAN (Subject Alternative Name) of the certificate on the CAC instead of the DN (Distinguished Name).
  6. Attribute to compare - Select the LDAP attribute against which the smartcard DN is compared. The default value is 'distinguishedName'.
  7. Regex to match on DN from Smartcard (optional, default empty) - Enter a regex to match against the DN.
  8. Regex to replace on matched input (optional, default empty) - Enter the string that replaces the matched groups in the smartcard DN. The replacement is performed with the Python 're.sub' function.
  9. LDAP attribute to compare for user hint (enables user hinting automatically) - Set this option to show a username hint on the logon screen. The value of this attribute is usually 'altSecurityIdentities'. When you use this value, you should generally enter 'UserPrincipalName' in the Attribute to compare field.
  10. Configure all settings in Additional LDAP Settings.
  11. Click Save at the bottom of the page and then refresh your system.
  12. The system now requests your client certificate and the smartcard PIN.
  13. Once you click OK, the Axonius login opens to 'Login with Smartcard'.
  14. Click 'Login with Smartcard' and enter the domain to authenticate.

Every user who logs onto your system can now log in with smartcard authentication.
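The DN-matching settings above (Use SAN to compare instead of DN, Attribute to compare, and the regex match/replace pair applied with re.sub) can be hard to reason about without seeing the transformation run. The following is an added example, not Axonius code: it applies a constructed match/replace pair to a constructed smartcard subject DN, looks the result up against a constructed directory by the chosen attribute, and refuses to resolve a user when the rewritten value is ambiguous. The DNs, SAN, attribute values and helper names are all hypothetical.

```python
import re

# Constructed sample data (hypothetical values, not from any real directory).
SMARTCARD_DN = "CN=DOE.JOHN.1234567890,OU=USERS,OU=PKI,O=Example Org,C=US"
SMARTCARD_SAN = "john.doe@corp.example"   # e.g. the UPN/rfc822Name carried in the cert SAN

DIRECTORY = [
    {
        "distinguishedName": "CN=DOE.JOHN.1234567890,OU=Staff,DC=corp,DC=example",
        "userPrincipalName": "john.doe@corp.example",
        "sAMAccountName": "jdoe",
    },
    {
        "distinguishedName": "CN=ROE.JANE.0987654321,OU=Staff,DC=corp,DC=example",
        "userPrincipalName": "jane.roe@corp.example",
        "sAMAccountName": "jroe",
    },
]


def transform_dn(dn: str, pattern: str, replacement: str) -> str:
    """Apply the 'Regex to match on DN' / 'Regex to replace on matched input'
    pair the way re.sub does: groups captured by `pattern` are substituted
    into `replacement` (\\1, \\2, ...). An empty pattern leaves the DN as is."""
    if not pattern:
        return dn
    return re.sub(pattern, replacement, dn)


def lookup_user(entries, attribute: str, value: str):
    """Return the single entry whose `attribute` equals `value` (exact,
    case-sensitive). Returns None when nothing matches, and also when more
    than one entry matches: a replacement regex that collapses several distinct
    card DNs onto one string must not silently log in whichever user comes first."""
    hits = [e for e in entries if e.get(attribute) == value]
    return hits[0] if len(hits) == 1 else None


def match_smartcard(entries, dn, san, *, use_san=False,
                    attribute="distinguishedName", pattern="", replacement=""):
    """Resolve a card holder to a directory entry following the settings on the
    page: compare either the SAN or the (optionally rewritten) DN against the
    chosen LDAP attribute."""
    identity = san if use_san else transform_dn(dn, pattern, replacement)
    return lookup_user(entries, attribute, identity)


if __name__ == "__main__":
    # Keep only the CN of the card DN and re-home it under the AD OU.
    user = match_smartcard(DIRECTORY, SMARTCARD_DN, SMARTCARD_SAN,
                           pattern=r"^CN=([^,]+),.*$",
                           replacement=r"CN=\1,OU=Staff,DC=corp,DC=example")
    print(user["sAMAccountName"])
    # Compare the SAN against userPrincipalName instead of the DN.
    user = match_smartcard(DIRECTORY, SMARTCARD_DN, SMARTCARD_SAN,
                           use_san=True, attribute="userPrincipalName")
    print(user["sAMAccountName"])
```

Without a match/replace pair the raw card DN (which lives in the PKI's naming space, not AD's) does not match anything, so the user is not resolved; the ambiguity guard in lookup_user is the check worth keeping when you write a broad replacement regex.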

Note:

When you choose smartcard, the Mutual-TLS settings are not available.

Additional LDAP Settings

For all LDAP options, configure these settings.

AdvancedLADPSettings

  1. Group the user must be part of (optional, default: empty) - The name of the group or nested group to which the logged-on user must belong.

  2. Match group name by DN (required, default: False) - Choose whether to authenticate user logins by the user's exact group Distinguished Name (DN).

    • If enabled, the user's group Distinguished Name (DN) must match (case sensitive) the value defined in the Group the user must be part of field.
    • If disabled, the user's group or nested group name is matched against the value defined in the Group the user must be part of field.
  3. Connect to Global Catalog - Select this option to connect to the DC in Global Catalog (GC) mode, on the AD GC port (3268), instead of connecting to a regular Active Directory DC on the regular LDAP port.

  4. Default domain to present to the user (optional) - The default domain into which the user is logged in (for example, if the value is "CORPNET" and the user logs in as "user", Axonius will try to log into the DC as "CORPNET\user").

  5. Domain name to display to the user - The default name of the domain that will be displayed to the user for login options.

  6. LDAP group hierarchy cache refresh rate (hours) (required, default: 720) - Configure how often the login cache is refreshed, and therefore when group hierarchy changes are reflected in Axonius.

    • Changes in the group hierarchy (groups added, removed or moved) are reflected in Axonius only at the next login cache recalculation. Users added to or removed from specific groups are reflected in Axonius immediately, independently of the next login cache recalculation.
    • A low number means that login may be slower, as the login cache is calculated more frequently, but it will be more accurate.
    • A high number means that login may be faster, as the login cache is calculated less frequently, but it may be less accurate.
    • The default value for this setting is 720 hours (one month).
  7. Use SSL for connection (optional) - The type of communication. One of:

    1. Unencrypted
    2. Unverified (Encrypted but unverified)
    3. Verified (Encrypted and verified)
Note:

If you choose 'Verified', make sure The host domain controller IP or DNS field contains an FQDN.

  8. CA file (optional) - The host will be verified using this CA. Relevant when the connection is Verified.
  9. Certificate file and Private key file (optional) - SSL configuration for creating a remote connection.
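The three Use SSL for connection choices, the CA file, the client certificate/private key, the Global Catalog option and the FQDN requirement for Verified map onto a small set of TLS decisions. The following is an added example using only the Python standard library, not Axonius code: it builds the TLS context each mode implies, rejects an IP literal when Verified is selected, and picks the port. The port numbers (389/636 for LDAP, 3268/3269 for the Global Catalog) are the standard AD ports and are an assumption here; the page itself only names 3268.

```python
import ipaddress
import ssl

# Standard AD ports (assumption: the page names only the GC port 3268).
LDAP_PORT, LDAPS_PORT = 389, 636
GC_PORT, GC_SSL_PORT = 3268, 3269


def ldap_port(use_ssl: str, global_catalog: bool) -> int:
    """Choose the target port: Global Catalog ports when 'Connect to Global
    Catalog' is set, and the SSL variant for either encrypted mode."""
    encrypted = use_ssl != "Unencrypted"
    if global_catalog:
        return GC_SSL_PORT if encrypted else GC_PORT
    return LDAPS_PORT if encrypted else LDAP_PORT


def check_host_for_mode(host: str, use_ssl: str) -> str:
    """'Verified' compares the name in the DC's certificate with the host we
    dialled, so the page requires an FQDN there: an IP literal will not match
    a name-based server certificate."""
    if use_ssl == "Verified":
        try:
            ipaddress.ip_address(host)
        except ValueError:
            return host  # not an IP literal, acceptable
        raise ValueError(f"'Verified' requires an FQDN, got IP literal {host!r}")
    return host


def build_tls_context(use_ssl: str, ca_file=None, cert_file=None, key_file=None):
    """Map the 'Use SSL for connection' setting onto an ssl.SSLContext.
    Returns None for Unencrypted."""
    if use_ssl == "Unencrypted":
        return None
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    if use_ssl == "Unverified":
        # Encrypted, but the DC's certificate is never checked. This stops
        # passive sniffing only; anyone on the path can still impersonate the DC.
        ctx.check_hostname = False      # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    elif use_ssl == "Verified":
        ctx.check_hostname = True
        ctx.verify_mode = ssl.CERT_REQUIRED
        if ca_file:
            ctx.load_verify_locations(cafile=ca_file)   # the 'CA file' setting
    else:
        raise ValueError(f"unknown mode {use_ssl!r}")
    if cert_file:
        # 'Certificate file' / 'Private key file': client certificate for the DC.
        ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def verify_summary(use_ssl: str) -> str:
    """Human-readable summary of what a mode actually verifies."""
    ctx = build_tls_context(use_ssl)
    if ctx is None:
        return "plaintext"
    return f"{ctx.verify_mode.name}/hostname={'on' if ctx.check_hostname else 'off'}"


if __name__ == "__main__":
    for mode in ("Unencrypted", "Unverified", "Verified"):
        print(mode, ldap_port(mode, global_catalog=True), verify_summary(mode))
    print(check_host_for_mode("dc01.corp.example", "Verified"))
```

Only Verified gives you an authenticated channel to the domain controller; Unverified hides the bind credentials from a passive observer but still accepts any certificate the other end presents.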

LDAP - User Assignment Settings

  1. Default role for new LDAP user only (if no matching assignment rule found) (Required, default: No Access) - The default role that will be associated with new LDAP users. For details on managing user roles in Axonius, see Manage Roles.

  2. Default data scope for new LDAP user only (if no matching assignment rule found) (optional, Default: Global (Unrestricted)) - Select the Data Scope to assign to new users. For details about Data Scopes, see Managing Data Scopes.

  3. Evaluate role assignment on (required, default: New users only) - Select whether to evaluate role assignment for new users or for new and existing users.

    • If New users only is selected, role assignment is evaluated only for new users. Roles for existing Axonius users are not reevaluated and remain as they are.
    • If New and existing users is selected, role assignment is evaluated for new users and also for existing users on every login.
  4. Role Assignment Rules (users will be assigned to the first matching role) (optional, default: empty) - Configure a ranked list of rules to determine the user's role.

    • Each role consists of:
      • Category:
        • Email address - user email address, e.g., example@example.com
        • Email domain - an email domain, e.g., example.com
        • Group - a user group Common Name (CN). If the Match group name by DN checkbox is enabled, the group will refer to the user group Distinguished Name (DN). For example, for the LDAP group name: "CN=test-group-0,CN=Test Groups,DC=TestDomain,DC=test", the field value should be "test-group-0".
      • Value - case sensitive exact match.
      • Role - to be assigned.
    • To reorder the rules, hover over the rule to use the drag and drop functionality.
    • When a user logs in to Axonius with LDAP, the user's assigned role is determined based on the Role Assignment Rules Logic.

    LDAP - UserAssignmentSettings.png

  5. Prioritize Logon Name (optional) - You can select the username to prioritize when users log in with LDAP.

PrioritizeLogonName

The following options are available:

  • Prioritize CN over sAMAccountName - This is the default option. If there is a CN username, it will be used. If not, the sAMAccountName username will be used.
  • Prioritize sAMAccountName over CN - If there is a sAMAccountName username, it will be used. If not, the CN username will be used.
  • Use Only CN - If there is a CN username it will be used. If not, the login will fail.
  • Use Only sAMAccountName - If there is a sAMAccountName username, it will be used. If not, the login will fail.
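The Role Assignment Rules (ranked, first match wins, exact case-sensitive values, Group compared by CN or by DN depending on Match group name by DN, falling back to the default role) and the Prioritize Logon Name options are both small decision procedures. The following is an added example, not Axonius code, that implements both over constructed user records and a constructed rule list; the rule values, user attributes and helper names are hypothetical, and nested-group resolution (which the product handles through its group hierarchy cache) is left out, so only direct memberOf values are considered.

```python
# Constructed rules in ranked order, shaped like the page's (Category, Value, Role).
RULES = [
    {"category": "Email address", "value": "alice@corp.example", "role": "Admin"},
    {"category": "Group", "value": "axonius-viewers", "role": "Viewer"},
    {"category": "Email domain", "value": "corp.example", "role": "Restricted"},
]

# Constructed directory records (hypothetical users).
ALICE = {"cn": "Alice Example", "sAMAccountName": "alice", "mail": "alice@corp.example",
         "memberOf": ["CN=axonius-viewers,CN=Test Groups,DC=corp,DC=example"]}
BOB = {"cn": "", "sAMAccountName": "bob", "mail": "bob@corp.example", "memberOf": []}
CAROL = {"cn": "Carol Example", "sAMAccountName": "carol", "mail": "carol@partner.example",
         "memberOf": ["CN=axonius-viewers,CN=Test Groups,DC=corp,DC=example"]}


def group_names(groups, match_by_dn):
    """What the Group category compares against: the full group DN when
    'Match group name by DN' is enabled, otherwise the CN (first RDN).
    Simplification: RDN values containing escaped commas are not handled."""
    if match_by_dn:
        return list(groups)
    return [g.split(",", 1)[0][3:] for g in groups if g.startswith("CN=")]


def assign_role(user, rules, default_role, match_by_dn=False):
    """Walk the ranked rules and return the first match; exact, case-sensitive
    comparison throughout. Falls back to the default role for new LDAP users."""
    email = user.get("mail", "")
    domain = email.rsplit("@", 1)[1] if "@" in email else ""
    groups = group_names(user.get("memberOf", []), match_by_dn)
    for rule in rules:
        cat, val = rule["category"], rule["value"]
        if cat == "Email address" and val == email:
            return rule["role"]
        if cat == "Email domain" and val == domain:
            return rule["role"]
        if cat == "Group" and val in groups:
            return rule["role"]
    return default_role


def logon_name(user, mode="Prioritize CN over sAMAccountName"):
    """Pick the username per 'Prioritize Logon Name'. Returns None when the
    selected mode cannot produce a name, which the page says fails the login."""
    cn, sam = user.get("cn"), user.get("sAMAccountName")
    order = {
        "Prioritize CN over sAMAccountName": [cn, sam],
        "Prioritize sAMAccountName over CN": [sam, cn],
        "Use Only CN": [cn],
        "Use Only sAMAccountName": [sam],
    }[mode]
    return next((name for name in order if name), None)


if __name__ == "__main__":
    for user in (ALICE, BOB, CAROL):
        print(logon_name(user), assign_role(user, RULES, "No Access"))
    # Same rules with DN matching: the CN-style Group value no longer matches.
    print(assign_role(CAROL, RULES, "No Access", match_by_dn=True))
```

Alice hits the Email address rule before the Group rule even though both apply, which is the ranking behaviour the page describes; Carol's case with match_by_dn=True shows why a Group rule value must be rewritten to the full DN when that checkbox is enabled.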

Add New LDAP

Click Add new LDAP. An additional LDAP Configuration section opens.
Note that adding an additional LDAP is not applicable to smartcards, and may only be used when logging in using a password.

Note:

Multiple LDAP is not supported when you are working with a tunnel.

  1. Choose Password in Authentication Type.
  2. Configure all settings in Additional LDAP Settings.
  3. Make sure that the setting for the host domain controller IP address or DNS is unique.

Now when a user logs in with LDAP, the domain name is displayed. In cases where the Domain name to display to the user is the same for both LDAPs, the second IP address is displayed. When the user logs in, they must select the correct domain.


See Using Identity Providers for general information about using identity providers.
For information about SAML-based login settings, see SAML-Based Login Settings.

