
GSM: Central Authentication

The Greenbone Security Manager (GSM) can be connected to existing directory services for central authentication. This allows users existing in this directory service to connect to the GSM and use their credentials configured through the directory service to log in, provided a user on the GSM has been created for them as well.

The GSM uses the directory service only to authenticate users, on a per-user basis. This means that every user who should be able to authenticate through the directory service must also exist on the GSM and must be configured there for authentication through the directory service.

The functionality described in this document is available in Greenbone OS 2.1 or later.

Configuration of the Greenbone Security Manager


When not configured otherwise, the Greenbone Security Manager uses a custom independent authentication system. Users with the role "Admin" are able to create, modify and delete other users.

To use an LDAP directory service through the GSM, the following steps must be taken.

  1. When a directory service is used for central authentication, user passwords are transmitted between the GSM and the LDAP directory service, so a secure connection is required. For this, the GSM uses either the StartTLS operation of the LDAP protocol or LDAP over SSL/TLS (LDAPS). To verify the certificate presented by the directory service when the secure connection is established, the GSM needs to know the certificate authority (CA) which issued this certificate. To make this CA known to the GSM and mark it as trusted, you have to download the certificate of the CA into the GSM. This is done through the CLI administrative interface (see also the manual "GSM Command Line Interface: Administrator Guide"). Use ssh to connect to the administrative interface (do not use the console directly, as you will not be able to use the "paste" method there):

    gsm> ldapcacertdownload
    Please paste the BASE64 Certificate into the CLI, END with CTRL-D

    The examples below show where the certificate of the CA can be found and how it needs to be prepared.

    The certificate is checked immediately for validity. If the certificate is generally valid, the result will be an "OK" message. Self-signed certificates are accepted but will result in a notice.

    If the certificate submitted is empty (i.e. CTRL-D was pressed immediately), the installed certificate is removed, returning the GSM to the default behaviour regarding authentication.

  2. The address of the directory service can be set through the web interface of the Greenbone Security Manager by navigating to Administration->Users (this option is only available to users with the role "Admin"):

    Enable: Activate the use of this LDAP directory service by selecting "Enable".

    LDAP Host: The address of the directory service.
    Please note: This must be the host name which is used in the certificate of the directory service.
    Make sure that the DNS server you configured your GSM to use is able to resolve this host name.
    If you do not specify a port number, the GSM will default to port 389. If your directory service is running on another port, you have to specify the port number explicitly together with the host name. For example, Active Directory LDAP servers usually listen on port 636 for LDAP over SSL/TLS (LDAPS) communication.

    Auth. DN: The DN which is used by your directory service for authentication. The login name is inserted at the "%s" placeholder. If you are using a regular LDAP service, this will most likely be similar to "uid=%s,cn=users,o=center,d=org" or "uid=%s@domain.tld,cn=users,o=center,d=org". If you are using Active Directory LDAP, it will be similar to "%s@domain.tld" or "domain\%s".

  3. Please note: A reboot of the GSM is necessary to activate both changes.

  4. Once you have enabled LDAP authentication, you will notice a new option Allow LDAP-Authentication only in the New User section, which is checked by default. Leave it checked if the new user should be able to log in with the credentials configured in the directory service. For existing users you may enable this option through the Edit User dialog.

    Please note that the user has to exist with this name in your directory service prior to use with the GSM. The GSM will not add, modify or remove users in your directory service. It will also not grant any user from your directory service automatically access to the GSM. You have to authorize every user separately by adding a user with the same name to the GSM with Allow LDAP-Authentication only checked as described above.

    Also note that a locally configured user (i.e. a user which is not enabled for LDAP authentication) "Smith" on the GSM takes precedence over a user "Smith" in the connected directory service.
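The rules in steps 1 to 4 (a user must exist on the GSM, a local user wins over a directory user of the same name, and the login name is inserted into the Auth. DN template) can be modelled as follows. This is an added example and not GSM code: the GsmUser and LdapConfig classes, the allow-list for login names and the fake_bind callback are assumptions standing in for the GSM's internal mechanisms.

```python
import hmac
import re
from dataclasses import dataclass
# Allow-list for login names: keeps DN metacharacters out of the built bind DN.
LOGIN_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")

@dataclass
class GsmUser:
    ldap_only: bool           # "Allow LDAP-Authentication only" checkbox
    local_password: str = ""  # only consulted when ldap_only is False

@dataclass
class LdapConfig:
    enabled: bool             # the "Enable" checkbox
    host: str                 # LDAP Host, optionally with :port
    auth_dn: str              # Auth. DN template containing "%s"

def expand_auth_dn(template: str, login: str) -> str:
    """Substitute the login name for '%s', e.g. 'uid=%s,cn=users,o=center,d=org'."""
    if "%s" not in template:
        raise ValueError("Auth. DN template has no '%s' placeholder")
    if not LOGIN_RE.fullmatch(login):
        raise ValueError("login name contains characters not allowed in a DN")
    return template.replace("%s", login)

def authenticate(users: dict, ldap: LdapConfig, login: str, password: str,
                 ldap_bind) -> str:
    """Return 'local', 'ldap' or 'denied' for one login attempt."""
    user = users.get(login)
    if user is None:          # directory users get no automatic GSM access
        return "denied"
    if not user.ldap_only:    # a local user takes precedence over the directory
        ok = hmac.compare_digest(user.local_password.encode(), password.encode())
        return "local" if ok else "denied"
    if not ldap.enabled:
        return "denied"
    try:
        bind_dn = expand_auth_dn(ldap.auth_dn, login)
    except ValueError:
        return "denied"
    return "ldap" if ldap_bind(ldap.host, bind_dn, password) else "denied"

# Constructed sample data: two GSM users and a fake simple-bind callback.
USERS = {"smith": GsmUser(ldap_only=False, local_password="local-pw"),
         "jones": GsmUser(ldap_only=True)}
LDAP = LdapConfig(True, "ldap.example.org:636", "uid=%s,cn=users,o=center,d=org")

def fake_bind(host: str, dn: str, password: str) -> bool:  # not a real LDAP call
    return dn == "uid=jones,cn=users,o=center,d=org" and password == "dir-pw"
```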

Preparing the directory service


Depending on the current configuration of your directory service, you might need to take additional steps to prepare it for use by the GSM.

Active Directory LDAP

The GSM makes encryption mandatory when communicating with the directory service. If your Active Directory LDAP service does not yet use LDAPS, you may find the following article helpful: LDAP over SSL (LDAPS) Certificate.

Getting the CA certificate


As described above, you need the certificate of the certificate authority (CA) which issued the certificate for your directory service to enable the GSM to access the directory service.

Note that the CA certificate may be available from the machine your directory service is running on, from a different machine, or may reside on another network, depending entirely on your IT infrastructure. When in doubt, please contact your certificate authority and ask for the certificate.

The file you are looking for will contain the line

-----BEGIN CERTIFICATE-----
followed by Base64-encoded data.
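Before pasting a CA certificate file into ldapcacertdownload it is worth checking that it contains exactly one Base64 block that decodes to DER, because an empty paste removes the installed certificate and a chain file carries more than the CA certificate. The following is an added example, not GSM code; the der_length_ok and prepare_ca_cert functions and the sample input are constructed, and the sample DER is a placeholder structure, not a real certificate.

```python
import base64
import binascii
import re

_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_length_ok(der: bytes) -> bool:
    """Check that the data is one DER SEQUENCE whose length matches the body."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length
        body_len, offset = first, 2
    else:                                  # long form: 0x8N followed by N bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        body_len, offset = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return len(der) == offset + body_len

def prepare_ca_cert(text: str) -> str:
    """Return one clean PEM block ready to paste, or raise ValueError."""
    blocks = _BLOCK.findall(text.lstrip("\ufeff"))   # drop a UTF-8 BOM first
    if not blocks:
        # Pasting nothing would remove the installed CA rather than install one.
        raise ValueError("no BEGIN/END CERTIFICATE block found")
    if len(blocks) > 1:
        raise ValueError("file holds a chain; paste only the CA certificate")
    b64 = "".join(blocks[0].split())      # removes CRLF/LF and stray spaces
    try:
        der = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"body is not valid Base64: {exc}") from None
    if not der_length_ok(der):
        raise ValueError("Base64 body does not decode to a complete DER SEQUENCE")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# Constructed sample: a tiny DER SEQUENCE standing in for a real certificate,
# wrapped with the things a copied text file may carry (BOM, CRLF, extra text).
SAMPLE_DER = b"\x30\x06\x02\x01\x01\x02\x01\x02"
SAMPLE_EXPORT = ("\ufeffexported from the CA console\r\n-----BEGIN CERTIFICATE-----\r\n"
                 + base64.b64encode(SAMPLE_DER).decode() + "\r\n-----END CERTIFICATE-----\r\n")
```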

Univention Corporate Server (UCS)

The CA certificate for the Univention Corporate Server is usually found in the following location:

/etc/univention/ssl/ucsCA/CAcert.pem

Use the contents of this file for the GSM command "ldapcacertdownload" as described above.

Active Directory LDAP

In a Microsoft Windows based environment — for example when using Active Directory LDAP — CA certificates can be exported using the following procedure which must be performed from a desktop or server that has access to the Certification Authority console.

  1. Open the Certification Authority console from any domain-joined computer or server.
  2. Right-click the name of the certification authority and then select Properties.
  3. In the CA certificates dialog box, choose the General tab, and then select the certificate for the certification authority you want to access.
  4. Choose View Certificate.
  5. In the Certificate dialog box, choose the Certification Authority tab. Select the name of the root certification authority and then choose View Certificate.
  6. In the Certificate dialog box, choose the Details tab and then choose Copy to File.
  7. The Certificate Export Wizard appears. Choose Next.
  8. On the Export File Format page, select the Base-64 encoded X.509 (.CER) option.
  9. Choose Next.
  10. In the File to Export box, choose the path and name for the certificate, and then choose Next.
  11. Choose Finish. The .cer file will be created in the location that you specified in the previous step.
  12. A dialog box appears to inform you that the export was successful. Choose OK to finish.

Use the contents of this file for the GSM command "ldapcacertdownload" as described above.

The procedure described above was adapted from a guide provided by the Microsoft System Center.