Configuring and Integrating LDAP

The Basics of LDAP 3
LDAP Key Terms and Components 3
Basic LDAP Syntax 4
The LDAP User Experience Monitor 6

This document includes information about LDAP and its role with SolarWinds SAM.
Copyright 1995-2012 SolarWinds. All rights reserved worldwide. No part of this document may be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the written consent of SolarWinds. All right, title and interest in and to the software and documentation are and shall remain the exclusive property of SolarWinds and its licensors. SolarWinds Orion, SolarWinds Cirrus, and SolarWinds Toolset are trademarks of SolarWinds, and SolarWinds.net and the SolarWinds logo are registered trademarks of SolarWinds. All other trademarks contained in this document and in the Software are the property of their respective owners.

SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON SOFTWARE AND DOCUMENTATION FURNISHED HEREUNDER INCLUDING WITHOUT LIMITATION THE WARRANTIES OF DESIGN, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS OR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY EVEN IF SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Microsoft and Windows 2000 are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Graph Layout Toolkit and Graph Editor Toolkit 1992-2001 Tom Sawyer Software, Oakland, California. All Rights Reserved. Portions Copyright ComponentOne, LLC 1991-2002. All Rights Reserved.

Document Revised 6/14/2012 - DJR
The Basics of LDAP

Lightweight Directory Access Protocol (LDAP) is a protocol for accessing directory servers. In other words, LDAP is a directory, not a database: there are no rows or tables in an LDAP directory and no relational links. The result is a simple yet structured directory design that is easy to navigate. Every object in LDAP can contain one or more sub-objects, much like the folder and sub-folder relationship used in Windows operating systems.

LDAP runs directly over TCP, on port 389 by default. It is used to store information about users, including the network privileges assigned to each user, so revoking or changing privileges can be done in one entry of the LDAP directory rather than on many machines across the network. LDAP also supports SSL and TLS for security, either as LDAPS (TLS from the start of the connection, port 636 by default) or as StartTLS, which upgrades a plain port 389 connection. Without one of these, bind passwords and directory data cross the network in the clear.

LDAP Key Terms and Components

Following is a list of key terms and components along with their respective definitions.

Distinguished Names

Distinguished Names (DNs) are a fundamental part of LDAP. LDAP uses path syntax to identify objects in the store.

Typical Windows path syntax: C:\Files\Pictures\Pic1.jpg

DNs work in reverse order, meaning the most specific node is on the left of the path.

Typical example of a DN: CN=SomeUser,OU=SomeContainer,DC=SomeDomain,DC=com

This DN is composed of four Relative Distinguished Name (RDN) parts:
CN=SomeUser
OU=SomeContainer
DC=SomeDomain
DC=com

Each RDN is a child of the object whose RDN is to its right. The object deepest in the tree in this example is CN=SomeUser. Each RDN is composed of two parts: the name of the attribute that provides the primary name of the object, and the value of that attribute. In this example, CN, which stands for Common Name, is the name of the attribute that provides the primary name for objects of its class, and SomeUser is the value of this attribute. There are also RDN attributes for OU (Organizational Unit) and DC (Domain Component). As in a file system, the name of an object within an LDAP container must be unique. For example, CN=Kate uniquely identifies that object within its container, OU=CustomerSupport, and the entire DN (CN=Kate followed by the chain of containers above it) uniquely identifies this particular object in the whole directory tree.
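The RDN structure described above, worked through as an added Python example (not part of the SolarWinds document): a parser that splits a DN into its RDNs while honouring the RFC 4514 escaping rules, the matching escape routine for building DNs from untrusted values, and a subtree check that compares RDN by RDN. The last point is the security-relevant one: a DN is not a flat string, so testing "is this object under OU=CustomerSupport" with a string-suffix check can be fooled by an entry whose own name contains an escaped comma. All DNs in the code reuse the document's container names and are constructed for illustration.

```python
"""Parse and build LDAP Distinguished Names (RFC 4514 string form). Added
example, not part of the SolarWinds document. Handles the CN/OU/DC chains the
text describes (most specific RDN first) plus the escaping needed when a value
contains ',' or other special characters; multi-valued RDNs ('+') are not
split. The sample DNs are constructed."""
import string

SPECIAL = ',+"\\<>;'     # characters that must be escaped inside an RDN value

def _split_unescaped(text, sep):
    """Split on `sep`, ignoring occurrences preceded by a backslash."""
    parts, cur, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            cur.append(text[i:i + 2])     # keep the escape pair; decoded later
            i += 2
        elif text[i] == sep:
            parts.append("".join(cur))
            cur, i = [], i + 1
        else:
            cur.append(text[i])
            i += 1
    parts.append("".join(cur))
    return parts

def _unescape(value):
    """Decode RFC 4514 escapes: '\\,' -> ',' and hex pairs such as '\\2C' -> ','."""
    buf, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in string.hexdigits for c in pair):
                buf.append(int(pair, 16))  # hex pairs are raw UTF-8 bytes
                i += 3
            else:
                buf += value[i + 1].encode("utf-8")
                i += 2
        else:
            buf += value[i].encode("utf-8")
            i += 1
    return buf.decode("utf-8")

def parse_dn(dn):
    """Return (type, value) RDNs left to right, i.e. most specific object first."""
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        attr, sep, value = rdn.partition("=")   # the type never contains '='
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        value = value.lstrip()
        while value.endswith(" ") and not value.endswith("\\ "):
            value = value[:-1]                   # drop only unescaped trailing spaces
        rdns.append((attr.strip(), _unescape(value)))
    return rdns

def escape_rdn_value(value):
    """Escape a raw value so it can safely follow 'CN=' when a DN is built."""
    out = "".join("\\" + c if c in SPECIAL else c for c in value).replace("\x00", "\\00")
    if out.startswith(("#", " ")):             # a leading '#' or space must be escaped
        out = "\\" + out
    if out.endswith(" "):                      # and so must a trailing space
        out = out[:-1] + "\\ "
    return out

def in_subtree(dn, base):
    """True if `dn` is `base` or lies below it, compared RDN by RDN rather than
    as a string suffix. Types and CN/OU/DC values match case-insensitively."""
    d = [(a.lower(), v.lower()) for a, v in parse_dn(dn)]
    b = [(a.lower(), v.lower()) for a, v in parse_dn(base)]
    return len(d) >= len(b) and d[len(d) - len(b):] == b
```

The spoof case to keep in mind: the DN "CN=Kate\,OU=CustomerSupport,DC=lab,DC=ri" has three RDNs, not four, because the escaped comma is part of the CN value. A plain endswith("OU=CustomerSupport,DC=lab,DC=ri") says the object is in the CustomerSupport OU; in_subtree correctly says it is not. When an application builds a DN from user-supplied input, run the value through escape_rdn_value first so the structure cannot be altered this way.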
Search Operation

The most important operation in LDAP is the search. This is how objects are found in the directory tree and how their values are read. The syntax is somewhat different from more familiar query syntaxes such as SQL, but it is also much simpler: there are no joins, sub-queries, ordering, or grouping. An LDAP query is composed of four basic parts: a search root, a search scope, a filter, and a list of attributes to return. There are more parameters and options, but these four are enough for most cases.

Search Root
The search root determines the place in the tree from which the search starts. This value is passed as a DN in string format. To search the entire directory, pass the DN of the object that is the root of the tree. To search lower in the hierarchy, specify a lower-level DN.

Search Scope
The search scope limits how far below the root the search descends: the root object only (base), its immediate children (one level), or the root and everything beneath it (subtree).

Search Filter
The search filter determines which objects are returned by the query. It is analogous to the WHERE clause of a SQL statement: every object within the scope of the query is evaluated against the filter, and objects that do not meet the filter criteria are dropped from the result.

Basic LDAP Syntax

The following table outlines the basic operators used in LDAP filters. Every condition, even a single one, is enclosed in its own pair of parentheses.

Operator: =  (Equal to)
Definition: The attribute must be equal to the given value for the condition to be true.
Example: (givenname=kate)
This returns all objects that have the first name "Kate".

Operator: &  (And)
Definition: Use & when you have more than one condition and all of them must be true. The conditions follow the & inside the outer parentheses.
Example: (&(givenname=kate)(l=austin))
This finds all of the people whose first name is Kate and who are located in Austin.

Operator: |  (Or)
Definition: Use | when you have more than one condition and at least one of them must be true.
Example: (|(l=nyc)(l=austin))
This finds all objects located in NYC or in Austin.

Operator: !  (Not)
Definition: Use ! to exclude objects that have a certain attribute value. The ! goes directly in front of the condition it negates, and the whole expression is wrapped in its own parentheses.
Example: (!(givenname=kate))
This finds all objects that do not have the first name Kate. Note: this is the standard form (RFC 4515), with the negated condition in its own parentheses. Active Directory also accepts the shorthand (!givenname=kate), but other servers may reject it.

Operator: *  (Wildcard)
Definition: Use * to represent a value that could be anything.
Example: (title=*)
This returns all objects that have the title attribute populated with any value.
Example: (givenname=ka*)
This applies to all objects whose first name starts with "Ka".

Advanced Examples of LDAP Syntax

You need a filter to find all objects that are in NYC or Austin and that have the first name "Kate". This would be:
(&(givenname=kate)(|(l=nyc)(l=austin)))

You have received 9,360 events in the Application log and you need to find all of the objects that are causing this logging event. In this case, you need to find all of the disabled users (msexchuseraccountcontrol=2) that do not have a value for msexchmasteraccountsid. This would be:
(&(msexchuseraccountcontrol=2)(!(msexchmasteraccountsid=*)))
Note: Combining the ! operator with the * wildcard matches objects where that attribute is not set at all.

The LDAP User Experience Monitor

Use the LDAP Monitor to test that:
- An LDAP client can open a connection with an LDAP server.
- Specified objects exist and can be located in the LDAP catalogue.
- The server responds within a required time frame.

The LDAP Monitor sends LDAP version 2 requests. Most LDAP version 3 servers still accept version 2 client requests, although version 2 was formally retired in 2003 (RFC 3494) and some servers must be configured to allow it.

How this Monitor Works:
1. It creates an instance of the LDAP connection class using the specified directory identifier.
2. It configures the connection, which can be encrypted.
3. It establishes the LDAP connection and authenticates the user with the bind operation.
4. It prepares and sends an LDAP search request, using the LDAP Search Root and LDAP Filter monitor settings.
5. It reads and processes the LDAP response.

The monitor returns the number of entries found as its statistic. It also calculates and shows the server response time.
LDAP User Experience Monitor Prerequisites

The target LDAP server's IP address and name must resolve successfully in DNS from the SolarWinds server.

Fields Defined

The fields highlighted below are unique to this monitor; therefore, only they are defined following the illustration:

Port Number: Port 389 is the default port for an unencrypted connection, and also for StartTLS, which upgrades that connection. Use port 636 if you select SSL.

Encryption Method: Choose either SSL or StartTLS to encrypt your data. Without encryption, a Simple bind sends the monitoring account's password across the network in the clear.

Authentication Method: Below are the five available options:
Anonymous: The connection is made without passing credentials.
Simple: A simple bind is used: the server receives the username and password directly. This only requires a valid username and password, and should be combined with an encryption method.
NTLM: Windows NT Challenge/Response (NTLM) authentication is used on the connection. This requires a user name, password, and domain (Realm).
Kerberos: Kerberos authentication is used on the connection. This requires a user name, password, and domain (Realm).
Negotiate: Microsoft's Negotiate authentication is used on the connection. This only requires a valid username and password.

Realm (User Domain): The user's domain (for example, for DC=solarwinds,DC=com the realm would be solarwinds).

LDAP Search Root: The place in the LDAP tree from which your search starts (for example, the Users container, as illustrated below). This example is based on the Active Directory domain controller lab.ri. The LDAP search root would be CN=Users,DC=lab,DC=ri, because the container is Users and the domain is lab.ri. Note that Users is a container rather than an organizational unit, so its RDN is CN=Users, not OU=Users. In general, you may specify just the domain root (DC=lab,DC=ri) to begin a search, because the monitor always applies the SearchScope.Subtree request option: the query searches the entire domain tree below the specified root for the requested object.
LDAP Filter: The search condition for the LDAP query, i.e. the attribute values an object must match to be returned.

Credentials
Credentials should be entered without the domain, because the Realm field already carries that information.

LDAP Monitor Statistics
The following illustrates typical field entries for a working LDAP User Experience monitor within SAM. In the illustration below, the Statistic and the Response Time values are highlighted. A Statistic of 1 is returned, indicating that one user was found that matched the filter criteria. The query took 259 milliseconds, as indicated by the Response Time value of 259.
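The exchange behind steps 3 to 5 of "How this Monitor Works" and the Statistic and Response Time values just described, as an added Python example that is not SolarWinds code: a minimal LDAPv3 client written against the standard library with hand-encoded BER, which performs a bind, sends a subtree search from the Search Root with a filter, counts the SearchResultEntry messages until SearchResultDone, and reports the result code, the entry count and the elapsed milliseconds. Both sides of the conversation are shown: the request builders are what the client sends, and ldap_result and search_entry construct the server's replies so the check runs offline through the Replay stand-in. The DN CN=Kate,CN=Users,DC=lab,DC=ri and the result values used in the offline run are constructed, not captured from a directory.

```python
"""Minimal LDAPv3 client on the standard library with hand-encoded BER (RFC 4511,
X.690), reproducing the SAM monitor's bind / search / count / time sequence. Added
example, not SolarWinds code. Filters are tuples ('&'|'|', [kids]), ('!', kid) or
('=', attr, value), where value '*' means presence. Offline replies are constructed."""
import time

BIND_REQ, BIND_RESP, SEARCH_REQ, SEARCH_ENTRY, SEARCH_DONE = 0x60, 0x61, 0x63, 0x64, 0x65

def _ber(tag, content):                      # one definite-length TLV
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _int(v):
    return _ber(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))
def _str(s, tag=0x04):
    return _ber(tag, s.encode("utf-8"))
def _seq(*parts, tag=0x30):
    return _ber(tag, b"".join(parts))
def _enum(v):
    return _ber(0x0A, bytes([v]))

def encode_filter(f):
    if f[0] in ("&", "|"):
        return _seq(*map(encode_filter, f[1]), tag=0xA0 if f[0] == "&" else 0xA1)
    if f[0] == "!":
        return _ber(0xA2, encode_filter(f[1]))
    _, attr, value = f                       # present [7] or equalityMatch [3]
    return _str(attr, tag=0x87) if value == "*" else _seq(_str(attr), _str(value), tag=0xA3)

def bind_request(msg_id, dn="", password=""):
    """Simple bind; empty DN and password is an anonymous bind. The password goes
    over the wire as-is, so send this only on a TLS-protected connection."""
    return _seq(_int(msg_id), _seq(_int(3), _str(dn), _ber(0x80, password.encode()), tag=BIND_REQ))

def search_request(msg_id, base, flt, attrs=(), scope=2, time_limit=10):
    body = _seq(_str(base), _enum(scope), _enum(0), _int(0), _int(time_limit),   # scope 2 = wholeSubtree
                _ber(0x01, b"\x00"), encode_filter(flt), _seq(*map(_str, attrs)), tag=SEARCH_REQ)
    return _seq(_int(msg_id), body)

def ldap_result(msg_id, tag, code):          # BindResponse / SearchResultDone (server side)
    return _seq(_int(msg_id), _seq(_enum(code), _str(""), _str(""), tag=tag))
def search_entry(msg_id, dn):                # SearchResultEntry with no attributes (server side)
    return _seq(_int(msg_id), _seq(_str(dn), _seq(), tag=SEARCH_ENTRY))

def _tlv(buf, pos=0):                        # -> (tag, content, offset after the TLV)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def _read(conn, n):                          # recv exactly n bytes
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return buf

def recv_message(conn):
    """Read one LDAPMessage -> (messageID, protocolOp tag, protocolOp content)."""
    head = _read(conn, 2)
    n = head[1]
    if n & 0x80:                             # long-form length
        n = int.from_bytes(_read(conn, n & 0x7F), "big")
    body = _read(conn, n)
    _, mid, pos = _tlv(body)
    op_tag, op, _ = _tlv(body, pos)
    return int.from_bytes(mid, "big", signed=True), op_tag, op

class Replay:                                # offline socket stand-in: canned replies, recorded sends
    def __init__(self, replies):
        self.buf, self.sent = b"".join(replies), []
    def sendall(self, data):
        self.sent.append(data)
    def recv(self, n):
        chunk, self.buf = self.buf[:n], self.buf[n:]
        return chunk

def run_check(conn, bind_dn, password, base, flt, attrs=("cn",)):
    """Monitor steps 3-5: bind, search, count the entries, time the response."""
    start = time.perf_counter()
    conn.sendall(bind_request(1, bind_dn, password))
    mid, tag, op = recv_message(conn)
    if (mid, tag) != (1, BIND_RESP):
        raise ValueError("unexpected reply to bind")
    code, entries = _tlv(op)[1][0], 0        # resultCode is the first LDAPResult field
    if code == 0:                            # 0 = success, 49 = invalidCredentials
        conn.sendall(search_request(2, base, flt, attrs))
        while tag != SEARCH_DONE:
            mid, tag, op = recv_message(conn)
            entries += 1 if tag == SEARCH_ENTRY else 0   # referrals (0x73) are skipped
        code = _tlv(op)[1][0]
        conn.sendall(_seq(_int(3), bytes([0x42, 0x00])))  # UnbindRequest
    ms = round((time.perf_counter() - start) * 1000, 1)
    return {"ok": code == 0, "result_code": code, "entries": entries, "response_ms": ms}
```

To run this against a real directory, open the connection as a TLS socket before handing it to run_check, for example ssl.create_default_context().wrap_socket(socket.create_connection((host, 636)), server_hostname=host): the default context verifies the certificate chain and the hostname, which is what makes the Simple bind's cleartext password safe to send. A plain socket on port 389 works at the protocol level but exposes the monitoring account's password, and StartTLS (an extended operation issued before the bind) is not implemented here. The result dictionary maps onto the monitor's output: entries is the Statistic and response_ms the Response Time.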