How to configure how user accounts authenticate
Users are granted access after validating with OMS or a third-party authentication server like Active Directory, LDAP, RADIUS, or TACACS+.
Rather than maintaining separate user accounts on each asset, all assets on your network can query OMS to authenticate users. OMS can do it using an internally stored list of users and their passwords or forward the authentication request to a third-party authentication server.
1. Starting in the dashboard, click Auth > Authentication.
2. In the Authentication Scheme list, choose:
Active Directory and configure the Active Directory settings.
LDAP and configure the LDAP settings.
Local and configure the list of users and passwords manually.
RADIUS and configure the RADIUS settings.
TACACS+ and configure the TACACS+ settings.
3. Click the accept icon .
 
 
Active Directory settings
Use this information when configuring authentication to use Active Directory.
 
Authentication scheme
The system or service for managing user names, passwords, groups, and authentication can be specified.
 
Local: Exclusively managed within this system.
LDAP: Any LDAP directory service (do not select for configuring Windows Active Directory).
Active Directory: Windows Active Directory service.
RADIUS: RADIUS authentication server.
TACACS+: TACACS+ authentication server.
 
Default User Group
Any end user who is not assigned to a user group is automatically placed into the group chosen from this list and given the permissions it grants. The default is None.
If set to None, any user attempting to log in must already exist in the Users table before any authentication attempt to the third-party authentication server is made. If the attempting user does not exist in the Users table, they are always denied and no authentication attempt is made.
Enable Session Timeout
If selected, user sessions terminate after N minutes of inactivity.
This minimizes the chances of an unattended user session being hijacked.
Session Timeout (Minutes)
Sets the duration of user inactivity before a session terminates.
Valid Input: The default is 0, which means that the session never times out.
Cache authentications (Minutes)
Sets how long, in minutes, successful authentications are cached.
This reduces the frequency of authentication requests made to the third-party authentication server.
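The Default User Group and Cache authentications settings above decide whether a login attempt ever reaches the third-party server. The following is an added example, not OMS code: it models that decision flow with a constructed Users table and a stand-in backend, and the HMAC-keyed cache is this example's own assumption about how a cached success could be stored without keeping reusable password hashes in memory.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the OMS Users table: user name -> assigned user group
# (None means the account exists but has no group assigned).
USERS_TABLE = {"jdoe": "Administrators", "asmith": None}


class AuthGateway:
    """Models the decision flow this page describes; added example, not OMS code."""

    def __init__(self, backend, default_user_group=None, cache_minutes=0):
        self.backend = backend                 # callable(user, pw) -> bool: the AD/LDAP/RADIUS/TACACS+ server
        self.default_user_group = default_user_group
        self.cache_ttl = cache_minutes * 60    # 'Cache authentications (Minutes)'; 0 disables caching
        self._cache = {}                       # cache key -> expiry time (seconds)
        self._key = secrets.token_bytes(32)    # per-process key: cache holds no reusable password hashes (assumption)
        self.backend_calls = 0                 # how many requests reached the third-party server

    def _cache_key(self, user, pw):
        return hmac.new(self._key, f"{user}\0{pw}".encode(), hashlib.sha256).hexdigest()

    def authenticate(self, user, pw, now):
        """Return (authenticated, effective group); 'now' is a timestamp in seconds."""
        # Default User Group = None: an account absent from the Users table is denied
        # outright and no request is made to the third-party server.
        if self.default_user_group is None and user not in USERS_TABLE:
            return (False, None)
        key = self._cache_key(user, pw)
        if self.cache_ttl and self._cache.get(key, 0) > now:
            return (True, self._group_for(user))   # cached success: backend not contacted
        self.backend_calls += 1
        if not self.backend(user, pw):
            self._cache.pop(key, None)
            return (False, None)
        if self.cache_ttl:
            self._cache[key] = now + self.cache_ttl
        return (True, self._group_for(user))

    def _group_for(self, user):
        # A user with no assigned group is placed in the Default User Group.
        return USERS_TABLE.get(user) or self.default_user_group
```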
Server
The host address of the Active Directory server.
Valid Input: Valid addresses include IPv4, IPv6, or DNS name.
Port
The port number of the Active Directory server. The default is 389.
Version
The protocol version of LDAP the Active Directory host uses.
Connection security
The security type for authenticating and encrypting connections.
Base DN
The Base Distinguished Name is the point in the directory tree from which users are verified. This might be the root or some place lower in the tree to limit the number of users returned. Required.
Example: dc=networkinstruments,dc=com
Administrators should find the Base DN directly from the Active Directory server to ensure accuracy.
Domain
The parent domain name.
A fully-qualified domain name (FQDN) does not need to be specified.
Bind DN
The Bind Distinguished Name is required for importing user accounts from the Active Directory server.
The Bind DN user account needs domain user privileges, and administrators should find a suitable Bind DN directly from the Active Directory server to ensure accuracy.
Bind password
The password of the Bind DN.
Timeout in seconds
The duration (in seconds) a connection attempt waits before aborting. The default is 10.
A connection retry attempt is made if this value elapses.
 
 
To use Active Directory, you must configure the Active Directory settings page after OMS is installed.
 
Figure 3: This settings page is located at: Auth > Authentication.
[Image: OMS Active Directory migration aid]
 
LDAP settings
Use this information when configuring authentication to use LDAP.
 
Authentication scheme
The system or service for managing user names, passwords, groups, and authentication can be specified.
 
Local: Exclusively managed within this system.
LDAP: Any LDAP directory service (do not select for configuring Windows Active Directory).
Active Directory: Windows Active Directory service.
RADIUS: RADIUS authentication server.
TACACS+: TACACS+ authentication server.
 
Default User Group
Any end user who is not assigned to a user group is automatically placed into the group chosen from this list and given the permissions it grants. The default is None.
If set to None, any user attempting to log in must already exist in the Users table before any authentication attempt to the third-party authentication server is made. If the attempting user does not exist in the Users table, they are always denied and no authentication attempt is made.
Enable Session Timeout
If selected, user sessions terminate after N minutes of inactivity.
This minimizes the chances of an unattended user session being hijacked.
Session Timeout (Minutes)
Sets the duration of user inactivity before a session terminates.
Valid Input: The default is 0, which means that the session never times out.
Cache authentications (Minutes)
Sets how long, in minutes, successful authentications are cached.
This reduces the frequency of authentication requests made to the third-party authentication server.
Server
The host address of the LDAP server. Required.
Valid Input: Valid addresses include IPv4, IPv6, or DNS name.
Port
The port number accepting connections to the LDAP server. The default is 389.
Version
The LDAP protocol version the LDAP server uses.
Connection security
The security type for authenticating and encrypting connections.
Base DN
The Base Distinguished Name is the point in the directory tree from which users are verified. This might be the root or some place lower in the tree to limit the number of users returned. Required.
Example: dc=networkinstruments,dc=com
Administrators should find the Base DN directly from the LDAP server to ensure accuracy.
Bind DN
The Bind Distinguished Name (Bind DN) is required for importing user accounts from the LDAP server.
The Bind DN user account needs domain user privileges, and administrators should find a suitable Bind DN directly from the LDAP server to ensure accuracy.
Bind password
The password of the user account set in 'Bind DN'.
Timeout in seconds
The duration a connection attempt waits before aborting.
A connection retry attempt is made if this value elapses.
Synchronize LDAP groups with OMS
If selected, specified LDAP groups are brought directly into OMS as dynamic user groups. Any addition or removal of users in an underlying LDAP group will affect the OMS user group in the same manner.
You must designate which LDAP groups are used for this purpose by writing an LDAP query in Group filter.
Synchronization
LDAP group synchronization can be performed automatically or manually.
 
Periodic: Automatically synchronize with LDAP at recurring periods.
Manual: Require manual synchronizations, and never synchronize automatically.
 
With either choice, you can always synchronize by clicking ‘Synchronize Now’.
Synchronization Rate (hours)
Sets how frequently OMS synchronizes with the LDAP server, in hours.
Each synchronization, OMS refreshes imported LDAP groups with any user additions and removals that occurred on the LDAP server during that time.
Valid Input: Valid values are 1-24.
Group DN
The Group Distinguished Name is the point in the directory tree under which groups are searched.
Example: ou=MIN,ou=USA,ou=UserGroups -or- ou=Groups,ou=Security
This might be the beginning of all groups or some place lower in the tree to limit the number of groups returned.
Group filter
The full LDAP query that determines which LDAP groups are imported and synchronized as OMS user groups.
LDAP groups that are returned by your query become OMS user groups.
Example: (&(objectCategory=Group)(cn=USA-MIN-USERS-Net-Administrators))
Valid Input: The maximum number of characters is 16383.
Group ID attribute
The attribute in which the ID for each group is stored.
If no group ID attribute is provided, then IDs are created automatically.
Example: uidNumber -or- objectGUID
Group name attribute
The attribute in which the desired group name for each group is stored. Required.
When synchronizing groups, the value in this attribute is mapped to the Group Name field in the User Groups table.
Example: cn -or- displayName
Group description attribute
The attribute in which the desired description for each group is stored.
When synchronizing groups, the value in this attribute is mapped to the Description field in the User Groups table.
Example: (&(objectCategory=group)(description=*))
User DN
The User Distinguished Name (DN) is a user that authenticates to the LDAP tree using a bind request. This user must have access to search all or part of the LDAP directory tree. If left blank, an anonymous bind request is used.
 
Use a User DN if:
Your LDAP installation does not support anonymous bind, and you do not want to save a Bind DN and password.
You have a fairly simple LDAP hierarchy and want to skip the initial search for users.
You want to restrict who can log on. This is done through the Base DN.
The Bind DN is different from where the user object is located.
 
User filter
The user filter restricts who may use the Observer Platform. The filter limits what part of the LDAP tree is used to validate user accounts so that OMS does not have large lists of users who do not require access to the Observer Platform. Required.
Example: (&(objectClass=person)(uid=$1)) finds all entries with an objectClass of 'person' where the uid is the User DN (represented by $1), including 'anonymous'.
Valid Input: The maximum number of characters is 16383.
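Because the login name is substituted for $1 inside the configured User filter, the value must be escaped before it is spliced in, otherwise characters such as `*`, `(` or `)` in a login name alter the filter's structure instead of being matched literally. The following is an added example, not OMS code: it performs the $1 substitution with RFC 4515 escaping and enforces the 16383-character limit stated above, using the page's example filter as the template.

```python
# Added example (not Observer OMS code): the User filter's '$1' substitution
# with the login name escaped per RFC 4515, plus the stated length limit.
MAX_FILTER_LEN = 16383  # 'Valid Input' limit for the User filter

# Characters with structural meaning inside an LDAP filter and their escapes.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}

# The example filter given on this page.
USER_FILTER = "(&(objectClass=person)(uid=$1))"


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(template: str, username: str) -> str:
    """Replace every '$1' in the configured User filter with the escaped login name."""
    if "$1" not in template:
        raise ValueError("User filter template has no $1 placeholder")
    result = template.replace("$1", escape_filter_value(username))
    if len(result) > MAX_FILTER_LEN:
        raise ValueError("expanded filter exceeds %d characters" % MAX_FILTER_LEN)
    return result


if __name__ == "__main__":
    # Constructed login names; the second contains filter metacharacters.
    for name in ("jdoe", "a*b"):
        print(name, "->", build_user_filter(USER_FILTER, name))
```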
User ID attribute
The name of the attribute in which the user ID for each user is stored. If no user ID attribute is provided, then IDs are created sequentially starting with 90000000.
Username attribute
The name of the attribute in which the user name for each user is stored. Required. This is used primarily when importing users. When importing users, values in the uid attribute are mapped to the Username field for display in the Users list.
User description attribute
The name of the attribute in which the description for each user is stored. This is used primarily when importing users. When importing users, values in the displayName attribute are mapped to the Description field for display in the Users list.
 
Understanding how OMS authenticates with LDAP
OMS authenticates with the LDAP server when a bind request is accepted.
 
To authenticate with the LDAP server, the following steps are performed for a bind request:
 
 
RADIUS settings
Use this information when configuring authentication to use RADIUS.
 
You can use your RADIUS server to authenticate users, but you cannot import a list of users from it. You can, however, manually enter them or get a list of users from your domain server and then switch the authentication type.
You define primary and secondary RADIUS servers. Refer to the documentation of your third-party RADIUS server for more details. Choosing RADIUS authentication requires you to enter the IP address of the RADIUS server, along with a "shared secret" that matches a secret on the RADIUS server.
Authentication scheme
The system or service for managing user names, passwords, groups, and authentication can be specified.
 
Local: Exclusively managed within this system.
LDAP: Any LDAP directory service (do not select for configuring Windows Active Directory).
Active Directory: Windows Active Directory service.
RADIUS: RADIUS authentication server.
TACACS+: TACACS+ authentication server.
 
Default User Group
Any end user who is not assigned to a user group is automatically placed into the group chosen from this list and given the permissions it grants. The default is None.
If set to None, any user attempting to log in must already exist in the Users table before any authentication attempt to the third-party authentication server is made. If the attempting user does not exist in the Users table, they are always denied and no authentication attempt is made.
Enable Session Timeout
If selected, user sessions terminate after N minutes of inactivity.
This minimizes the chances of an unattended user session being hijacked.
Session Timeout (Minutes)
Sets the duration of user inactivity before a session terminates.
Valid Input: The default is 0, which means that the session never times out.
Cache authentications (Minutes)
Sets how long, in minutes, successful authentications are cached.
This reduces the frequency of authentication requests made to the third-party authentication server.
Shared secret
Providing the shared secret, a text string, is necessary for authenticating with the RADIUS host.
Authentication type
The authentication method of the server(s) must be specified.
Server
One RADIUS server is required. If two servers are declared, the first server is used unless unreachable.
Valid Input: Valid addresses include IPv4, IPv6, or DNS name.
Port
Modern port assignments for RADIUS access servers are UDP 1812 and 1813.
Legacy port assignments are still common: UDP 1645 and 1646.
Retry attempts
The maximum number of connection retries per authentication attempt.
If the maximum is reached, no further retries occur until the next authentication attempt.
Valid Input: Valid values are 0-9.
Timeout in seconds
The duration a connection attempt waits before aborting.
A connection retry attempt is made if this value elapses.
 
TACACS+ settings
Use this information when configuring authentication to use TACACS+.
 
You can use your TACACS+ server to authenticate users, but you cannot import a list of users from it. You can, however, manually enter them or get a list of users from your domain server and then switch the authentication type.
You define primary and secondary TACACS+ servers. Refer to the documentation of your third-party TACACS+ server for more details. Choosing TACACS+ authentication requires you to enter the IP address of the TACACS+ server, along with a "shared secret" that matches a secret on the TACACS+ server.
Authentication scheme
The system or service for managing user names, passwords, groups, and authentication can be specified.
 
Local: Exclusively managed within this system.
LDAP: Any LDAP directory service (do not select for configuring Windows Active Directory).
Active Directory: Windows Active Directory service.
RADIUS: RADIUS authentication server.
TACACS+: TACACS+ authentication server.
 
Default User Group
Any end user who is not assigned to a user group is automatically placed into the group chosen from this list and given the permissions it grants. The default is None.
If set to None, any user attempting to log in must already exist in the Users table before any authentication attempt to the third-party authentication server is made. If the attempting user does not exist in the Users table, they are always denied and no authentication attempt is made.
Enable Session Timeout
If selected, user sessions terminate after N minutes of inactivity.
This minimizes the chances of an unattended user session being hijacked.
Session Timeout (Minutes)
Sets the duration of user inactivity before a session terminates.
Valid Input: The default is 0, which means that the session never times out.
Cache authentications (Minutes)
Sets how long, in minutes, successful authentications are cached.
This reduces the frequency of authentication requests made to the third-party authentication server.
Shared secret
Providing the pre-shared key, a secret text string, is necessary for authenticating with the TACACS+ host.
Authentication type
The authentication protocol over which the TACACS+ server accepts requests must be specified.
Server
One TACACS+ server is required. If two servers are declared, the first server is used unless unreachable.
Valid Input: Valid addresses include IPv4, IPv6, or DNS name.
Port
The standard port assignment for TACACS+ login is TCP port 49.
Some deployments might use a different port number.