Authentication and Authorization Using LDAP
- 03 Apr 2024
Authentication
The diagram in Figure 1 shows the authentication flow in IAP using LDAP.
Figure 1: Authentication Flow Using LDAP
- User provides username and password.
- LDAP server in the AAA platform authenticates the user and returns one of the following:
  - Reject: IAP displays "Invalid credentials."
  - Access-Accept: IAP allows the user to log in.
  - Challenge: IAP displays "Generate token and retry."
- The AAA platform also returns a vendor-specific attribute (Type 2 per RFC 2865, 5.6). For example:
  - Vendor ID = 47688 (Itential)
  - Name = Itential-user-Group
  - Number = 1
  - Value = User group of the user obtained from LDAP.
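The following Python block is an added example, not Itential's or the AAA platform's code. It decodes a reply from the AAA platform the way the login flow above interprets it: the reply code selects IAP's action (Reject, Access-Accept or Challenge), and the user's group is read out of the vendor-specific attribute. It assumes the reply is a RADIUS packet laid out as in RFC 2865, with the group carried in the Vendor-Specific attribute (attribute Type 26, defined in RFC 2865 section 5.26) under Vendor ID 47688 and vendor-type 1 (Itential-user-Group) as the article lists; the shared secret, authenticator bytes and group names are constructed sample values. It also verifies the Response Authenticator before trusting the group, and bounds-checks every attribute length, which are the two checks a client of this flow must not skip.

```python
"""Added example, not Itential's or the AAA platform's code: decode the reply
the AAA platform sends back the way the IAP login flow interprets it.
Assumptions: RADIUS layout per RFC 2865; group in the Vendor-Specific
attribute (Type 26, section 5.26) with Vendor-Id 47688 and vendor-type 1
as the article lists. Secret and authenticators are constructed samples."""
import hashlib
import hmac
import struct
from typing import Optional

ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 2, 3, 11   # RFC 2865 codes
VENDOR_SPECIFIC = 26
ITENTIAL_VENDOR_ID = 47688      # from the article
ITENTIAL_USER_GROUP = 1         # vendor-type of Itential-user-Group, from the article

# What the article says IAP does for each outcome.
IAP_ACTION = {
    ACCESS_REJECT: 'display "Invalid credentials."',
    ACCESS_ACCEPT: "allow login",
    ACCESS_CHALLENGE: 'display "Generate token and retry."',
}

def iter_attributes(attrs: bytes):
    """Yield (type, value) pairs; raise on a bad length so a truncated or
    malformed attribute can never make the parser read past the buffer."""
    pos = 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        yield atype, attrs[pos + 2:pos + alen]
        pos += alen

def itential_group(value: bytes) -> Optional[str]:
    """Group carried in one Vendor-Specific value, or None if the attribute
    belongs to another vendor or carries another vendor-type."""
    if len(value) < 6:
        raise ValueError("vendor-specific attribute too short")
    vendor_id = struct.unpack("!I", value[:4])[0]
    vtype, vlen = value[4], value[5]
    if vlen < 2 or 4 + vlen > len(value):
        raise ValueError("bad vendor-length")
    if vendor_id != ITENTIAL_VENDOR_ID or vtype != ITENTIAL_USER_GROUP:
        return None
    return value[6:4 + vlen].decode("ascii")

def response_authenticator_ok(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """RFC 2865 section 3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret).
    Skipping this check means trusting a group from whoever answered first."""
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def interpret_reply(packet: bytes, request_auth: bytes, secret: bytes) -> dict:
    """Map a verified RADIUS reply to IAP's action and the LDAP group it carries."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    if not response_authenticator_ok(packet, request_auth, secret):
        raise ValueError("response authenticator mismatch; reply not trusted")
    if code not in IAP_ACTION:
        raise ValueError(f"unexpected RADIUS code {code}")
    group = None
    for atype, value in iter_attributes(packet[20:]):
        if atype == VENDOR_SPECIFIC:
            group = itential_group(value) or group
    return {"code": code, "action": IAP_ACTION[code], "group": group}

SAMPLE_REQUEST_AUTH = bytes(range(16))          # constructed, not a capture
SAMPLE_SECRET = b"constructed-shared-secret"    # constructed, not a real secret

def build_reply(code: int, group: Optional[str] = None,
                request_auth: bytes = SAMPLE_REQUEST_AUTH,
                secret: bytes = SAMPLE_SECRET) -> bytes:
    """Constructed sample reply carrying an optional Itential-user-Group VSA."""
    attrs = b""
    if group is not None:
        data = group.encode("ascii")
        vsa = struct.pack("!IBB", ITENTIAL_VENDOR_ID, ITENTIAL_USER_GROUP, 2 + len(data)) + data
        attrs = bytes([VENDOR_SPECIFIC, 2 + len(vsa)]) + vsa
    head = struct.pack("!BBH", code, 1, 20 + len(attrs))
    resp_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + resp_auth + attrs

if __name__ == "__main__":
    for code, grp in ((ACCESS_ACCEPT, "netops"), (ACCESS_REJECT, None), (ACCESS_CHALLENGE, None)):
        print(interpret_reply(build_reply(code, grp), SAMPLE_REQUEST_AUTH, SAMPLE_SECRET))
```

Running the block prints the three outcomes the article describes; only the Access-Accept carries a group, and a reply whose authenticator was computed with a different secret, or whose attribute lengths do not add up, is rejected before any group is read.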
Authorization
The diagram in Figure 2 illustrates both authorization and authentication between IAP and NSO using LDAP.
Figure 2: Authentication and Authorization
- User groups are defined manually in IAP. Matching user groups are added to the LDAP server in the AAA platform; the customer must have these user groups configured on the LDAP server.
- LDAP server authenticates the user.
- LDAP server authorizes the user.
- LDAP server returns the groups associated with the user.
- User receives the authentication token.
- IAP sends a request to NSO with the user and token.
Multi-Tenancy
The following applies when using multi-tenancy:
- NSO sends a whoami API request to IAP.
- IAP returns the group to NSO.
- NSO checks the NACM rules for the user/group to determine what the user can access.
- NSO will either accept or reject access.
Note: Multi-tenancy is not required for most implementations.
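The following Python block is an added example, not NSO's or IAP's code. It walks the multi-tenancy sequence above end to end: NSO presents the user's token to a stand-in for IAP's whoami endpoint, gets the user's groups back, and then evaluates NACM rule-lists for those groups with the first-match semantics of RFC 8341 (rule-lists in order, rules in order, first match wins, defaults otherwise). The tokens, user names, group names, rule-lists and data paths are all constructed sample data, and the path matching is a plain prefix test rather than NSO's real path evaluation; nothing here comes from an actual NSO configuration.

```python
"""Added example, not NSO's or IAP's code: the whoami step followed by a
first-match evaluator for NACM rule-lists (RFC 8341), showing how the group
IAP returns ends in an accept or a reject. All tokens, users, groups,
rule-lists and paths are constructed sample data."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class Rule:
    name: str
    action: str                    # "permit" or "deny"
    path: str = "/"                # covers every data node under this prefix
    access_operations: str = "*"   # RFC 8341 bits: create read update delete exec, or "*"

    def matches(self, path: str, operation: str) -> bool:
        ops = self.access_operations.split()
        return path.startswith(self.path) and ("*" in ops or operation in ops)

@dataclass
class RuleList:
    name: str
    groups: List[str]              # "*" applies to every group
    rules: List[Rule] = field(default_factory=list)

    def applies_to(self, user_groups: List[str]) -> bool:
        return "*" in self.groups or any(g in self.groups for g in user_groups)

@dataclass
class Nacm:
    read_default: str = "permit"   # RFC 8341 default values
    write_default: str = "deny"
    exec_default: str = "permit"
    rule_lists: List[RuleList] = field(default_factory=list)

    def decide(self, user_groups: List[str], path: str, operation: str) -> str:
        """First matching rule wins, in rule-list order; otherwise the defaults."""
        for rl in self.rule_lists:
            if not rl.applies_to(user_groups):
                continue
            for rule in rl.rules:
                if rule.matches(path, operation):
                    return rule.action
        if operation == "read":
            return self.read_default
        if operation == "exec":
            return self.exec_default
        return self.write_default  # create, update, delete

# Constructed IAP session table standing in for the whoami endpoint.
SESSIONS: Dict[str, dict] = {
    "tok-alice": {"user": "alice", "groups": ["tenant-a-ops"]},
    "tok-bob":   {"user": "bob",   "groups": ["tenant-b-ops"]},
    "tok-root":  {"user": "root",  "groups": ["ncsadmin"]},
}

def iap_whoami(token: str) -> Optional[dict]:
    """What IAP answers when NSO presents the user's token: user and groups, or None."""
    return SESSIONS.get(token)

# Constructed rule-lists: tenant A may read/update only its own devices, admins
# may do anything, and everyone else falls through to an explicit deny.
SAMPLE_NACM = Nacm(rule_lists=[
    RuleList("tenant-a", ["tenant-a-ops"], [
        Rule("own-devices", "permit", "/devices/device[tenant-a-", "read update"),
        Rule("other-devices", "deny", "/devices/", "*"),
    ]),
    RuleList("admins", ["ncsadmin"], [Rule("anything", "permit")]),
    RuleList("everyone", ["*"], [Rule("catch-all", "deny")]),
])

def authorize(token: str, path: str, operation: str, nacm: Nacm = SAMPLE_NACM) -> str:
    """The multi-tenancy sequence: whoami, then the NACM decision for the group."""
    who = iap_whoami(token)
    if who is None:
        return "reject"            # unknown or expired token: no group, no access
    return "accept" if nacm.decide(who["groups"], path, operation) == "permit" else "reject"

if __name__ == "__main__":
    for tok, path, op in (("tok-alice", "/devices/device[tenant-a-rtr1]/config", "read"),
                          ("tok-alice", "/devices/device[tenant-b-rtr1]/config", "read"),
                          ("tok-alice", "/devices/device[tenant-a-rtr1]", "delete"),
                          ("tok-root", "/devices/device[tenant-b-rtr1]", "delete"),
                          ("tok-nobody", "/devices/device[tenant-a-rtr1]", "read")):
        print(tok, op, path, "->", authorize(tok, path, op))
```

The order of rule-lists matters: the tenant's deny on every other device sits before the catch-all, so a user whose group matches no tenant rule-list still ends at an explicit deny rather than at the RFC 8341 read-default of permit. Leaving that catch-all out would let any group IAP returns read the whole device tree.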