LDAP
- Last Updated: April 5, 2026
LDAP and tenants
In the current version, users from LDAP and TACACS+ are created in the base tenant only.
For proper functionality, the LDAP server has to support the memberOf function, that is, each account entry must expose the groups it belongs to (Active Directory provides this natively; OpenLDAP provides it through the memberof overlay).
If you are using OpenLDAP as your LDAP server, ensure that every group entry has the attribute objectClass set to either groupOfUniqueNames or groupOfNames, and that every account entry has the attribute objectClass set to person.
User authentication can be done either against the local database or against a directory service, for example an LDAP server.
Information about LDAP settings:
- Server: the IP address or domain name of the LDAP server.
- Port: the TCP port; the default is 389, or 636 for encrypted (SSL) connections. The port and the SSL setting must match, otherwise the connection test fails at the LDAP Connect stage.
- Timeout in seconds: how long to wait for the LDAP response. Set this value higher if you are using two-factor authentication.
- Server type: select Active Directory or OpenLDAP as the Server type if Autodetect does not work correctly.
- User bind DN: the full DN of the account Flowmon uses for the LDAP connection. This account only needs to read user and group entries, so use a dedicated read-only account rather than a directory administrator.
Attention: in Active Directory the cn value is the account's first name and surname, so the bind DN must contain both. The Flowmon login is taken from the sAMAccountName value.
| LDAP Service | User Bind DN |
|---|---|
| Active Directory / LDAP | CN=Administrator Name,CN=Users,DC=invea,DC=cz |
| Directory Server / OpenLDAP | uid=administrator,ou=People,dc=invea,dc=cz |
- Password: the password of the account in User bind DN.
- Base DN: the default search point. Only users in this node and its subnodes can access Flowmon. The Base DN is usually just the domain components (for example, DC=invea,DC=cz).
- Use custom UID: the LDAP attribute that is compared with the Flowmon login. The default is uid (OpenLDAP) or sAMAccountName (Active Directory).
- Use custom group DN: a different default search point for groups. If selected, only groups in this node and its subnodes are used by Flowmon.
- User defined group prefix: the prefix of the Flowmon groups in LDAP (see below).
- Group delimiter: the delimiter character between the group prefix and the role name.
- Use group nesting: in an LDAP directory, a nested group is a child group entry whose DN (Distinguished Name) is referenced by an attribute of a parent group entry. Flowmon can use this nesting to inherit access rights.
- Group nesting type:
  - Inherit from parent: groups inherit access rights from their parent groups.
  - Obtain from child: groups inherit access rights from their child groups.
- Enable mapping: if enabled, existing LDAP groups can be mapped to one or more Flowmon roles. Every user that is a member of a mapped group gets the access rights of the mapped roles.
Connection Errors
- LDAP Connect: the TCP or SSL connection could not be established. Check the server address, the port, and whether the SSL setting matches the port (389 plain, 636 SSL).
- LDAP Bind: the directory rejected the User bind DN or the password. Check both values and the DN format for your server type (see the table above).
- LDAP Search: the search under the Base DN (or the custom group DN, if set) returned no groups. Check that the search point is correct and contains the groups Flowmon should use.
If the connection test succeeds, save your settings by clicking Save.
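To tell the connect and bind stages apart from the command line, here is an added example that is not Flowmon's code: a stdlib-only Python probe that opens the socket (plain or SSL), sends an LDAPv3 simple bind for the User bind DN, and decodes the result code of the BindResponse. The host, bind DN and password in the `__main__` block are placeholders, and the LDAP Search stage is not probed.

```python
# Added example, not part of the Flowmon documentation or product: a stdlib-only
# LDAPv3 simple-bind probe that separates the "LDAP Connect" and "LDAP Bind"
# failure stages. Host, DN and password at the bottom are placeholders.
import socket
import ssl


def ber_len(n):
    """BER length: short form below 128, otherwise 0x80|count followed by the bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(value):
    """INTEGER (tag 0x02); non-negative values only, enough for messageID and version."""
    return tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def bind_request(msg_id, bind_dn, password):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }."""
    op = ber_int(3) + tlv(0x04, bind_dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, ber_int(msg_id) + tlv(0x60, op))


def parse_tlv(buf, pos):
    """Decode one tag-length-value starting at pos; returns (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(msg):
    """Return (messageID, resultCode, diagnosticMessage) from a BindResponse [APPLICATION 1]."""
    tag, body, _ = parse_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, msg_id, pos = parse_tlv(body, 0)
    tag, op, _ = parse_tlv(body, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, pos = parse_tlv(op, 0)          # resultCode ENUMERATED
    _, _matched_dn, pos = parse_tlv(op, pos)  # matchedDN
    _, diag, _ = parse_tlv(op, pos)           # diagnosticMessage
    return (int.from_bytes(msg_id, "big"), int.from_bytes(code, "big"),
            diag.decode("utf-8", "replace"))


RESULT_CODES = {0: "success", 32: "noSuchObject", 34: "invalidDNSyntax",
                49: "invalidCredentials", 53: "unwillingToPerform"}


def classify(code):
    """Map a bind resultCode to the error category the configuration page reports."""
    if code == 0:
        return "OK"
    return "LDAP Bind: bad User bind DN or user password (%s)" % RESULT_CODES.get(code, code)


def probe(host, port, bind_dn, password, use_ssl=False, timeout=5.0):
    """Connect (optionally over SSL), send a simple bind, report which stage failed.
    Network call, not exercised offline. A simple bind on plain port 389 sends the
    password in cleartext, so use 636 with use_ssl=True outside an isolated lab."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
        if use_ssl:
            sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    except OSError as exc:
        return "LDAP Connect: bad server, port, or use of SSL encryption (%s)" % exc
    with sock:
        sock.sendall(bind_request(1, bind_dn, password))
        _, code, diag = parse_bind_response(sock.recv(4096))
    return classify(code) + (" - " + diag if diag else "")


if __name__ == "__main__":
    # Placeholders: replace with your LDAP server and bind account.
    print(probe("ldap.example.invalid", 636, "uid=administrator,ou=People,dc=invea,dc=cz",
                "change-me", use_ssl=True))
```

A response with resultCode 49 (invalidCredentials) means the server was reached and the User bind DN or password is wrong; an exception before any response means the address, port or SSL choice is wrong. `ssl.create_default_context()` verifies the server certificate, so a certificate error here also shows up as an LDAP Connect failure, which is the same behaviour you want from the Flowmon SSL setting.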
If LDAP support is enabled, the system works as follows:
- During user log-in, the Flowmon server tries to connect to the LDAP server.
  - Success: the connection is established and the credentials check below is performed.
  - Failure: the connection failed and an error message is displayed. In this case the admin user, who does not use LDAP authentication, can still log into the system, as can other users stored in the local database who are not in LDAP.
- A credentials check is performed.
  - Success: the user is authenticated. On the first login, the user account is created in the local database from the LDAP account. On every later login, the local account data is compared with the LDAP account data; if a difference is found, the current data is retrieved from LDAP, and any change to the local user account is reported by an information message.
  - Failure: authentication failed and the user is asked to enter new credentials.
- The user admin is handled specially: for this account the data is always taken from the local database and the LDAP account is never used.
User roles and access-rights settings for LDAP user
The LDAP user is automatically assigned roles according to their groups in LDAP. To assign a role to a user, the group name must be in the format <group prefix><delimiter><role name>, where the prefix is the User defined group prefix and the delimiter is the Group delimiter configured above.
The group delimiter is either a dash or an underscore character.
Users assigned to group
Role mapping and nesting examples
1. Inherit from parent option
There are LDAP groups A, A1, and A2; A1 and A2 are children of group A.
There is an existing role in Flowmon called A.
Role A has defined permissions and access to Flow Source 1.
Group A is mapped to role A.
Groups A1 and A2 are children of group A, so they inherit the access rights of role A, including access to Flow Source 1.
2. Obtain from child option
There are LDAP groups A, A1, and A2; A1 and A2 are children of group A.
There are existing roles in Flowmon called A and B.
Role A has defined permissions and access to Flow Source 1.
Role B has defined permissions and access to Flow Source 2.
Group A1 is mapped to role A.
Group A2 is mapped to role B.
Group A is the parent of groups A1 and A2, so it obtains the access rights of both roles A and B, including access to Flow Source 1 and Flow Source 2.
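The OpenLDAP requirements from the start of the page (group and account object classes, memberOf) and the two nesting examples, worked through in code. This is an added example and not Flowmon's implementation: the LDIF directory snapshot is constructed, and the prefix `flowmon`, the delimiter `_`, the group names A, A1, A2 and the role names are assumptions. It goes slightly beyond the page by combining, in one resolver, explicit group-to-role mapping, prefix/delimiter naming and nesting with a guard against group cycles.

```python
# Added example, not Flowmon's code: derive a user's Flowmon roles from an LDAP
# directory the way the page describes, from a constructed LDIF snapshot.
# Group/role names (A, A1, A2, B), prefix "flowmon" and delimiter "_" are
# assumptions for illustration.
from collections import defaultdict

GROUP_CLASSES = {"groupofnames", "groupofuniquenames"}  # required by the page
MEMBER_ATTRS = ("member", "uniquemember")

# Constructed sample: group A references A1 and A2 by DN (nested groups),
# flowmon_viewer follows the prefix/delimiter naming, accounts are 'person'.
SAMPLE_LDIF = """\
dn: cn=A,ou=Groups,dc=invea,dc=cz
objectClass: groupOfNames
member: cn=A1,ou=Groups,dc=invea,dc=cz
member: cn=A2,ou=Groups,dc=invea,dc=cz
member: uid=alice,ou=People,dc=invea,dc=cz

dn: cn=A1,ou=Groups,dc=invea,dc=cz
objectClass: groupOfNames
member: uid=bob,ou=People,dc=invea,dc=cz

dn: cn=A2,ou=Groups,dc=invea,dc=cz
objectClass: groupOfNames

dn: cn=flowmon_viewer,ou=Groups,dc=invea,dc=cz
objectClass: groupOfUniqueNames
uniqueMember: uid=bob,ou=People,dc=invea,dc=cz

dn: uid=alice,ou=People,dc=invea,dc=cz
objectClass: person

dn: uid=bob,ou=People,dc=invea,dc=cz
objectClass: person
"""


def parse_ldif(text):
    """Minimal LDIF parser (no base64 or continuation lines): {dn: {attr: [values]}}."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value, defaultdict(list))
        elif current is not None:
            current[attr].append(value)
    return entries


classes = lambda entry: {c.lower() for c in entry.get("objectclass", [])}


def check_object_classes(entries):
    """DNs under the Base DN that are neither a supported group class nor 'person'."""
    return [dn for dn, e in entries.items()
            if not classes(e) & GROUP_CLASSES and "person" not in classes(e)]


def membership(entries):
    """member DN -> group DNs (what the memberOf overlay exposes) and
    parent group -> child groups (groups referenced by DN inside a group)."""
    member_of, children = defaultdict(set), defaultdict(set)
    for gdn, entry in entries.items():
        if not classes(entry) & GROUP_CLASSES:
            continue
        for attr in MEMBER_ATTRS:
            for mdn in entry.get(attr, []):
                member_of[mdn].add(gdn)
                if mdn in entries and classes(entries[mdn]) & GROUP_CLASSES:
                    children[gdn].add(mdn)
    return member_of, children


def effective_roles(gdn, children, mapping, prefix, delim, nesting, seen):
    """Roles of one group: explicit mapping, prefix naming, and roles obtained
    through nesting. 'seen' guards against group cycles, which LDAP allows."""
    if gdn in seen:
        return set()
    seen.add(gdn)
    name = gdn.split(",", 1)[0].split("=", 1)[1]  # RDN value, e.g. "A1"
    roles = set(mapping.get(name, ()))
    if name.startswith(prefix + delim):
        roles.add(name[len(prefix) + len(delim):])
    if nesting == "inherit_from_parent":  # walk up to the groups that reference us
        related = {p for p, kids in children.items() if gdn in kids}
    elif nesting == "obtain_from_child":  # walk down to the groups we reference
        related = children.get(gdn, set())
    else:
        related = set()
    for other in related:
        roles |= effective_roles(other, children, mapping, prefix, delim, nesting, seen)
    return roles


def user_roles(user_dn, entries, mapping, nesting, prefix="flowmon", delim="_"):
    """Union of the effective roles of every group the user is a direct member of."""
    member_of, children = membership(entries)
    roles = set()
    for gdn in member_of.get(user_dn, ()):
        roles |= effective_roles(gdn, children, mapping, prefix, delim, nesting, set())
    return roles
```

With `mapping = {"A": {"A"}}` and `nesting="inherit_from_parent"`, bob (a member of A1) receives role A through A1's parent, plus `viewer` from the `flowmon_viewer` group name; with `mapping = {"A1": {"A"}, "A2": {"B"}}` and `nesting="obtain_from_child"`, alice (a member of A) receives both A and B, which is the second example on the page. The page does not say how Flowmon combines explicit mapping with prefix naming when both apply to one group, so the resolver simply takes the union of both.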