Mideye Server 6 - LDAP Profiles
The Mideye server can read user data from external LDAP user repositories and delegate the verification of the static user password to the repository. To find user accounts, LDAP repositories are assigned to RADIUS clients via the Web GUI → RADIUS Settings → RADIUS Clients → User Repositories. If the username also matches an existing hybrid LDAP user account in the Mideye Server database, user data specified in the hybrid account will complement/overwrite the user data obtained from the LDAP repository.
General
Mideye Server 6 currently supports preconfigured settings for the following repositories:
- Active Directory
- eDirectory
- Sun Directory Server
- Lotus Domino
- OpenLDAP
Complete the following steps to configure Mideye Server to read from a directory:
- LDAP Profile: Give the LDAP Profile a unique friendly name.
- LDAP Server Type: Choose from the dropdown list what kind of directory should be integrated. In this guide, Active Directory will be configured.
- Hostname: Enter the FQDN or the IP address of the LDAP server. Note that with LDAPS, only an FQDN is accepted.
- Port: The default port for unencrypted bindings is tcp/389. If a Certificate Authority is installed on the Domain Controller, port tcp/636 can be used to encrypt the connection between the Mideye Server and the Domain Controller. When using an encrypted connection, make sure to check “Use LDAPS” and import the certificate from the Certificate Authority. This can be done by clicking the “Fetch Certificate” button.
- LDAP service account: Mideye Server needs a service account and password from the directory to be able to read LDAP data. This account needs the “Domain User” permission. Enter the username in DN or UPN format and add the password. Remember to check the flag “Password never expires”.
- Skip Certificate Validation: Check this box to ignore certificate validation. This facilitates automation of LDAP profile provisioning via the server REST API. Be advised that this should be enabled with caution since Mideye Server will not validate the certificate, and could potentially lead to a man-in-the-middle-attack (MITM).
- Search Base: Add the search base where the users are located in the directory repository.
- Test Connection: Click the Test connection button to verify that it is properly setup.
- Network Policy Server: When authentication using MSCHAP-V2 or EAP-MSCHAP-V2 is used, a Network Policy Server must be integrated with the LDAP profile. All requests that use these protocols will be proxied to an NPS server for user authentication.
Note
The default validity length of the certificate used for encrypted traffic between the Mideye Server and the Domain Controller is one year. When this certificate expires, the new certificate must be fetched manually by adding it using the “Get Certificate” button. Be advised that once the old certificate has expired and the new certificate has not yet been added, all authentication using the LDAP server will fail. See section Extend LDAPS validation time on how to increase the time from 2 years.
Use the “Find User” button to verify that users included in the search base can be found. The user identity attributes sAMAccountName and userPrincipalName are enabled by default.
User Attributes
- Object Class: The default value for Active Directory is “person” and should not be changed.
- User Identity: The attributes populated by default are sAMAccountName and userPrincipalName. These attributes are used to identify the username when authenticating.
- Mobile Phone Number: Attribute used to find the user's phone number. The default value is mobile, but this can be customized to any other attribute. Two or more attributes can also be specified, meaning that Mideye Server will start searching for data in the first attribute and continue with the next attribute if the field is empty. Example: otherMobile,Mobile.
- Token Number: Attribute used to find the user's token number. The default value is ipPhone, but this can be customized to any other attribute.
- TOTP Secret Cipher Attribute: By specifying an LDAP repository attribute, users' TOTP seeds will be stored in the LDAP repository instead of in the database. To see how to configure this part, read this part of the documentation.
- Enable Logging LDAP Attributes: If enabled, the LDAP attributes added to the LDAP-attributes field will be logged with the returning LDAP-value to the logfile. This value can also be shown in detailed authentication logs when the “Store LDAP Attributes in Authentication Logs” box is checked.
Group Check
To further control permissions, a group check can be configured that controls which users should be able to access the resource protected with Mideye. This is done by adding the DN of a group in LDAP. Wildcards/Java regular expressions, e.g. CN=Mideye-administrators.*, are supported.
If the group specified contains groups inside, make sure to enable “Search nested groups” in the Active Directory tab.
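The following is an added illustration of how the group check above behaves, not code from the Mideye Server; it uses a constructed in-memory directory of group memberships and Python's re.fullmatch as a stand-in for Java's whole-string regex matching, and shows why “Search nested groups” is needed for members of a group nested inside the matched group.

```python
import re
from typing import Dict, Optional, Set

# Constructed sample directory: group DN -> member DNs (users or other groups).
GROUPS: Dict[str, Set[str]] = {
    "CN=Mideye-administrators,OU=Groups,DC=example,DC=com": {
        "CN=Alice,OU=Users,DC=example,DC=com",
        "CN=Helpdesk,OU=Groups,DC=example,DC=com",  # a nested group
    },
    "CN=Helpdesk,OU=Groups,DC=example,DC=com": {
        "CN=Bob,OU=Users,DC=example,DC=com",
    },
    "CN=VPN-Users,OU=Groups,DC=example,DC=com": {
        "CN=Carol,OU=Users,DC=example,DC=com",
    },
}


def expand_members(group_dn: str, groups: Dict[str, Set[str]], nested: bool,
                   seen: Optional[Set[str]] = None) -> Set[str]:
    """Return the member DNs of a group. With nested=True, members that are
    themselves groups are expanded recursively; 'seen' guards against cycles."""
    seen = set() if seen is None else seen
    if group_dn in seen:
        return set()
    seen.add(group_dn)
    result: Set[str] = set()
    for member in groups.get(group_dn, set()):
        result.add(member)
        if nested and member in groups:
            result |= expand_members(member, groups, nested, seen)
    return result


def group_check(user_dn: str, group_pattern: str, groups: Dict[str, Set[str]],
                search_nested: bool = False) -> bool:
    """Grant access only if the user is a member of some group whose DN matches
    group_pattern. re.fullmatch mirrors Java's String.matches(), so the pattern
    must cover the whole DN, which is why CN=Mideye-administrators.* ends in .*"""
    regex = re.compile(group_pattern, re.IGNORECASE)  # DNs compare case-insensitively
    for group_dn in groups:
        if regex.fullmatch(group_dn) and user_dn in expand_members(group_dn, groups, search_nested):
            return True
    return False
```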
Authentication
- Default authentication type: Mideye Server comes predefined with authentication type 8 (Touch Mobile). This can be customized to any of the authentication types 1-11 as specified here.
- Default OTP Presentation: The default value is Flash SMS, but it can be changed to Inbox SMS.
- Read optional attribute: If a group of users should have a different authentication type than the one specified as default, Read optional attribute can be used. When this option is enabled, an LDAP attribute can be configured in the field “Authentication type attribute”. Once enabled, that field in LDAP will control which authentication type is in use. For example, if the attribute “Pager” is set in “Authentication type attribute” and the number 3 is set for the user, the authentication type “Token” will be used based on the list above.
- OTP Presentation Attribute: OTP presentation can be customized using an LDAP attribute. The number in that attribute decides what kind of OTP presentation is used.
- Department attribute: If the department of the user should be visible in accounting, the default value should be the attribute “Department”.
- Password Compare: See the document “Password Comparison” for detailed information and a configuration example.
- Activate LDAP user blocking: If enabled, the user will be temporarily locked out after the defined number of failed attempts for x number of minutes. 0 is equal to permanently blocked. Users can be unblocked from the web GUI.
Active Directory
The following options will only function for LDAP users.
- Check remote flag: If checked, access is only granted if the “Dial-in” properties are set to “Allow remote access”.
- Allow password reset (PAP): If checked, access is granted if the password is correct but needs to be reset. This option is only used for PAP authentication when allowing a secondary authentication using LDAP.
- Allow password expired (PAP): If checked, access is granted if the password is correct, but has expired. This option is only used for PAP authentication when allowing a secondary authentication using LDAP.
- Search nested groups: If checked, Mideye Server will search for users in groups that are nested in the group specified.
- Use Framed IP Addresses: If checked, Mideye Server will read the “Assign static IP Addresses” from LDAP and pass the IP address along as attribute 8 with a successful login.
Password change using PAP
Starting from release 5.2.1 it is possible to perform a password change using only PAP. The following circumstances must be fulfilled for password change to work with PAP:
- LDAPS must be configured on the LDAP Profile. If LDAPS is not enabled, users will be able to log in until the password has expired (user lockout) if step 2 is enabled.
- Allow Password Reset (PAP), and Allow Password Expired (PAP) must be checked in the LDAP Profile
- The service account used by the LDAP Profile must have the Account Operator permission set in ADUC. Be advised that due to adminSDHolder, account operators will not be able to perform password change on any object that is at the same or higher security level.
LDAP-RADIUS Translation
If LDAP-RADIUS Translation is checked, Mideye Server will translate LDAP attributes to RADIUS attributes. Refer to section LDAP-RADIUS Translation for further detailed instructions.
Number Correction
- Enable Auto-Correction: When this option is enabled, the Mideye Server will automatically correct the phone number to international format (e.g. +1234567890) before contacting the Mideye Switch. Spaces and non-numeric characters (apart from an initial + sign) are removed. An initial 00 is replaced with a + sign. Digits within parentheses are removed, unless otherwise specified (see below).
- Auto-Correction Prefix: Default international prefix added to numbers that do not begin with + or 00.
- Remove leading Zero: The leading zero in the mobile number is removed before adding the international prefix (e.g. 070-1234567 is changed to +46701234567).
- Keep Digits Within Parentheses: Enable to keep digits within parentheses when correcting numbers.
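As an added example (not the product's own code), the following reproduces the Number Correction rules just listed together with the Mobile Phone Number attribute fallback from the User Attributes section (first non-empty of otherMobile, mobile): the default prefix +46 and the sample LDAP entry are constructed for the illustration.

```python
import re
from typing import Mapping, Optional, Sequence


def pick_mobile_attribute(entry: Mapping[str, str], attributes: Sequence[str]) -> Optional[str]:
    """Return the first non-empty value among the configured attributes, in order
    (e.g. otherMobile before mobile), or None when every candidate is empty."""
    for attr in attributes:
        value = entry.get(attr, "")
        if value and value.strip():
            return value.strip()
    return None


def auto_correct_number(raw: str, prefix: str = "+46", remove_leading_zero: bool = True,
                        keep_parentheses: bool = False) -> str:
    """Normalise a stored mobile number to international format: drop digits in
    parentheses unless kept, strip every non-digit except an initial +, turn an
    initial 00 into +, and for national numbers optionally drop the trunk zero
    before adding the configured prefix."""
    number = raw.strip()
    if not keep_parentheses:
        number = re.sub(r"\([^)]*\)", "", number)  # "+46 (0)70..." -> "+46 70..."
    leading_plus = number.lstrip().startswith("+")
    digits = re.sub(r"\D", "", number)  # spaces, dashes, parentheses, letters all go
    if leading_plus:
        return "+" + digits
    if digits.startswith("00"):  # international access code -> +
        return "+" + digits[2:]
    if remove_leading_zero and digits.startswith("0"):  # national trunk prefix
        digits = digits[1:]
    return prefix + digits


def corrected_mobile(entry: Mapping[str, str], attributes: Sequence[str], **options) -> Optional[str]:
    """Attribute lookup followed by auto-correction, as applied before the number
    is sent to the Mideye Switch. Returns None when the user has no number."""
    raw = pick_mobile_attribute(entry, attributes)
    return None if raw is None else auto_correct_number(raw, **options)


# Constructed sample LDAP entry: otherMobile is empty, so mobile is used.
SAMPLE_USER = {"sAMAccountName": "alice", "otherMobile": "", "mobile": "070-123 45 67"}
```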
Advanced
Connection settings for LDAP can be customized. The default value is 10 seconds for connection timeout and 2 seconds for reading timeout.