LDAP Server Configuration

[susantjasinski]

LDAP Settings - InVision Mockups for testing 11-2018

System Admins need to manage the communication configuration for authentication between the BMC and LDAP servers.

• Only users with Admin privileges can view this panel
• Disable LDAP authentication checkbox: when enabled, stops communication for authenticated between the BMC and LDAP servers; only locally configured users could log in to the BMC
• Show / Hide toggle: causes the field's value to display as text (Show) or asterisks (Hide)
• Cancel button: causes changes to not be saved
• Save Settings button: causes fields to be validated and changes to be saved
  • Server URI, Bind DN and Base DN field validation error for invalid formats
  • Bind DN Password field validation error for incorrect/invalid password
  • Attempts to leave the page without saving edits will cause a confirmation message to appear stating changes will not be saved if the action continues
  • Toast notification appears when save is completed without validation errors

System Admins need to understand which certificates are being used for authentication and should be able to quickly go to the appropriate panel to change them.

• CA certificate file: displays the certificate name which is managed from the SSL Certification panel
• Client certificate file: displays the certificate name which is managed on this panel
• Choose file button: allows the user to select a new client certificate file
• Upload button: allows the user to upload the selected client certificate file
• Manage Certificates button: causes the SSL Certification panel to display

[sivassrr]

How about displaying LDAP User uid and group id. Because system admin should know the local user uid and its group id as well. Otherwise it will clash, right. Basically want to see the LDAP user details info.

[susantjasinski]

@sivassrr are you asking for me to display all of the users that belong to the group ID; so perhaps have an "expand" icon that shows a list of user IDs?

[susantjasinski]

New Changes to the page layout coming in January based on feedback ...

[sivassrr]

Have seen the updated design page provided @jandraa . Overall looks good, If we enable LDAP authentication, what happens to local user authentication. do we need to disable explicitly the local user authentication. Can we have an option for both or single authentication (either LDAP or local).

[jandraa]

Thanks for the feedback @sivassrr ! I'm still learning the technicalities, can you help me understand what you mean by LDAP or local authentication? Are you possibly referring to user management?

[bradbishop]

On Mon, Feb 18, 2019 at 07:15:54AM -0800, Sivas SRR wrote:

Have seen the updated design page provided @jandraa . Overall looks good, If we enable LDAP authentication, what happens to local user authentication. do we need to disable explicitly the local user authentication. Can we have an option for both or single authentication (either LDAP or local).

IMHO enabling an ldap backend should not implicitly do anything to the local backend state. If it did, that would be unexpected by users and thus violates the https://en.wikipedia.org/wiki/Principle_of_least_astonishment

[jandraa]

The designs were created with the impression that LDAP and local user management were and would be separate. After Siva's comment, I verified it was being developed that way, and it is. So disabling LDAP authentication would have no impact on the local users.

[jandraa]

@bradbishop and @sivassrr We've gotten feedback that users could potentially have more than one server URI. Do you have an opinion on whether it would be expected that each server URI has its own set of properties (LDAP Type, BaseDN, BIND DN, BIND password, and Search Scope)? Or would these properties be the same and apply to all servers?

[sivassrr]

Yes each server URI can have its own set of properties like LDAP Type, BaseDN, BindDN, Search Scope and Bind Password.

Scenario where almost all properties can be change is when LDAP server is cloned to create another LDAP server. Even in this case as well, base LDAP server URI / Bind Password can be still be different. Minimum server URI will be different.