NeXpose LDAP/Kerberos

Document created by techeditor on Apr 7, 2011. Last modified by techeditor on May 23, 2011.
Version 3

Note: This feature is not available in the community edition of NeXpose. Please see NeXpose Editions for more information.


Using external sources for user authentication


You can integrate NeXpose with external authentication sources. Using one of these sources leverages your existing infrastructure and makes it easier to manage NeXpose user accounts. NeXpose provides single sign-on external authentication with two sources:

  • LDAP (including Microsoft Active Directory): Active Directory (AD) is a Microsoft directory technology based on LDAP that automates centralized, secure management of an entire network's users, services, and resources.
  • Kerberos: Kerberos is a secure authentication method that validates user credentials with encrypted keys and provides access to network services through a "ticket" system.

NeXpose also continues to support its two internal user account stores:

  • XML file: lists the default "built-in" accounts, such as nxadmin. A NeXpose global administrator can use a built-in account to log on to NeXpose in maintenance mode to troubleshoot and restart the system when a database failure or other issue prevents access for other users.
  • Datastore: lists standard user accounts, which are created by a NeXpose global administrator.

Before you can create externally authenticated user accounts, you must define the external authentication sources.

Go to the Authentication page in the NeXpose Security Console Configuration wizard.

LDAP.png

To add an LDAP/Active Directory authentication source, click the Add... button in the area labeled LDAP/AD authentication sources.

The console displays a box labeled LDAP/AD Configuration. Click the checkbox labeled Enable authentication source.

In the appropriate text fields, type the name, address, and port of the LDAP server that you wish to use for authentication. Default LDAP port numbers are 389 or 636, the latter being for SSL. Default port numbers for Microsoft AD with Global Catalog are 3268 or 3269, the latter being for SSL.

If you wish to require secure connections over SSL, click the appropriate checkbox.

If you wish to specify permitted authentication methods, type them in the appropriate text field. Separate multiple methods with commas (,), semicolons (;), or spaces. Simple Authentication and Security Layer (SASL) authentication methods for LDAP user authentication are defined by the Internet Engineering Task Force in RFC 2222 (http://www.ietf.org/rfc/rfc2222.txt). NeXpose supports the GSSAPI, CRAM-MD5, DIGEST-MD5, and PLAIN methods. However, PLAIN is not recommended for non-SSL LDAP connections, because it transmits the password in cleartext.
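As an added illustration of that caveat (example code, not part of the NeXpose documentation or product), the following encodes an LDAPv3 bind request that uses the SASL PLAIN mechanism (RFC 4616) and checks whether the password bytes appear verbatim in the message, which is what a passive observer of a non-SSL connection to port 389 or 3268 would see. The user name and password are constructed sample values.

```python
# Added example (not NeXpose code): BER-encode an LDAPv3 BindRequest carrying
# SASL PLAIN credentials, to show that PLAIN puts the password on the wire as
# literal bytes. Only SSL (port 636 / 3269) protects it in transit.

def ber_len(n: int) -> bytes:
    """Encode a BER definite length (short form < 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    """Tag-length-value triple for a single-byte tag."""
    return bytes([tag]) + ber_len(len(value)) + value

def ber_int(v: int) -> bytes:
    """Non-negative INTEGER; a leading 0x00 is added when the high bit is set."""
    body = v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big")
    return tlv(0x02, body)

def sasl_plain_bind(message_id: int, authcid: str, password: str, authzid: str = "") -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name "", sasl [3] { "PLAIN", creds } } }."""
    # RFC 4616 PLAIN message: authzid NUL authcid NUL passwd
    creds = authzid.encode() + b"\x00" + authcid.encode() + b"\x00" + password.encode()
    sasl = tlv(0xA3, tlv(0x04, b"PLAIN") + tlv(0x04, creds))   # authentication CHOICE [3] sasl, constructed
    bind = tlv(0x60, ber_int(3) + tlv(0x04, b"") + sasl)       # BindRequest: [APPLICATION 0], constructed
    return tlv(0x30, ber_int(message_id) + bind)               # LDAPMessage SEQUENCE

def password_visible_on_wire(packet: bytes, password: str) -> bool:
    """True if the password can be read straight out of the encoded message."""
    return password.encode() in packet

if __name__ == "__main__":
    pkt = sasl_plain_bind(1, "jdoe", "Winter2011!")   # constructed sample credentials
    print(pkt.hex())
    print("password readable in cleartext:", password_visible_on_wire(pkt, "Winter2011!"))
```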


Click the checkbox labeled Follow LDAP referrals if desired. As NeXpose attempts to authenticate a user, it queries the target LDAP server. The LDAP and AD directories on this server may contain information about other directory servers capable of handling requests for contexts that are not defined in the target directory. If so, the target server will return a referral message to NeXpose, which can then contact these additional LDAP servers. For information on LDAP referrals, see document LDAPv3 RFC 2251 (http://www.ietf.org/rfc/rfc2251.txt).

Type the base context for performing an LDAP search if desired. You can initiate LDAP searches at many different levels within the directory. To force NeXpose to search within a specific part of the tree, specify a search base, such as CN=sales,DC=acme,DC=com.

Click one of the three buttons for LDAP attribute mappings, which control how LDAP attribute names map to NeXpose attribute names. Your mapping selection determines the default values that appear in the three fields below. For example, the LDAP attribute Login ID maps to the NeXpose user's login ID: if you select AD mappings, the default value is sAMAccountName; if you select AD Global Catalog mappings, the default value is userPrincipalName; if you select Common LDAP mappings, the default value is uid.

LDAP2.png

Click Save. The console displays the Authentication page with the LDAP/AD authentication source listed.

To add a Kerberos authentication source, click the Add... button in the area of the Authentication page labeled Kerberos Authentication sources.

The console displays a box labeled Kerberos Realm Configuration. Click the checkbox labeled Enable authentication source.

To set the new realm that you are defining as the default Kerberos realm, click the appropriate checkbox. If you do so, the console will display a warning that the default realm cannot be disabled.

Type the name of the realm in the appropriate text field.

Type the name of the key distribution center in the appropriate field.

Kerberos.png

Click Save. The console displays the Authentication page with the new Kerberos key distribution center listed.

Once you have defined external authentication sources, you can create accounts for users who are authenticated through these sources.

On the Home page, click the Administration tab. On the Administration page, click the Create link next to Users.

The console displays the User Configuration wizard. On the General page, the Authentication method dropdown list contains the authentication sources that you defined in the NSC configuration file. Select an authentication source.

NeXpose built-in user store authentication is represented by the "NeXpose user" option.

The "Active Directory" option indicates the LDAP authentication source that you specified in the NSC configuration file.

If you select an external authentication source, NeXpose disables the password fields. NeXpose does not support the ability to change the passwords of users authenticated by external sources.

Fill in all the other fields on the General page.

LDAP3.png
