Read this first! Do you intend to enable InsightVM Platform Login?
InsightVM Platform Login is a newer, consolidated InsightVM product experience that permanently shifts authentication responsibility from the Security Console to the Insight Platform. Security Console-based authentication sources like the one detailed on this page are not usable with InsightVM Platform Login.
If you intend to enable InsightVM Platform Login soon for your user account, feel free to skip the procedure detailed on this page and head over to the InsightVM Platform Login documentation for enablement instructions and information on what external authentication sources the Insight Platform supports.
The Security Console does not currently support "Round Robin" LDAP configurations.
Complete the following steps to configure an LDAP integration as an external authentication source.
Define an external authentication source
- Click the Administration tab.
- In the “Global and Console Settings” window, click Administer.
- On the “Security Console Configuration” screen, click the Authentication tab.
- Under “LDAP/AD Authentication Source Listing”, click the Add LDAP/AD Source button.
- Click the Enable authentication source checkbox.
- Enter a name for the source.
- In the “Server name” field, enter the exact DNS hostname of your AD server.
If you are unsure of the DNS hostname that you should use, you can locate it by running
nslookup in the command line.
Alternatively, free tools such as Softerra LDAP Browser can verify the DNS hostname for you.
- Enter a server port number.
Default LDAP port numbers are as follows:
Default Microsoft AD with Global Catalog port numbers are as follows:
- 3269 (SSL)
- If desired, specify LDAP authentication credentials.
Use the provided Username and Password fields to specify LDAP credentials in cases where your LDAP/AD server does not allow for an anonymous bind.
- If desired, check the Require secure communications (SSL) checkbox.
- If desired, specify permitted authentication methods. Multiple entries can be delimited with commas, semicolons, or spaces.
Simple Authentication and Security Layer (SASL) authentication methods for permitting LDAP user authentication are defined by the Internet Engineering Task Force in document RFC 2222 http://www.ietf.org/rfc/rfc2222.txt. The application supports the following methods:
* Note that the
SIMPLE authentication method is not compatible with Microsoft Active Directory. If you intend to configure an Active Directory server as your authentication source, use one of the following alternatives:
** We do not recommend using
PLAIN for non-SSL LDAP connections.
- If desired, check the Follow LDAP referrals checkbox.
LDAP referrals explained
As the application attempts to authenticate a user, it queries the target LDAP server. The LDAP and AD directories on this server may contain information about other directory servers capable of handling requests for contexts that are not defined in the target directory. If so, the target server will return a referral message to the application, which can then contact these additional LDAP servers. For information on LDAP referrals, see the following document LDAPv3 RFC 2251:
- If desired, specify a search base.
LDAP search bases explained
You can initiate LDAP searches at different levels within the directory. A search base is a specific part of the tree where the application will start the search. Example:
- Manually set attribute mappings, or click any of the available buttons to autofill the fields based on presets.
- Click Save.
The Authentication tab will now list your new LDAP authentication source. 16. Finally, click Save on the “Security Console Configuration” screen to finalize your authentication sources.
Create user accounts
With your external authentication source defined, you can now create accounts for your users.
- Click the Administration tab.
- In the “Users” window, click Create.
- On the “User Configuration” screen’s General tab, select your new authentication method from the dropdown list.
- Complete all fields as required.
Password fields are disabled when external authentication sources are selected. The Security console does not control, or allow for, password changes for users authenticated by external sources.
- Click Save when finished.