Configuring authentication against Active Directory

New in version 1.5: Enterprise

Hint

Feature only available with WAPT Enterprise.

By default, the WAPT Server is configured with a single SuperAdmin account whose password is setup during initial post-configuration.

On large and security-minded network, this SuperAdmin account should not be used since it cannot provide the necessary traceability for administrative actions that are done on the network.

It is thus necessary to configure authentication against the Organization’s Active Directory for the Administrators and the Package Deployers; this will allow to use named accounts for administrative tasks.

Note

  • Active Directory authentication is used to authenticate access to the inventory via the WAPT Console;

  • however, all actions on the WAPT equipped remote devices are based on X.509 signatures, so an Administrator will need both an Active Directory login AND a private key whose certificate is recognized by the remote devices to manage his installed base of devices using WAPT;

  • only the SuperAdmin account and the members of the Active Directory security group waptadmins will be allowed to upload packages on the main repository (authentication mode by login and password);

Enabling Active Directory authentication

  • to enable authentication of the WAPT server on Active Directory, configure the file /opt/wapt/conf/waptserver.ini as follows:

    wapt_admin_group_dn=CN=waptadmins,OU=groupes,OU=tranquilit,DC=mydomain,DC=lan
    ldap_auth_server=srvads.mydomain.lan
    ldap_auth_base_dn=DC=mydomain,DC=lan
    ldap_auth_ssl_enabled=False
    

    Settings

    Value

    Description

    wapt_admin_group_dn

    CN=waptadmins,OU=groups,

    DN to the group name. All members of this group will be able to connect to WAPT

    ldap_auth_server

    srvads.mydomain.lan

    LDAP server that will be used by WAPT

    ldap_auth_base_dn

    DC=mydomain,DC=lan

    DN for the search

    ldap_auth_ssl_enable

    True/False

    Default value: True

  • restart waptserver with systemctl restart waptserver;

Warning

For Microsoft Active Directory, Microsoft has announced that SimpleBind authentication on MS-AD without SSL/TLS will be blocked by default from April 2020. If you don’t have a certificate installed, you’ll have to modify a registry key to have authentication working.

Note

By default Samba-AD does not allow SimpleBind authentication without SSL/TLS. If you do not have a valid certificate you’ll need to modify the ldap server require strong auth parameter in /etc/samba/smb.conf. For more information you may refer to Tranquil IT documentation on https://dev.tranquil.it/samba/en/index.html.

Enabling SSL/ TLS support for the LDAP connection to the Active Directory Domain Controller

By default, authentication on Active Directory relies on LDAP SSL (default port 646).

SSL/ TLS is not enabled by default on Microsoft Active Directory until a SSL certificate has been configured for the Domain Controller.

Note

The WAPT Server uses the Certificate Authority bundles from the operating system (CentOS) for validating the SSL/ TLS connection to Active Directory.

If the Active Directory certificate is self-signed or has been signed by an internal CA, you’ll need to add these certificates to the certificate store of CentOS.

Add a Certificate Authority in the /etc/pki/ca-trust/source/anchors/ and update the CA store.

cp cainterne.pem /etc/pki/ca-trust/source/anchors/cainterne.pem
update-ca-trust
  • once you have setup LDAP SSL/ TLS on your Active Directory (please refer to Microsoft documentation for that), then you can enable support for SSL/ TLS security for AD in /opt/wapt/conf/waptserver.ini:

    ldap_auth_ssl_enabled = True
    
  • restart waptserver with systemctl restart waptserver;