Configuring LDAP authentication

Kaspersky CyberTrace supports LDAP user authentication to allow user authentication in Kaspersky CyberTrace Web under a domain account. This section explains how to configure this type of authentication. For LDAP connection settings parameters, see the configuration reference.

Kaspersky CyberTrace supports the use of Active Directory® only if the domain controller is running Windows. The use of Active Directory with Linux-based domain controllers is possible, but not guaranteed.

The root certificate of the Active Directory server should be located in the system store of the operating system where Kaspersky CyberTrace is installed.

The LDAP users tab of the Settings → Users page allows you to perform the following actions:

• Enable LDAP authentication
• Specify connection settings
• Test the connection to the LDAP server
• Configure accounts filtering

Enabling LDAP authentication

To enable LDAP authentication:

1. Click the LDAP settings button.
2. In the LDAP settings window that opens, enable the Enabled toggle switch.

The LDAP server will now be used for user authentication.

When LDAP authentication is enabled, you still can interact with Kaspersky CyberTrace under a local user account.

Connection settings

In the Connection settings section of the LDAP settings page, you can specify the following settings:

• IP address or FQDN (fully qualified domain name), and port of the LDAP server

  Use the global catalog ports to connect to the LDAP server: port 3268 for StartTLS, as well as for connection without encryption; and port 3269 for TLS.

• SSL-secured connection

  You can enable the use of a secure connection to the LDAP server by selecting SSL/TLS or STARTTLS by using Kaspersky CyberTrace Web. The SSL/TLS protocol is selected by default.

  On Linux, when connecting to the LDAP server, Kaspersky CyberTrace verifies the certificates.

  The folder with the certificates /etc/ssl/certs contains a symbolic link to the root certificate. The name of the link contains a hash of the certificate. Also, it is required that the folder contains symbolic links to all certificates. Otherwise, even if the chain of certificates is available in the /etc/ssl/certs folder, the connection will not be enabled.

  If running on Linux deb, the certificate name format is set by the update-ca-certificates utility.

  If running on Linux rpm, the certificate name format is set manually by the user by using the openssl x509 -in YOUR_CERT_FILE -hash –noout command.

  If secure connection is enabled, Kaspersky CyberTrace uses certificates from /etc/ssl/certs to authenticate the LDAP server.

• Path to the LDAP database

  The path to the database containing user accounts that can access Kaspersky CyberTrace.

  The value must begin with dc=.

Testing the connection to the LDAP server

Go through the procedure below to make sure that a connection to the LDAP server is established.

To test the connection to the LDAP server:

1. Click the Test connection button.

   The Test connection with LDAP window opens.

2. Specify the following settings:
   • User name for test connection
   • User password for test connection
3. Click Test.

A connection test can be performed only if you specified all the necessary settings for connecting to the server.

Account filtering

The Account filtering section contains filtering rules for administrator and analyst accounts.

You can configure the following properties:

• Account format

  You can select one of two formats:

  • User Principal Name (user)

    If this option is selected, users must provide a user name that is not an email address when performing authentication (for example user, but not user@domain.com).

  • sAM Account Name (Domain\\User)

    If this option is selected, users must provide a user name in the following format when performing authentication: Domain\User.

• Filter for administrators

  The filter for LDAP user accounts that defines which users must be assigned the Administrator role, depending on their common name in Active Directory.

  If this value is not specified, no users can log in by using LDAP authentication and be assigned the Administrator role.

• Filter for analysts

  The filter for LDAP user accounts that defines which users must be assigned the Analyst role, depending on their common name in Active Directory.

  If this value is not specified, no users can log in by using LDAP authentication and be assigned the Analyst role.

  As an example, in the figure below the filters are configured so that the users who are members of the Admins group will be assigned the Administrator role, and the users who are members of either the Operators or the Analysts group will be assigned the Analyst role.

  

  Example of accounts filters

If the AdministratorAccountsFilter and AnalystAccountsFilter elements of the kl_feed_service.conf file contain values, and the user that is trying to log in is not included in any of the specified groups, Kaspersky CyberTrace will return an error and deny access to the web user interface for this user.

Account filtering for tenants

The Account filtering for tenants section contains filtering rules for tenant manager and analyst accounts for tenants added to Kaspersky CyberTrace.

For each tenant, you can configure the following properties:

• Filter for tenant managers

  The filter for LDAP user accounts that defines which users must be assigned the Tenant manager role, depending on their common name in Active Directory.

  If the value is not specified, no user has this role for the selected tenant.

• Filter for analysts

  The filter for LDAP user accounts that defines which users must be assigned the Analyst role, depending on their common name in Active Directory.

  If the value is not specified, no user has this role for the selected tenant.

Page top