October 25th, 2017 Engineering How to Configure Open-AudIT to use Active Directory for User Authentication and Authorization By Mark Unwin - Open-AudIT Founder and Product Lead Introduction Open-AudIT can use Active Directory (AD) to provide user authentication and optionally authorization. Using AD for authentication only means the user must exist within Open-AudIT and AD is used to simply verify the user’s username and password. If we go to the next step and configure authorization, then Open-AudIT will assign Roles and Orgs to the user, based on that user’s AD group membership. We must create our AD groups based on the names provided for Roles and Orgs. The default Roles group names are: open-audit_roles_admin open-audit_roles_org_admin open-audit_roles_reporter open-audit_roles_user The default Orgs group name is: open-audit_orgs_default_organisation Creating the groups in AD and assigning users to them will enable complete user management from with Active Directory, as opposed to Open-AudIT itself. We have a quick video showing the configuration, here: Enabling To enable AD (or, for that matter OpenLDAP) user auth, create a new LDAP Server within Open-AudIT. Go to menu -> Admin -> LDAP Servers -> Create. As with all resources, a name for the entry is required. The other essential items to complete are the host, the domain, and the base DN. The host is the IP (or resolvable name) of the Domain Controller you would like Open-AudIT to communicate with. The domain is self-explanatory and the Base DN is the area of AD Open-AudIT will search to determine the user and groups. In order to enable authorization in addition to authentication, the value “Use LDAP for Roles” to ‘y’. It is set to ‘n’ by default. The DN Account and DN Password are only required if your AD users cannot search your AD. By default, AD users can search AD to unless you have changed that, these items are not required to be populated. Once you have populated the required fields, click Submit and an LDAP Server will be created. If you are using Open-AudIT Professional or Enterprise and you enable LDAP and you wish for user accounts to be automaticallly created at logon, you must edit the (text) file: Linux – /usr/local/omk/conf/opCommon.nmis Windows – c:\omk\conf\opCommon.nmis And ensure that auth_method_1 is set to openaudit. Testing To test if it is working, log out from Open-AudIT and log in as an AD user that is a member of the required groups. If this doesn’t work, try logging in to Community as that user. If this fails some information should be shown as to the reason why (this is coming for Pro/Enterprise). The user should be created by Open-AudIT and logged on. The user’s email is also auto-populated from their AD attributes. Further Items If you create additional Roles or Orgs, they will have an AD group name auto-created for them. Add these groups into AD and put your users in them. Once a user logs on, their Roles and Orgs will be updated to reflect this. To prevent a user from logging in to Open-AudIT, simply remove them from the AD groups. The user will NOT be removed from Open-AudIT. The application administrator should do this as part of their duties. Don’t forget that if you create an Org and a user has permission on that Org, then that user also has permission on all of the descendants of that Org. IE – If you have a user that has permission on the Default Org, they will automatically have permission on every other Org that is created. New Roles can be created if you are an Enterprise licensee however, the default Roles should cover the vast majority of use-cases, as shipped.