pholderness Absent Member.

LDAP authentication to Framework Manager?

With the Advanced Authentication integration it appears that it is possible to use an LDAP data store for authentication into the Framework Manager without having a local account created. Is this correct? Is there any other way to achieve this same objective? All that I have read indicates that the closest that I can come to this is native mapping which allows the credential to come from LDAP, but there is still a local user defined. Am I missing something?

1 Reply
Micro Focus Expert

Re: LDAP authentication to Framework Manager?

A common approach to extending PAM to LDAP users is through LDAP Group Lookup, defined on the User Group in the Command Control Console. More details on this can be found below:

For example, I would create an LDAP Account Domain in the Credential Vault with a proxy ldap credential, and then I can link a cmdctrl user group to this ldap account domain and provide a regex or name that aligns to specific ldap group(s). Configuring a cmdctrl rule with this user group (mapped externally to ldap) will result in PAM doing a lookup to verify if the incoming user is a member of that group. No local account needs to be created within PAM for this capability. In this way, an external LDAP user can receive privileged access.

You may also integrate PAM with Advanced Authentication to extend the authentication capabilities to include various 2FA methods and be able to provide multi-domain support. PAM would rely on this for authentication, and 2FA requirements could be placed on particular rules, etc.
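The group-lookup flow the reply describes (bind with a proxy credential, resolve the incoming user, compare the user's groups against the regex or name on the user group, no local account involved) is small enough to model end to end. The script below is an added illustration and is not Micro Focus code or any PAM API; the directory is an in-memory stand-in with constructed entries (`uid=pam-proxy`, `alice`, `bob`, the `example.com` base DN and the `pam-.*-admins` pattern are all made up) so it runs offline, and it uses `memberOf` for membership where a real directory might instead require a search on the group's `member` attribute. It also shows why the username must be escaped before it is placed in the search filter: an unescaped value such as `alice)(uid=*` changes the filter's structure, while the escaped value is matched literally and simply finds no user.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample directory: a stand-in for the LDAP Account Domain.
SAMPLE_DIRECTORY: Dict[str, Dict[str, object]] = {
    "uid=pam-proxy,ou=service,dc=example,dc=com": {
        "uid": "pam-proxy",
        "userPassword": "proxy-secret",  # constructed; in PAM this would sit in the Credential Vault
    },
    "uid=alice,ou=people,dc=example,dc=com": {
        "uid": "alice",
        "memberOf": ["cn=pam-linux-admins,ou=groups,dc=example,dc=com",
                     "cn=staff,ou=groups,dc=example,dc=com"],
    },
    "uid=bob,ou=people,dc=example,dc=com": {
        "uid": "bob",
        "memberOf": ["cn=developers,ou=groups,dc=example,dc=com"],
    },
}
PROXY_DN = "uid=pam-proxy,ou=service,dc=example,dc=com"   # hypothetical proxy account
PROXY_PASSWORD = "proxy-secret"


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515 rules)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def unescape_filter_value(value: str) -> str:
    """Reverse of escape_filter_value; used by the stand-in server to compare literally."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


class InMemoryDirectory:
    """Minimal stand-in for an LDAP server: simple bind plus a single equality-filter search."""

    def __init__(self, entries: Dict[str, Dict[str, object]]):
        self.entries = entries

    def bind(self, dn: str, password: str) -> bool:
        entry = self.entries.get(dn)
        return entry is not None and entry.get("userPassword") == password

    def search(self, ldap_filter: str) -> List[Tuple[str, Dict[str, object]]]:
        # Only "(attr=value)" is understood; anything else is a malformed filter.
        m = re.fullmatch(r"\((\w+)=([^()]*)\)", ldap_filter)
        if not m:
            raise ValueError("unsupported filter: %s" % ldap_filter)
        attr, wanted = m.group(1), unescape_filter_value(m.group(2))
        return [(dn, e) for dn, e in self.entries.items() if e.get(attr) == wanted]


def group_cn(group_dn: str) -> str:
    """Return the cn of a group DN's first RDN, e.g. 'pam-linux-admins'."""
    first_rdn = group_dn.split(",", 1)[0]
    attr, _, val = first_rdn.partition("=")
    return val if attr.strip().lower() == "cn" else first_rdn


def lookup_member_groups(directory: InMemoryDirectory, proxy_dn: str,
                         proxy_password: str, username: str) -> List[str]:
    """Bind as the proxy credential and return the group DNs the incoming user belongs to."""
    if not directory.bind(proxy_dn, proxy_password):
        raise PermissionError("proxy bind failed")
    entries = directory.search("(uid=%s)" % escape_filter_value(username))
    if len(entries) != 1:          # unknown or ambiguous user: no groups, hence no access
        return []
    return list(entries[0][1].get("memberOf", []))


def is_authorized(directory: InMemoryDirectory, proxy_dn: str, proxy_password: str,
                  username: str, group_pattern: str) -> bool:
    """The rule check: grant only if some group cn fully matches the configured regex."""
    pattern = re.compile(group_pattern)
    groups = lookup_member_groups(directory, proxy_dn, proxy_password, username)
    return any(pattern.fullmatch(group_cn(g)) for g in groups)


if __name__ == "__main__":
    d = InMemoryDirectory(SAMPLE_DIRECTORY)
    for user in ("alice", "bob", "mallory", "alice)(uid=*"):
        print("%-14s -> %s" % (user, is_authorized(d, PROXY_DN, PROXY_PASSWORD, user, r"pam-.*-admins")))
```

Running it grants `alice` (member of a group matching `pam-.*-admins`) and denies `bob`, the unknown `mallory`, and the malformed username, which after escaping is compared as a literal and matches nothing. The one credential the policy engine holds is the proxy account; the user never needs a record on the PAM side, which is the point of the reply.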