Title: Enabling LDAP Authentication with X.509 Client Certificates
If your users have X.509 certificates installed in their browsers and
you are using the LDAP user directory and your LDAP server contains certificates
for your users, you can have the users authenticated to Traction based
on their certificate with no login required.
To set this up, you must first Enabling HTTPS with Required X.509 Client Certificates. Once you do this, additional options
appear on the User Directory configuration page that allow you to configure
LDAP authentication.
Limitations
If you run in this mode, only users with a valid certificate matching
the one stored in LDAP will be able to log in. You can not create Traction-only
users (users without an LDAP profile).
Also, using this configuration you can not log in as Owner A special Traction account that can be enabled with a special license
that allows you to get Server Administrator access to your server. This
can be used if you have locked yourself out of the server due to a configuration
error or forgotten password.
without switching the user directory or disabling X.509 based authentication,
which may require shutting down the server and editing a configuration
file.
Procedure
After you have configured TLS with X.509 Certificates, select the login
method X.509 Client Certificates from the Login Method listed under Advanced
Settings.
Note: If you are not already
connected via TLS with Client Certs, you will no be allowed to select
this option and will see the following error:
Advanced Configuration
When Traction is presented with a user's X.509 Client Certificate, it
attempts to find a matching certificate in LDAP. To do this, it uses the
search expression configured in the LDAP
Searches section, where the {}'s are substituted with values from
the certificate. If several results are returned, it attempts to compare
the presented certificate with a certificate in each of those LDAP entries.
When a match is found, the user is authenticated and associated with that
account.
X.509 Client Certificate Search Expression
You can control the search expression that is used to look up the users
in the LDAP directory with certificates that match the one presented by
the browser. This
allows you to constrain the number of certificates that must be compared
for equality.
Client Certificate Attribute
The above search will result in a list of matching LDAP records. This
option lets you determine which attribute contains the client certificate
to be used for comparison.
Troubleshooting
In the event of a name collision, revoked certificate, or a mismatch
between the presented certificate and the one stored in LDAP, the user
attempting to connect will see the following message:
For more details, a Traction administrator can examine the Traction
log file. For
information on examining log files, see the section Troubleshooting Using the Log File Viewer.
In the above message, we see that there are different users with the
same CN in LDAP. Because Traction defaults to using the CN for the Traction
account name, there is an ambiguity that must be resolved. The
first user that logs in will have the account created for them. When
a second user with the same CN attempts to log in, they will get this
error. To
allow an account to be created for the second user, Personal Information. After the second user has logged
in, rename their account. Note that neither user can use the conflicting
name.
