Title: Enabling LDAP Authentication with X.509 Client Certificates
If your users have X.509 client certificates installed in their browsers, you
use the LDAP user directory, and your LDAP server stores each user's certificate,
Traction can authenticate users by their certificate with no login prompt.
To set this up, you must first enable HTTPS with required X.509 client certificates
(see Enabling HTTPS with Required X.509 Client Certificates). Once you do this,
additional options appear on the User Directory configuration page that let you
configure LDAP certificate authentication.
Limitations
In this mode, only users who present a valid certificate matching the one
stored in their LDAP entry can log in. You cannot create Traction-only
users (users without an LDAP profile).
Also, with this configuration you cannot log in as Owner (a special Traction
account, enabled with a special license, that grants Server Administrator access
to your server; it is used if you have locked yourself out through a configuration
error or a forgotten password) without switching the user directory or disabling
X.509-based authentication, which may require shutting down the server and
editing a configuration file.
Procedure
After you have configured TLS with X.509 client certificates, select X.509
Client Certificates from the Login Method list under Advanced Settings.
Note: If you are not already connected via TLS with a client certificate, you
will not be allowed to select this option and will see the following error:
Advanced Configuration
When Traction is presented with a user's X.509 client certificate, it
attempts to find a matching certificate in LDAP. To do this, it runs the
search expression configured in the LDAP Searches section, with each {}
placeholder replaced by a value taken from the certificate. The search only
narrows the candidates: if several entries are returned, Traction compares the
presented certificate with the certificate stored in each entry, and only an
entry whose stored certificate matches authenticates the user, who is then
associated with that account.
X.509 Client Certificate Search Expression
You can control the search expression used to look up the LDAP users whose
certificates are compared with the one presented by the browser. A more
specific expression constrains the number of certificates that must be
compared for equality.
Client Certificate Attribute
The search above returns a list of matching LDAP records. This option
specifies which attribute of those records holds the client certificate used
for the comparison (in most directories this is the userCertificate attribute).
Troubleshooting
In the event of a name collision, a revoked certificate, or a mismatch
between the presented certificate and the one stored in LDAP, the user
attempting to connect will see the following message:
For more details, a Traction administrator can examine the Traction log file;
see the section Troubleshooting Using the Log File Viewer.
The message above shows that there are different users with the same CN in
LDAP. Because Traction defaults to using the CN as the Traction account name,
this ambiguity must be resolved. The first user to log in has the account
created for them; when a second user with the same CN attempts to log in, they
get this error. To allow an account to be created for the second user, rename
the first user's account (see Personal Information). After the second user has
logged in, rename their account as well. Note that neither user can use the
conflicting name.
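The following model, added here as an illustration and not Traction's own code, walks through the flow described under Advanced Configuration and the name collision described under Troubleshooting: a filter is built from the certificate subject (with RFC 4515 escaping, since a CN containing "(" or "*" would otherwise rewrite the filter), the directory is searched, the presented certificate is compared byte-for-byte with the one stored in each result, and the account name derived from the CN is refused if a different LDAP entry already owns it. The in-memory directory, the certificate bytes, and the "{cn}"-style placeholder syntax are constructed assumptions; the page only says that {} placeholders are filled from the certificate.

```python
"""Worked model of X.509 client-certificate login against an LDAP directory.

Added example, not Traction's code.  The directory is a constructed in-memory
list of entries; the "{cn}" placeholder syntax of the filter template is an
assumption (the page only says that {} placeholders are filled from the
certificate), and the certificate bytes are constructed stand-ins for DER.
"""
import re
from dataclasses import dataclass

# RFC 4515 escaping for values substituted into a search filter.  Subject
# fields come from a CA-issued certificate, but a CN such as "Doe)(cn=*"
# would otherwise rewrite the filter, so escape before substituting.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
_ASSERTION = re.compile(r"\(([A-Za-z][\w;-]*)=((?:[^()\\]|\\[0-9a-fA-F]{2})*)\)")


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template: str, subject: dict) -> str:
    """Fill each {field} placeholder with the escaped certificate subject value."""
    return template.format(**{k: escape_filter_value(v) for k, v in subject.items()})


@dataclass
class Entry:
    dn: str
    attributes: dict  # attribute name -> str, or bytes for certificates


@dataclass
class ClientCert:
    subject: dict  # e.g. {"cn": "Jane Doe", "o": "Example Corp"}
    der: bytes     # DER encoding as received in the TLS handshake (stand-in here)


def search(directory, ldap_filter):
    """Toy evaluator for a single (attr=value) assertion or an AND of them.

    Names and values compare case-insensitively, like the caseIgnoreMatch
    rule that directories apply to cn.  Wildcards are not supported.
    """
    assertions = [
        (attr.lower(), re.sub(r"\\([0-9a-fA-F]{2})",
                              lambda m: chr(int(m.group(1), 16)), raw).lower())
        for attr, raw in _ASSERTION.findall(ldap_filter)
    ]
    hits = []
    for entry in directory:
        attrs = {k.lower(): v for k, v in entry.attributes.items()}
        if all(isinstance(attrs.get(a), str) and attrs[a].lower() == v
               for a, v in assertions):
            hits.append(entry)
    return hits


def authenticate(directory, cert, filter_template, cert_attribute, accounts):
    """Return the DN the presented certificate belongs to.

    1. Build the search filter from the certificate and run it.
    2. Compare the presented DER with the certificate stored in each result;
       the search only narrows candidates, the byte comparison authenticates.
    3. Derive the account name from the CN (the default) and refuse a name
       already owned by a different DN: the collision under Troubleshooting.
    `accounts` maps existing account names to the DN that created them.
    """
    ldap_filter = build_filter(filter_template, cert.subject)
    matches = [e for e in search(directory, ldap_filter)
               if e.attributes.get(cert_attribute) == cert.der]
    if len(matches) != 1:
        raise LookupError(
            f"{len(matches)} LDAP entries hold the presented certificate "
            f"(filter {ldap_filter}); refusing to guess")
    entry = matches[0]
    account = cert.subject["cn"]
    if accounts.get(account, entry.dn) != entry.dn:
        raise ValueError(f"account name {account!r} already created for {accounts[account]}")
    accounts.setdefault(account, entry.dn)
    return entry.dn


# Constructed directory: two distinct people share the CN "Jane Doe".
BASE = "ou=people,dc=example,dc=com"
ALICE = ClientCert({"cn": "Alice Example", "o": "Example Corp"}, b"\x30\x82-alice-der")
JANE1 = ClientCert({"cn": "Jane Doe", "o": "Example Corp"}, b"\x30\x82-jane1-der")
JANE2 = ClientCert({"cn": "Jane Doe", "o": "Example Corp"}, b"\x30\x82-jane2-der")
DIRECTORY = [
    Entry(f"uid=alice,{BASE}", {"cn": "Alice Example", "o": "Example Corp",
                                "userCertificate;binary": ALICE.der}),
    Entry(f"uid=jdoe1,{BASE}", {"cn": "Jane Doe", "o": "Example Corp",
                                "userCertificate;binary": JANE1.der}),
    Entry(f"uid=jdoe2,{BASE}", {"cn": "Jane Doe", "o": "Example Corp",
                                "userCertificate;binary": JANE2.der}),
]
TEMPLATE = "(&(cn={cn})(o={o}))"   # assumed placeholder syntax, see docstring
CERT_ATTR = "userCertificate;binary"

if __name__ == "__main__":
    accounts = {}
    print(authenticate(DIRECTORY, ALICE, TEMPLATE, CERT_ATTR, accounts))
    print(authenticate(DIRECTORY, JANE1, TEMPLATE, CERT_ATTR, accounts))
    try:
        authenticate(DIRECTORY, JANE2, TEMPLATE, CERT_ATTR, accounts)
    except ValueError as exc:
        print("second Jane Doe rejected:", exc)
```

Running the script authenticates Alice and the first Jane Doe, then rejects the second Jane Doe even though her certificate matches her own LDAP entry, because the account name derived from the CN is already taken; that is the state the Troubleshooting section tells you to resolve by renaming. The filter template constrains on both cn and o, which is the kind of narrowing the X.509 Client Certificate Search Expression setting is for.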