Authentication Against Active Directory

Published on September 16, 2013

Securonix can authenticate against a single Active Directory domain. The authentication settings are made in the ldap-config.properties file in the securonix_home/conf directory.

The Securonix system currently authenticates against a single domain and does not support authentication against multiple domains.

Make the following changes to the ldap-config.properties file:

  • Change/Edit the following parameters in securonix_home/conf/ldap-config.properties:

managerDn = <the username used for authenticating against AD>
managerPassword = <the password used for authenticating against AD>
grails.plugins.springsecurity.ldap.context.server = <ldap url> (ex: ldap://xx.xx.xx.xx:389 or ldaps://xx.xx.xx.xx:636)
grails.plugins.springsecurity.ldap.authorities.groupSearchBase = <group search base>
grails.plugins.springsecurity.ldap.search.base = <user search base>

  • Add the following line to the ldap-config.properties file: grails.plugins.springsecurity.ldap.authorities.groupSearchFilter=member={0}
  • Add the user ID (the same as the AD login) in the Securonix application and grant the appropriate access controls. By default the configuration file looks users up by sAMAccountName and uses the user's sAMAccountName to log in to the Securonix application. This can be changed by editing grails.plugins.springsecurity.ldap.search.filter=sAMAccountName={0}, replacing sAMAccountName with cn, dn or another distinguishing attribute as required.
  • If local user authentication has to be enabled, comment out the following line; otherwise authentication will be against AD only. Uncomment it to authenticate only against AD: grails.plugins.springsecurity.providerNames = ldapAuthProvider
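The steps above, assembled into one complete ldap-config.properties as an added example. This is not a file from the Securonix product or its documentation; the host name, DNs and account name are constructed placeholders, and only the property keys come from this page.

```properties
# Added example ldap-config.properties (not Securonix's own file).
# Host name, DNs and account name below are constructed placeholders;
# replace them with the values for your own directory.

# Service account used to bind to AD for user and group lookups.
# Assumed here to be a dedicated read-only account.
managerDn = CN=svc-securonix-ldap,OU=Service Accounts,DC=corp,DC=example,DC=com
managerPassword = <change-me>

# LDAP over TLS (ldaps on 636) rather than cleartext ldap on 389, so the bind
# password and user credentials do not cross the network unencrypted.
grails.plugins.springsecurity.ldap.context.server = ldaps://dc01.corp.example.com:636

# Subtrees searched for users and for groups.
grails.plugins.springsecurity.ldap.search.base = OU=Users,DC=corp,DC=example,DC=com
grails.plugins.springsecurity.ldap.authorities.groupSearchBase = OU=Groups,DC=corp,DC=example,DC=com

# Group membership is resolved by matching the authenticated user's DN ({0})
# against each group's member attribute.
grails.plugins.springsecurity.ldap.authorities.groupSearchFilter = member={0}

# The login name typed into Securonix ({0}) is matched against sAMAccountName,
# the AD logon name. Change the attribute to cn, dn, etc. if required.
grails.plugins.springsecurity.ldap.search.filter = sAMAccountName={0}

# Active: authenticate only against AD.
# Commented out (prefix with #): Securonix local user authentication is also allowed.
grails.plugins.springsecurity.providerNames = ldapAuthProvider
```

With this file in place, a login succeeds only if the typed name resolves to exactly one sAMAccountName under the user search base and a matching user ID has already been created in Securonix; group-based access then depends on the user's DN appearing in the member attribute of a group under the group search base, so a misconfigured base or filter shows up as a correct password being rejected, which is exactly the case the DEBUG logging below is for.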

To debug any errors encountered, add the following line to the log4j.properties file: log4j.logger.org.springframework.security=DEBUG

Note: If multiple domains need to be configured, request that a virtual directory be created that contains the complete list of users, and use the credentials of the virtual directory in the ldap-config.properties file.