Authentication Using LDAP

Tenable Identity Exposure allows you to authenticate using Lightweight Directory Access Protocol (LDAP).

To enable LDAP authentication, you must have the following:

  • A preconfigured service account (user name and password) that Tenable Identity Exposure uses to bind to the Active Directory. This account only needs read access to the users and groups under the search base; do not use a privileged account.

  • A preconfigured Active Directory group.

After you set up LDAP authentication, the LDAP option appears in a tab on the login page.

To configure LDAP authentication:

  1. In Tenable Identity Exposure, click Systems > Configuration.

    The configuration pane appears.

  2. Under the Authentication section, click LDAP.

  3. Click the Enable LDAP authentication toggle to enabled.

    An LDAP information form appears.

  4. Provide the following information:

  • In the Address of the LDAP server box, type the LDAP server address in URL form: ldap:// followed by the host name (or IP address) and the port number, for example ldap://dc01.tenable.ad:389.

    Note: If you use an LDAPS server, type its address beginning with ldaps:// followed by the host name and port number (for example ldaps://dc01.tenable.ad:636). Simple binds over plain ldap:// send the password unencrypted, so use ldaps:// wherever your domain controllers support it. If the LDAPS certificate is issued by a private CA, complete the configuration with the procedure "To add a custom trusted Certificate Authorities (CA) certificate for LDAPS" below.
  • In the Service account used to query the LDAP server box, type the account that Tenable Identity Exposure binds with, as a Distinguished Name (for example CN=svc-tie,OU=Service Accounts,DC=Tenable,DC=ad), a SamAccountName (for example svc-tie), or a UserPrincipalName (for example svc-tie@tenable.ad). The form you choose determines the Enable SASL bindings setting below.

  • In the Service account password box, type the password for this service account.

  • In the LDAP search base box, type the distinguished name of the directory location that Tenable Identity Exposure searches for users who attempt to log in, beginning with DC= or OU= (for example DC=Tenable,DC=ad). This can be the domain root or a specific organizational unit; the narrower the base, the fewer accounts can match.

  • In the LDAP search filter box, type the filter that Tenable Identity Exposure uses to find the user. A standard filter for authentication in Active Directory is sAMAccountName={{login}}, where {{login}} is replaced by the value the user provides at login. Keep the filter restricted to a single identifying attribute so that one login resolves to exactly one account.

  5. For Enable SASL bindings, do one of the following:

    • If you entered the service account as a SamAccountName, click the Enable SASL bindings toggle to enabled.

    • If you entered the service account as a Distinguished Name or UserPrincipalName, leave Enable SASL bindings disabled.

  6. Under the Default Profile and Roles section, click Add an LDAP group to specify the groups allowed to authenticate. Only members of the groups you list here can log in, so give each group the least privileged profile and roles it needs.

    An LDAP group information form appears.

    • In the LDAP group name box, type the distinguished name of the group (example: CN=TAD_User,OU=Groups,DC=Tenable,DC=ad).

    • In the Default profile drop-down box, select the profile for the allowed group.

    • In the Default roles box, select the roles for the allowed group.

  7. If necessary, click the add icon to add another allowed group.

  8. Click Save.

To add a custom trusted Certificate Authorities (CA) certificate for LDAPS:

  1. In Tenable Identity Exposure, click Systems.

  2. Click the Configuration tab to display the configuration pane.

  3. Under the Application Services section, click Trusted Certificate Authorities.

  4. In the Additional CA certificates box, paste your company's PEM-encoded trusted CA certificate for Tenable Identity Exposure to use.

  5. Click Save.
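The two procedures above involve form values that are easy to get wrong (URL scheme, search base, the {{login}} placeholder, the SASL toggle, the PEM CA certificate). The following Python script is an added example, not part of Tenable's documentation or product: it checks a set of values offline against the rules stated in the procedures and shows how a login typed by a user must be escaped (RFC 4515) before it is substituted into the search filter, so that input such as `*)(objectClass=*` cannot rewrite the filter. The dictionary keys (`server`, `service_account`, ...), the host `dc01.tenable.ad` and the account `svc-tie` are this example's own assumptions, not product field names.

```python
"""Offline pre-flight checks for the LDAP form values described above.

Added example, not Tenable code. It mirrors the rules the procedures state
(ldap:// or ldaps:// address, DC=/OU= search base, {{login}} placeholder,
SASL only for a sAMAccountName service account, PEM-encoded CA certificate)
and escapes the login value per RFC 4515 before substituting it into the
filter. The dict keys used by validate_ldap_config() are example names.
"""
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
LOGIN_PLACEHOLDER = "{{login}}"
# RFC 4515 section 3: these characters must be hex-escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def parse_ldap_url(url: str):
    """Return (scheme, host, port); port defaults to 389 for ldap, 636 for ldaps."""
    parts = urlsplit(url.strip())
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError(f"address must start with ldap:// or ldaps://, got {url!r}")
    if not parts.hostname:
        raise ValueError("address has no host name")
    return parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS[parts.scheme]


def account_form(service_account: str) -> str:
    """Classify the service account as 'dn', 'upn' or 'samaccountname'."""
    value = service_account.strip()
    if "=" in value:          # e.g. CN=svc-tie,OU=Service Accounts,DC=Tenable,DC=ad
        return "dn"
    if "@" in value:          # e.g. svc-tie@tenable.ad
        return "upn"
    return "samaccountname"   # e.g. svc-tie


def sasl_required(service_account: str) -> bool:
    """The procedure enables SASL bindings only for a sAMAccountName service account."""
    return account_form(service_account) == "samaccountname"


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for an LDAP filter (single pass, so no double escaping)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_search_filter(template: str, login: str) -> str:
    """Substitute the login a user typed into the filter template, escaped."""
    if LOGIN_PLACEHOLDER not in template:
        raise ValueError("search filter must contain {{login}}")
    return template.replace(LOGIN_PLACEHOLDER, escape_filter_value(login))


def is_valid_search_base(base: str) -> bool:
    """The search base must be a DN whose first RDN is DC= or OU=."""
    rdns = [r.strip() for r in base.split(",")]
    return bool(re.match(r"^(DC|OU)=\S", rdns[0], re.I)) and all("=" in r for r in rdns)


def validate_ldap_config(cfg: dict) -> list:
    """Return (level, message) findings for a dict of form values (example key names)."""
    findings = []
    try:
        scheme, host, _port = parse_ldap_url(cfg["server"])
        if scheme == "ldap" and host not in ("localhost", "127.0.0.1", "::1"):
            findings.append(("warning", "simple binds over ldap:// send the bind password "
                                        "in cleartext; prefer ldaps://"))
        if scheme == "ldaps" and not cfg.get("ca_pem"):
            findings.append(("info", "ldaps:// with a private CA needs the PEM CA certificate "
                                     "pasted under Trusted Certificate Authorities"))
    except ValueError as exc:
        findings.append(("error", str(exc)))
    pem = cfg.get("ca_pem", "").strip()
    if pem and not (pem.startswith("-----BEGIN CERTIFICATE-----")
                    and pem.endswith("-----END CERTIFICATE-----")):
        findings.append(("error", "CA certificate is not PEM-encoded"))
    if not is_valid_search_base(cfg["search_base"]):
        findings.append(("error", "search base must be a DN beginning with DC= or OU="))
    if LOGIN_PLACEHOLDER not in cfg["search_filter"]:
        findings.append(("error", "search filter must contain {{login}}"))
    if sasl_required(cfg["service_account"]) != cfg["sasl_enabled"]:
        findings.append(("error", "enable SASL bindings only when the service account "
                                  "is a sAMAccountName"))
    for group in cfg.get("groups", []):
        if not re.match(r"^CN=", group.strip(), re.I):
            findings.append(("error", f"LDAP group must be a distinguished name: {group!r}"))
    return findings


if __name__ == "__main__":
    # Constructed sample values, matching the example group DN used on this page.
    sample = {
        "server": "ldap://dc01.tenable.ad:389",
        "service_account": "svc-tie",
        "sasl_enabled": False,
        "search_base": "DC=Tenable,DC=ad",
        "search_filter": "sAMAccountName={{login}}",
        "groups": ["CN=TAD_User,OU=Groups,DC=Tenable,DC=ad"],
    }
    for level, message in validate_ldap_config(sample):
        print(f"{level}: {message}")
    print(render_search_filter(sample["search_filter"], "*)(objectClass=*"))
```

Run it before you save the form: the sample above deliberately combines a plain ldap:// address with a sAMAccountName service account and SASL left disabled, so it reports both problems, and the last line shows the escaped filter an injection attempt would produce rather than a widened search.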

For more information about security profiles and roles, see: