LDAP Servers

Path: Resources > LDAP Servers

Configuring LDAP allows you to use one or more external LDAP servers for SecurityCenter user account authentication. LDAP authentication centralizes account management on the directory: SecurityCenter stores no password for LDAP users, so the directory's password complexity, expiry, and lockout policies apply to SecurityCenter logins.

You can also use configured LDAP servers as LDAP query assets. For more information, see Assets.

Configure the LDAP settings as directed by your LDAP server administrator. Click Test LDAP Settings to validate the connection.

Option

Description

Server Settings

Name A unique name for the LDAP server.
Description (Optional) A description for the LDAP server.

Hostname

The IP address or DNS name of the LDAP server.

Port

The remote LDAP port. Confirm the selection with your LDAP server administrators.

  • When Encryption is None or Transport Layer Security (STARTTLS), Port is typically 389. STARTTLS upgrades the plaintext connection on the standard LDAP port; it does not use a separate port.
  • When Encryption is LDAPS, Port is typically 636.

Encryption

(Optional) If the LDAP server encrypts communications, the encryption method: Transport Layer Security (STARTTLS) or LDAP over SSL (LDAPS). With Encryption set to None, the search account's password and every user's password at login cross the network in cleartext (LDAP simple bind), so use None only for testing on an isolated network.

Username / Password

(Optional) If required by the server, the username and password for an account on the LDAP server with permission to search for user data. For example, Active Directory servers reject anonymous searches, so a search account is required.

Format the username as expected by the LDAP server (for example, a full distinguished name or, on Active Directory, a userPrincipalName).

Tip: Use a dedicated, read-only service account for the search, not an administrator or a personal account, and give it a password that meets stringent length and complexity requirements. SecurityCenter stores this password, so the account should have no rights beyond reading user attributes.

LDAP Schema Settings

Base DN

The LDAP search base used as the starting point to search for the user data.

User Object Filter

(Optional) An LDAP search filter (RFC 4515 syntax) that further restricts which directory entries can match a login, beyond the Base DN and Username Attribute. A typical use is limiting logins to members of one directory group rather than every account under the Base DN.

User Schema Settings (Required for authentication. Optional if you plan to use the LDAP server only as an LDAP query asset.)

Username Attribute The attribute on the LDAP server that contains the login name for the account. On Active Directory servers this is usually sAMAccountName. Contact your LDAP administrator for the correct value.

E-mail Attribute

The attribute on the LDAP server that contains the email address for the account. On Active Directory servers this is usually mail. Contact your LDAP administrator for the correct value.

Phone Attribute

The attribute on the LDAP server that contains the telephone number for the account. On Active Directory servers this is usually telephoneNumber. Contact your LDAP administrator for the correct value.

Name Attribute

The attribute on the LDAP server that contains the display name associated with the account. On Active Directory servers this is usually CN. Contact your LDAP administrator for the correct value.

Access Settings

Organizations The SecurityCenter organizations you want to authenticate using this LDAP server.

Advanced Settings

Lowercase

When enabled, SecurityCenter modifies the usernames sent by the LDAP server to use only lowercase characters.

Tenable™ recommends keeping this option disabled.

DNS Field

The LDAP server parameter used in LDAP server requests to filter the returned asset data.

Tenable™ recommends using the default value provided by SecurityCenter.

Time Limit

The number of seconds you want SecurityCenter to wait for search results from the LDAP server.

Tenable™ recommends using the default value provided by SecurityCenter.

Note: Access to Active Directory is performed via AD’s LDAP mode. When using multiple AD domains, LDAP access may be configured to go through the Global Catalog. Port 3268 is the default non-SSL/TLS setting, while port 3269 is used for SSL/TLS connections by default. More general information about LDAP searches via the Global Catalog may be found at: http://technet.microsoft.com/en-us/library/cc728188(v=ws.10).aspx.

To add an LDAP server connection:

  1. Log in to SecurityCenter using an Administrator account.
  2. Click Resources > LDAP Servers.
  3. Click Add.
  4. Enter the Server Settings, LDAP Schema Settings, User Schema Settings, and Access Settings as described in the options table.
  5. If necessary, modify the default Advanced Settings.
  6. Click Test LDAP Settings to validate the LDAP server connection.
  7. Click Submit.
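The following script is an added example and is not part of the SecurityCenter product or its documentation. It checks an LDAP server definition for the mistakes the options table warns about (encryption/port mismatch, no search account against Active Directory, an unescaped login name inside the search filter) and prints the OpenLDAP ldapsearch command that performs the same lookup as Test LDAP Settings, so you can reproduce a failing test from a shell. The dataclass, its field names, the host dc01.example.com, the bind DN, base DN and group DN are assumptions for illustration; the ldapsearch flags (-H, -x, -ZZ, -D, -W, -b, -s) are standard OpenLDAP options.

```python
"""Added example (not Tenable's code): sanity-check a SecurityCenter LDAP
server definition and reproduce "Test LDAP Settings" with ldapsearch.
All host names, DNs and group names below are hypothetical."""
from dataclasses import dataclass
from typing import List, Optional

# STARTTLS upgrades the plaintext LDAP port (389, or 3268 for the AD Global
# Catalog); LDAPS has its own port (636, or 3269 for the Global Catalog).
PLAINTEXT_PORTS = {389, 3268}
LDAPS_PORTS = {636, 3269}


@dataclass
class LdapServerConfig:
    hostname: str
    port: int
    encryption: Optional[str]        # None, "STARTTLS" or "LDAPS"
    bind_dn: Optional[str]           # the Username field; None = anonymous search
    base_dn: str
    username_attribute: str = "sAMAccountName"
    user_object_filter: str = ""     # optional extra RFC 4515 filter


def check_port_encryption(cfg: LdapServerConfig) -> List[str]:
    """Return warnings about the Encryption/Port/Username combination. Empty = fine."""
    warnings = []
    if cfg.encryption is None:
        warnings.append("Encryption is None: the search password and every user "
                        "password cross the network in cleartext (simple bind).")
        if cfg.port in LDAPS_PORTS:
            warnings.append(f"Port {cfg.port} is an LDAPS port but Encryption is None.")
    elif cfg.encryption == "STARTTLS" and cfg.port not in PLAINTEXT_PORTS:
        warnings.append(f"STARTTLS is issued on the plaintext port (389/3268), not {cfg.port}.")
    elif cfg.encryption == "LDAPS" and cfg.port not in LDAPS_PORTS:
        warnings.append(f"LDAPS normally uses 636 (3269 for the Global Catalog), not {cfg.port}.")
    if cfg.bind_dn is None:
        warnings.append("No search account: Active Directory rejects anonymous searches.")
    return warnings


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value embedded in a search filter. Without it a
    login name such as 'jdoe)(objectClass=*' rewrites the filter (LDAP injection)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def build_user_filter(cfg: LdapServerConfig, login_name: str) -> str:
    """Username Attribute equals the login name, AND-ed with the User Object Filter."""
    clause = f"({cfg.username_attribute}={escape_filter_value(login_name)})"
    if cfg.user_object_filter:
        return f"(&{clause}{cfg.user_object_filter})"
    return clause


def ldapsearch_argv(cfg: LdapServerConfig, login_name: str) -> List[str]:
    """argv for OpenLDAP ldapsearch doing the lookup Test LDAP Settings performs.
    -W prompts for the bind password (keeps it out of shell history);
    -ZZ makes STARTTLS mandatory instead of silently falling back to cleartext."""
    scheme = "ldaps" if cfg.encryption == "LDAPS" else "ldap"
    argv = ["ldapsearch", "-H", f"{scheme}://{cfg.hostname}:{cfg.port}", "-x"]
    if cfg.encryption == "STARTTLS":
        argv.append("-ZZ")
    if cfg.bind_dn:
        argv += ["-D", cfg.bind_dn, "-W"]
    argv += ["-b", cfg.base_dn, "-s", "sub", build_user_filter(cfg, login_name),
             cfg.username_attribute, "mail", "telephoneNumber", "cn"]
    return argv


if __name__ == "__main__":
    # Hypothetical values; replace with those from your LDAP administrator.
    cfg = LdapServerConfig(
        hostname="dc01.example.com", port=636, encryption="LDAPS",
        bind_dn="CN=sc-ldap-search,OU=Service Accounts,DC=example,DC=com",
        base_dn="DC=example,DC=com",
        user_object_filter="(memberOf=CN=SecurityCenter Users,OU=Groups,DC=example,DC=com)",
    )
    for w in check_port_encryption(cfg):
        print("WARNING:", w)
    print(" ".join(ldapsearch_argv(cfg, "jdoe")))
```

If the printed ldapsearch command returns the expected entry with the Username, E-mail, Phone and Name attributes populated, Test LDAP Settings should succeed with the same values; if it returns nothing, check the Base DN and User Object Filter before suspecting SecurityCenter. For the Global Catalog case in the note above, use port 3268 with STARTTLS or 3269 with LDAPS and the forest root as Base DN.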

To delete an LDAP server connection:

Note: If you delete a connection to an LDAP server, the users associated with that server cannot log in to SecurityCenter. Tenable™ recommends reconfiguring associated user accounts before deleting LDAP server connections.

  1. Log in to SecurityCenter using an Administrator account.
  2. Click Resources > LDAP Servers.
  3. Click the gear icon next to the server connection you want to delete.
  4. Click Delete.

    The Delete LDAP Server confirmation window appears.

  5. Click Delete.

Copyright 2017 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc.  Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc.  All other products or services are trademarks of their respective owners.