LDAP Authentication

Adding LDAP servers allows you to use one or more external LDAP servers for Tenable Security Center user account authentication. LDAP authentication improves the security of Tenable Security Center because users authenticate against the directory, so the password complexity, rotation, and lockout requirements your security policy enforces there apply to Tenable Security Center logins as well.

After you configure an LDAP server, create Tenable Security Center user accounts for each LDAP user you want to grant access.

Then, users with LDAP-authenticated accounts can log in to Tenable Security Center using the Sign In Using Identity Provider button, as described in Log In to the Web Interface.

You can also use configured LDAP servers as LDAP query assets. For more information, see Assets.

Note: Tenable Security Center does not support Microsoft Active Directory Lightweight Directory Services (AD LDS) servers for LDAP authentication.

Note: Tenable Security Center cannot retrieve more than one page of LDAP results. If Tenable Security Center asset list or user authentication queries are not retrieving all expected results, consider modifying your LDAP pagination control settings to increase the results per page.

For more information, see Add an LDAP Server and Delete an LDAP Server.

LDAP Authentication Options

Configure the LDAP settings as directed by your LDAP server administrator. Click Test LDAP Settings to validate the connection.

Option

Description

Server Settings

Name

(Required) A unique name for the LDAP server.

Description

A description for the LDAP server.

Hostname

(Required) The IP address or DNS name of the LDAP server.

Port

(Required) The remote LDAP port. Confirm the selection with your LDAP server administrators.

  • When Encryption is None, Port is typically 389.
  • When Encryption is TLS (STARTTLS), Port is also typically 389: STARTTLS negotiates TLS on the standard cleartext port after the connection is opened.
  • When Encryption is LDAPS, Port is typically 636, where the server expects a TLS handshake immediately.

Encryption

If the LDAP server encrypts communications, the encryption method: Transport Layer Security (STARTTLS) or LDAP over SSL (LDAPS). With None, the bind credentials below and every query result cross the network in cleartext, so use STARTTLS or LDAPS wherever the server supports it.

Username / Password

(Required) The username and password for an account on the LDAP server with permission to search for user data. For example, Active Directory servers require an authenticated search. Tenable Security Center stores these credentials, so use a dedicated, read-only service account with no rights beyond searching the directory.

Format the username as the LDAP server expects it. Active Directory, for example, accepts a user principal name (user@example.com), DOMAIN\user, or a full distinguished name.

Tip: It is recommended to use passwords that meet stringent length and complexity requirements.

User Provisioning

You can enable user provisioning to automatically create LDAP-authenticated users in Tenable Security Center by importing user accounts from your LDAP identity provider. When user provisioning is enabled, users who log in to your LDAP identity provider are automatically created in Tenable Security Center.

Tenable Security Center supports the following LDAP authentication systems for user provisioning:

  • Active Directory on Microsoft Server 2016 (on-premises)

  • Active Directory on Microsoft Server 2019 (on-premises)

For more information, see LDAP User Provisioning.

Note: If you want to delete a Tenable Security Center user that was created via LDAP user provisioning, delete the user from your LDAP identity provider. If you delete a user in Tenable Security Center that was created via LDAP user provisioning without deleting the user in your LDAP identity provider, Tenable Security Center automatically re-creates the user in Tenable Security Center the next time they log in using your LDAP identity provider.

User Data Sync

If you enable User Provisioning, you can enable User Data Sync to allow Tenable Security Center to automatically synchronize contact information (first name, last name, email address, and phone number) from your LDAP identity provider for Tenable Security Center users created via LDAP user provisioning. For more information, see LDAP User Provisioning.

Note: If you want to edit a Tenable Security Center user that was created via LDAP user provisioning and you enabled User Data Sync, edit the user in your LDAP identity provider. Otherwise, the Tenable Security Center user data synchronization overwrites your changes the next time the user logs in to Tenable Security Center using your LDAP identity provider.

LDAP Schema Settings

Base DN

(Required) The LDAP search base used as the starting point to search for the user data, for example DC=example,DC=com. Searches run from this entry down, so choose the narrowest base that still contains every user you want to authenticate.

User Object Filter

An LDAP search filter that narrows the search beyond the Base DN and Username Attribute, for example (objectClass=user) or, to restrict logins to members of one group, (&(objectClass=user)(memberOf=CN=Tenable Users,OU=Groups,DC=example,DC=com)). (These filters are illustrative; use the attributes your directory actually populates.)

User Schema Settings (Optional, if you plan to use the LDAP server only as an LDAP query asset.)

Username Attribute

The attribute on the LDAP server that contains the username for the account. On Active Directory servers this is usually sAMAccountName. Contact your LDAP server administrator for the correct value.

E-mail Attribute

The attribute on the LDAP server that contains the email address for the account. On Active Directory servers this is usually mail. Contact your LDAP server administrator for the correct value.

Phone Attribute

The attribute on the LDAP server that contains the telephone number for the account. On Active Directory servers this is usually telephoneNumber. Contact your LDAP server administrator for the correct value.

Name Attribute

The attribute on the LDAP server that contains the display name associated with the account. On Active Directory servers this is usually cn. Contact your LDAP server administrator for the correct value.

Access Settings

Organizations

The Tenable Security Center organizations you want to authenticate using this LDAP server.

Advanced Settings

Lowercase

When enabled, Tenable Security Center modifies the usernames sent by the LDAP server to use only lowercase characters.

Tenable recommends keeping this option disabled.

DNS Field

The LDAP server parameter used in LDAP server requests to filter the returned asset data.

Tenable recommends using the default value provided by Tenable Security Center.

Time Limit

The number of seconds you want Tenable Security Center to wait for search results from the LDAP server.

Tenable recommends using the default value provided by Tenable Security Center.

Note: Access to Active Directory is performed via AD's LDAP interface. When using multiple AD domains, LDAP access may be configured to go through the Global Catalog, which holds a partial replica of every domain in the forest. Port 3268 is the default non-SSL/TLS Global Catalog port, while port 3269 is the default for SSL/TLS (LDAPS) connections. More general information about LDAP searches via the Global Catalog may be found at: http://technet.microsoft.com/en-us/library/cc728188(v=ws.10).aspx.