Warning: You are viewing an older version of this documentation. Most recent is here: 39.0.0

Authentication

Stamus Central Server provides two authentication methods, the default local database and LDAP (Active Directory), to authenticate users.

Local Authentication

By default, SCS users are authenticated on a local database.

The Manage Accounts menu under the Stamus Logo dropdown lets you manage users to:

  • create new accounts

  • edit existing accounts

  • delete existing accounts

  • reset passwords

  • specify account roles

Add/Create User

In order to Add/Create a New User: in the upper left corner click on Stamus Networks logo drop down icon -> Manage Accounts.

On the User Management page, in the Action panel -> click on Add.

Edit User

In order to edit an existing user: in the upper left corner click on Stamus Networks logo drop down icon -> Manage Accounts.

On the User Management Page, in the User list -> click on the Username of the user you wish to edit.

In the Actions panel -> click on Edit user.

Change User Password

In order to change user password: in the upper left corner click on Stamus Networks logo drop down icon -> Manage Accounts.

On the User Management Page, in the User list -> click on the Username of the user whose password you wish to change.

In the Actions panel -> click on Change user password.

Delete User

In order to delete a user: in the upper left corner click on Stamus Networks logo drop down icon -> Manage Accounts.

On the User Management Page, in the User list -> click on the Username of the user you wish to delete.

In the Actions panel -> click on Delete user.

User Permissions

There are three default roles as described below:

  • Active User is allowed to connect to SCS but has only read permission

  • Staff User can make changes in SCS (appliance/probe additions , ruleset push, …)

  • Superuser has Full Unrestricted Access, including editing user authentication settings and user creation in the local database.

In order to handle permission levels: in the upper left corner click on Stamus Networks logo drop down icon -> Manage Accounts.

On the User Management Page, in the User list -> click on the Username of the user whose permission levels you wish to change.

In the Actions panel -> click on Edit user and set permission levels by enabling/disabling the Active , Staff User and Superuser checkboxes.

Authentication (LDAP, local)

To turn one LDAP authentication, open Global Appliance Settings under the Stamus Logo dropdown and then select the Authentication tab.

To use Active Directory, you need a few things:

  • The Distinguished Name (DN) of an AD user and his associated password: this user is only used to do the initial query that try to find user to be logged in

  • The DN of three different groups in the AD that will be mapped to SCS internal groups

  • The base DNs to search users and groups

LDAP server URI is the URI of the LDAP server/Active directory server. It is in the form ldap://myad.domain.com:389 or ldaps://myad.domain.com.

If you use an LDAPS URI or enable STARTTLS then you need to select if you would like to verify the certificate or not. If you choose to verify/check that then you will probably have to upload a PEM certificate authority file corresponding to the one used in your AD. This can be done by clicking on Provide file for TLS certificate authority of LDAP server.

There are two options how you can configure LDAPS (example):

  • Use LDAP server URI ldap://myad.domain.com:389 and select Use STARTTLS command or

  • Use LDAP server URI ldaps://myad.domain.com and do not select Use STARTTLS command

Important

Importing mismatching certificate and key pair results in breaking Stamus Central Server. To fix this:

  • SSH on manager

  • launch _stamus_restore_default_certs as root (/usr/local/bin/_stamus_restore_default_certs)

This command will reset to default certificates

To confirm that the LDAP/S server connectivity and can be queried remotely you can try the following:

  • On a domain Windows PC or server

  • Search for and start the windows ldp tool

  • (for LDAPS) click Connection then fill in the full LDAP enabled server name (example) WINSERV-DC1-LDAPSenabled.myaddomain.com. Then port fill in port 636 and select the SSL check box then click OK

  • (for LDAP) same as above but do not select the SSL check box and fill in port 389

  • you should have no errors

The LDAP bind user parameters have to be filled with the DN and password of a functional user.

Example:

CN=Administrator,CN=Users,DC=myaddomain,DC=com

Note: The user does not need to be AD administrator.

The LDAP search settings must be filled in with two DNs pointing to the node in the LDAP tree containing the users (resp. the groups).

Example:

CN=Users,DC=myaddomain,DC=com

The LDAP groups mapping settings allow the user to define which groups in the AD give privilege in SCS:

  • DN of active group is the DN of a group containing all users allowed to connect to SCS

  • DN of staff group is the DN of a group containing all users that can act on SCS (appliances edition, ruleset push, …)

  • DN of superuser group is the DN of a group containing all users that can act on the local user handling

Example:

CN=SCSActive,CN=Users,DC=myaddomain,DC=com
CN=SCSStaff,CN=Users,DC=myaddomain,DC=com
CN=SCSAdmins,CN=Users,DC=myaddomain,DC=com

Note

The groups SCSAdmins and SCSStaff need to be part of the group SCSActive otherwise members will not have an active status and would not be able to log into SCS.

If Active Directory is chosen there is a fall back on local database but one should keep a user with admin privilege in the local database which username is not available/existing in the Active Directory. This way there is one access which is not depending on Active Directory.

After the configuration is submitted (via the Submit button at the bottom of the form), you need to click on apply changes on the left hand side panel under Action - to make it active.

You can get info about remote authentication by clicking on Stamus menu icon -> System Logs. The Authentication log contains information about the authentication attempt.

Here is a few information about the possible messages.

If you have a message similar to this one:

Caught LDAPError while authenticating regit: INVALID_CREDENTIALS({'info': '80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v23f0', 'desc': 'Invalid credentials'},)
Invalid login attempt for 'regit' from '192.168.1.137'

Then the bind parameter are not correct. The error is not on user side.

An invalid password entered by a correct user lead to:

search_s('CN=Users,DC=stamus,DC=com', 2, '(sAMAccountName=%(user)s)') returned 1 objects: cn=eric leblond,cn=users,dc=stamus,dc=com
Authentication failed for regit: user DN/password rejected by LDAP server.
Invalid login attempt for 'regit' from '192.168.1.137'

An attempt with a non existent login lead to:

search_s('CN=Users,DC=stamus,DC=com', 2, '(sAMAccountName=%(user)s)') returned 0 objects:
Authentication failed for gruick: failed to map the username to a DN.
Invalid login attempt for 'gruick' from '192.168.1.137'