Required LDAP settings for the SSMC X.509 two-factor solution

In addition to the common LDAP configuration requirements, two-factor authentication requires additional LDAP settings. You can find these settings in the Advanced Options area of the Create LDAP Configuration and Edit LDAP Configuration screens in the SSMC Main Console. See the HPE SSMC Online Help for additional details.

  • Service account settings – Specifies a user name and password for a Service Account user. Two-factor authentication requires a proxy user called the Service Account to authenticate and authorize LDAP users. The Service Account LDAP username is the full bind DN. Required permission includes read permission for the user and group subtrees.

  • X509 Authentication – Identifies the Certificate field and the LDAP Attribute.

    • The Certificate field identifies which certificate field the system will use as the user ID. It can be either subject or subjectAlt.

      • The subject field uses a subject attribute. For example, for a certificate subject DN of E=user@example.com,OU=Engineering,O=Example Corp, either of the following values uses the email address field as the user identifier: subject:E* or subject:E*,OU,O.

      • The subjectAlt field uses an encoding type, which defaults to rfc822Name. This encoding type refers to an email address.

        When the encoding type is otherName, a Principal Name (OID 1.3.6.1.4.1.311.20.2.3) value is expected.

    • The LDAP attribute field identifies which attribute of the LDAP entry to match against the user identifier. The attribute used varies depending on the overall LDAP schema and use case. For example: If the ldap-2FA-cert-field attribute is set to subject:E*, the user identifier is an e-mail address and the corresponding LDAP attribute is mail.
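The following is an added illustration, not SSMC code: it derives the user identifier from a certificate the way the Certificate-field setting above describes (subject attribute, or subjectAlt with rfc822Name/otherName encoding) and then builds the search filter the Service Account would run against the configured LDAP attribute. The DN strings and SAN tuples are constructed sample inputs, and the reading of "subject:E*,OU,O" as "take the value of the first listed attribute" is an assumption, as is the RFC 4515 escaping step, which is included because a value copied out of a client-presented certificate must not be able to change the shape of the filter.

```python
# Added example (not SSMC code). Sample DNs/SAN entries are constructed.
import re

UPN_OID = "1.3.6.1.4.1.311.20.2.3"  # otherName Principal Name OID named on the page


def parse_dn(dn):
    """Split 'E=a@x,OU=Eng,O=Corp' into [('E','a@x'), ('OU','Eng'), ('O','Corp')]."""
    pairs = []
    for part in re.split(r"(?<!\\),", dn):  # split on commas that are not escaped
        attr, _, value = part.partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def user_id_from_subject(dn, cert_field):
    """cert_field is a value such as 'subject:E*' or 'subject:E*,OU,O'.
    Assumption: the first listed attribute (minus a trailing '*') names the
    DN attribute whose value becomes the user identifier."""
    spec = cert_field.split(":", 1)[1]
    wanted = spec.split(",")[0].rstrip("*").upper()
    for attr, value in parse_dn(dn):
        if attr == wanted:
            return value
    return None


def user_id_from_subject_alt(san_entries, encoding="rfc822Name"):
    """san_entries: list of (type, value) tuples as a SAN parser would yield;
    an otherName value is an (oid, value) pair. rfc822Name -> e-mail address,
    otherName -> Principal Name under UPN_OID, as described on the page."""
    for san_type, value in san_entries:
        if encoding == "rfc822Name" and san_type == "rfc822Name":
            return value
        if encoding == "otherName" and san_type == "otherName" and value[0] == UPN_OID:
            return value[1]
    return None


def escape_filter_value(value):
    """RFC 4515 escaping: a certificate-supplied value cannot alter the filter."""
    return "".join(c if c not in "\\*()\x00" else "\\%02x" % ord(c) for c in value)


def ldap_filter(ldap_attribute, user_id):
    """Filter the Service Account would use, e.g. (mail=user@example.com)."""
    return "(%s=%s)" % (ldap_attribute, escape_filter_value(user_id))
```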