LDAP Security on the GSA


Lightweight Directory Access Protocol (LDAP) is an application protocol for reading and editing directories over an IP network. Data is stored in entries, which build up a hierarchical, tree-like structure. Each entry has a unique name (DN, Distinguished Name), which describes its position within the tree. An entry consists of key/value pairs, the attributes.

LDAP is used to authenticate users before returning secure search results. When a user connects to the Google Search Appliance and requests a search for secure results, the search appliance asks for credentials from the user. These credentials are then forwarded to the LDAP server for validation.

The search appliance tries to auto-detect the LDAP configuration settings. When the LDAP server is Active Directory, detection is successful. When another LDAP server is used, such as Apache Directory Server, detection normally fails and the values have to be entered manually. To do this, you can force the advanced settings to appear by clicking the Go to advanced settings page even if detection fails checkbox.

Configuration

How to integrate the search appliance with an LDAP Server is described in: Integrating the Search Appliance with an LDAP Server

Enabling Group Lookup

The search appliance can be enabled to automatically look up group information for a user during authentication.

To enable group lookup:

  1. Click the Lookup a user's group information during Authentication whenever possible checkbox.
  2. Click Save LDAP Settings.
  3. Note that the Group Search Filter value under LDAP Settings has to be filled in; if it is not, the search appliance will not send the group filter to LDAP to extract the group information.
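A worked illustration of what the group lookup does once the Group Search Filter is filled in, added here and not part of this page or of the GSA's own code: the authenticated user's DN is substituted into a filter template, escaped per RFC 4515 so that parentheses or an asterisk in the DN cannot change the structure of the filter, and evaluated against a few constructed group entries with a small filter evaluator. The template, its {user_dn} placeholder and the directory contents are assumptions made for this example.

```python
import re

def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515 section 3)."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group(0)), value)

def _matches(entry, filt):
    """Evaluate a small RFC 4515 subset: (&...), (|...), (!...) and (attr=value) with '*' wildcards."""
    if not (filt.startswith("(") and filt.endswith(")")):
        raise ValueError("malformed filter: " + filt)
    body = filt[1:-1]
    if body[0] in "&|!":
        parts, depth, start = [], 0, 1
        for i, ch in enumerate(body[1:], 1):
            depth += (ch == "(") - (ch == ")")
            if depth == 0 and ch == ")":
                parts.append(body[start:i + 1])
                start = i + 1
        results = [_matches(entry, p) for p in parts]
        return all(results) if body[0] == "&" else any(results) if body[0] == "|" else not results[0]
    attr, _, value = body.partition("=")
    # Turn '*' into a wildcard, \xx escapes back into literal characters, and everything else into literals.
    pattern = "".join(".*" if tok == "*" else re.escape(chr(int(tok[1:], 16)) if tok.startswith("\\") else tok)
                      for tok in re.findall(r"\\[0-9a-fA-F]{2}|\*|[^\\*]+", value))
    return any(re.fullmatch(pattern, v, re.IGNORECASE) for v in entry.get(attr.lower(), []))

def lookup_groups(directory, filter_template, user_dn):
    """Substitute the escaped user DN into the template and return the cn of every matching group."""
    filt = filter_template.replace("{user_dn}", escape_filter_value(user_dn))
    return sorted(e["cn"][0] for e in directory if _matches(e, filt))

# Constructed group entries (attribute names lower-cased); not taken from any real directory.
DIRECTORY = [
    {"objectclass": ["group"], "cn": ["gsa-readers"], "member": ["cn=Jane Doe,ou=Staff,dc=example,dc=com"]},
    {"objectclass": ["group"], "cn": ["finance"], "member": ["cn=Jane Doe (Finance),ou=Staff,dc=example,dc=com"]},
    {"objectclass": ["group"], "cn": ["everyone"],
     "member": ["cn=Jane Doe,ou=Staff,dc=example,dc=com", "cn=Jane Doe (Finance),ou=Staff,dc=example,dc=com"]},
]
GROUP_FILTER = "(&(objectClass=group)(member={user_dn}))"  # assumed template; {user_dn} is this example's placeholder
```

Without the escaping step, a DN containing parentheses or an asterisk would alter the filter sent to the server instead of being compared as a literal value.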

Important:

  • The appliance can be configured to use either LDAP or Kerberos, but not both.
  • If the LDAP server does not support anonymous binds (an anonymous login for basic LDAP requests), you need a login on the LDAP server.
  • The Google Search Appliance has an in-memory authorization cache to avoid wasting bandwidth and time verifying the same credentials multiple times. The cache remains active for an hour by default.

Kerberos Security on the GSA


Kerberos is a network authentication protocol that enables client and server applications to perform mutual authentication for the duration of a user's login session.

It is a silent authentication method in which users submit their password once to access all services, typically during network logon. The user logs onto the network and receives a Ticket Granting Ticket (TGT) so that the user's client can authenticate itself with the Key Distribution Center (KDC) and obtain service tickets.

When the search appliance is configured to use IWA / Kerberos authentication, the search appliance checks the user's session ticket against a KDC before displaying secure search results to a user. For Windows servers, the domain controller acts as the KDC for Kerberos authentication.

Currently, Kerberos can only be used at serve time; Kerberos for crawling content is only supported in version 6.10.

General Concepts

  • SPN - Service Principal Name: The name that defines a service in Kerberos.
  • KDC - Key Distribution Center: The repository that clients use to get Kerberos tickets for services.
  • TGT - Ticket Granting Ticket: A small, encrypted identification file with a limited validity period. After authentication, this file is granted to a user by the key distribution center (KDC) for data traffic protection.

Verifying Kerberos is Working on Windows

  • Log in to your domain and check for your TGT: in a command prompt, execute klist tickets
  • Open a browser, go to a Kerberized site and make sure you are not prompted for credentials

Configuration

Step 1: Configure the search appliance as a user in Active Directory

In Windows Server, as a domain controller administrator, create a new user account object for the search appliance with these characteristics:

  • Password never expires
  • Account trusted for delegation across all services to allow the GSA to retrieve content service tickets on the user’s behalf using the user’s TGT.
  • Encryption:

Step 2: Register the GSA Service Principal Name

The appliance has to be registered under a Service Principal Name. Execute the following command to register the GSA SPN:

setspn -a HTTP/FQDN_of_the_searchappliance GSA_USER

Step 3: Create a Keytab File

This file is encrypted and stored on the GSA during the configuration. It contains the private key used to decrypt the GSA service tickets and validate users without contacting the KDC. Create the file with the following command:

ktpass -princ HTTP/FQDN_of_the_searchappliance@DOMAIN_NAME -mapuser DOMAIN_NAME\searchappliance_username -pass searchappliance_password -out filename.keytab -crypto DES-CBC-MD5 +DesOnly -ptype KRB5_NT_PRINCIPAL

Once the Keytab file is created it has to be validated. Use the Kerberos Setup Validation Utility to check the Keytab file and the GSA user configuration.
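An added example, not part of this page or of the Kerberos Setup Validation Utility: a Python parser for the MIT version 2 keytab layout that ktpass writes, used to confirm that the file carries the GSA SPN with the KRB5_NT_PRINCIPAL name type, and to show its kvno and encryption type, before the file is imported into the GSA. The host gsa.example.com, the realm EXAMPLE.COM and the sample bytes are constructed placeholders.

```python
import struct
KRB5_NT_PRINCIPAL = 1  # the -ptype given to ktpass in Step 3
ENCTYPES = {3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def _octets(data, off):
    (n,) = struct.unpack_from(">H", data, off)  # counted octet string: uint16 big-endian length, then the bytes
    return data[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(blob):
    """Parse an MIT version 2 keytab (the layout ktpass writes) into a list of entry dicts."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    off, entries = 2, []
    while off < len(blob):
        (size,) = struct.unpack_from(">i", blob, off)
        off += 4
        if size <= 0:  # a negative size marks a deleted slot; fresh ktpass output never contains one
            raise ValueError("unexpected keytab entry size %d" % size)
        end = off + size
        (ncomp,) = struct.unpack_from(">H", blob, off)
        realm, off = _octets(blob, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _octets(blob, off)
            comps.append(comp.decode())
        name_type, _stamp, vno8, enctype = struct.unpack_from(">IIBH", blob, off)
        key, off = _octets(blob, off + 11)
        vno32 = struct.unpack_from(">I", blob, off)[0] if end - off >= 4 else 0  # trailing 32-bit kvno, if present
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "name_type": name_type,
                        "kvno": vno32 or vno8, "enctype": ENCTYPES.get(enctype, str(enctype))})
        off = end
    return entries

def check_keytab(blob, spn):
    """List problems for the GSA SPN; an empty list means the principal is present with the right name type."""
    hits = [e for e in parse_keytab(blob) if e["principal"] == spn]
    if not hits:
        return ["no entry for " + spn]
    return ["name type %d is not KRB5_NT_PRINCIPAL" % e["name_type"] for e in hits if e["name_type"] != KRB5_NT_PRINCIPAL]

def _entry(comps, realm, kvno, enctype, key):
    """Constructed test data only: serialise one entry in the layout parse_keytab reads."""
    cs = lambda b: struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(comps)) + cs(realm) + b"".join(cs(c) for c in comps)
    body += struct.pack(">IIBH", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF, enctype) + cs(key) + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample keytab (placeholder host and realm): one des-cbc-md5 entry (enctype 3) with kvno 3.
SAMPLE_KEYTAB = b"\x05\x02" + _entry([b"HTTP", b"gsa.example.com"], b"EXAMPLE.COM", 3, 3, b"\x11" * 8)
```

On a real file, call check_keytab(open(path, "rb").read(), "HTTP/FQDN_of_the_searchappliance@DOMAIN_NAME") and compare the reported kvno with the account's current key version, which changes every time the account password is reset. DES encryption types are disabled by default on domain controllers from Windows Server 2008 R2 onward, so confirm that the KDC will actually issue tickets with the enctype the keytab contains.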

Step 4: Configure Web Browsers for Kerberos Authentication

Users who query the search appliance must have their web browsers configured to use Kerberos authentication. The following describes how to configure IE and Firefox:

Enabling Kerberos for IE

  1. Enable IWA under Internet Options > Advanced
  2. Under Security > Local Intranet
    • In Sites, add HTTP/S URLs
    • Under Custom Level > User Authentication > Logon, "Automatic logon only in Intranet zone" has to be selected.

Enabling Kerberos for Firefox

  1. Enter about:config in the address field
  2. Then, search for nego and add the following:
    • negotiate-auth.delegation-uris – GSA
    • negotiate-auth.trusted-uris – GSA and content server
    • If you are using a Microsoft Windows domain controller and you are running Mozilla Firefox on Microsoft Windows, verify that network.auth.use-sspi is set to true, which is its default value.

Safari is not a supported browser because it doesn't forward Kerberos tickets.

Step 5: Configure Kerberos Authentication in the Admin Console

In Serving > Universal Login Auth Mechanisms, fill in the Kerberos-based form with the following parameters:

Field | Value
Specify a Kerberos Key Distribution Center (KDC) / Windows Domain Controller (DC) | DOMAIN_NAME
Enable KDC DNS Lookup | Checked
Import a Kerberos Service Key Table ("keytab") File | Import the Keytab file generated in the above steps
Credential Group | Default
Enable Kerberos Support | Checked
Mechanism Name | Add the desired name

SMB Configuration

An authentication rule instructing the crawler how to authenticate when crawling the protected content has to be created. An authentication rule consists of a URL pattern matching the protected files, a username, a domain (if using NTLM or Kerberos), and a password. Using the Make Public checkbox allows users to get results from both the public content (normally available to everyone) and the secure (confidential) content.

To set options for crawling secure content:

  1. Click Crawl and Index > Crawler Access.
  2. Under Users and Passwords for Crawling, enter the URLs Matching Pattern, the username, the domain (if using NTLM or Kerberos), and the password and confirmation in the text boxes.
  3. Click the Save Crawler Access Configuration button.
  4. In Crawl and Index > Crawl URLs, add the directories. Use the fully qualified name when adding the directories; otherwise the text version of the documents won't be available for each file share search result.

Remember

  • To set up folder access correctly, first set the users that will have access to each folder and only after that share the folder; if you share the folder first and then set the permissions, you will run into security issues.
  • If you change some folder permissions there is no need to re-crawl.