WUI - How to use Remote User Groups for WUI Authorization with LDAP Authentication
The purpose of this article is to provide a solution for allowing LoadMaster WUI users to be authorized through Remote User Groups and authenticated using LDAP. For WUI authentication using LDAP and Local User Authorization, see this Knowledge Base Article.
Ensure that the LDAP WUI Authentication settings and the LDAP Endpoint are configured correctly before following the steps below. Local users are not a prerequisite for this solution. In addition, ensure you have a group created in Active Directory with all the appropriate users added to it.
Step 1: Create the Remote User Group by navigating to System Configuration > System Administration > User Management > Remote User Groups.
- Enter the Group Name.
- Click Add Group.
Figure 1.1 - Adding a new remote user group.
Note: The group name entered here must match the group name in Active Directory exactly.
Step 2: Select permissions for the remote user group. Assign the WUI permissions that members of this new group are authorized to use.
- Click Modify on the new group.
- Select the respective checkboxes for individual permissions or select the All Permissions checkbox for full access.
- Click the Set Permissions button.
Figure 1.2 - Setting the permissions for the new remote user group.
Step 3: Add the remote user group to the LDAP WUI AAA service. The remote user group created above can now be added to the LDAP WUI AAA service.
- Navigate to Certificates & Security > Remote Access > WUI Authorization Options > LDAP-Remote User Groups.
- Click the Select groups button.
- Select the checkbox that corresponds to the new remote user group.
- Click the Apply Selected Groups button.
Figure 1.3 - Select the groups for the LDAP WUI AAA service.
Figure 1.4 - Select the checkbox for the Remote User Group and click Apply Selected Groups.
After completing the prerequisites and steps above, you can test whether an Active Directory user can authenticate successfully.
Step 4: Navigate to Certificates & Security > Remote Access > WUI Authorization Options > Test AAA for User.
- Enter the Username in UPN format (firstname.lastname@example.org).
- Enter the Password for this user.
- Click Test User.
Figure 1.5 - Sample Test AAA for User.
Depending on the outcome of the authentication test, one of the following browser popups will be visible:
Figure 1.6 - Authentication test succeeded.
Figure 1.7 - Authentication test failed.
The System Message File may give some hints as to why this user is failing the authentication test.
Navigate to System Configuration > Logging Options > System Log Files > System Message File.
For example, the following messages indicate that the tested user is not a member of the Active Directory group configured as the remote user group:
Aug 22 14:39:40 USHA1 validuser: do_check_group: user not in allowed group
Aug 22 14:39:40 USHA1 validuser: group_processing: Blocked access - user not in approved groups
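The following Python script is an added example for triaging this failure from the System Message File; it is not part of the original article or Kemp's software. It assumes the line layout seen in the two messages above (timestamp, host, process, function, message), which is inferred from those two lines only. It filters the group-authorization denials out of the log, counts blocked attempts per LoadMaster host, and, for the Note in Step 1, compares the configured Remote User Group names against a list of Active Directory group names to catch the common case and whitespace mismatches. The extra log lines and the group names are constructed sample data.

```python
"""Triage helpers for LoadMaster LDAP WUI group authorization failures.

Added example (not Kemp's code). Assumes the System Message File layout
seen on this page:  <Mon> <DD> <HH:MM:SS> <host> <process>: <function>: <message>
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<proc>[^:\s]+): "
    r"(?P<func>[^:]+): "
    r"(?P<msg>.*)$"
)

# Message fragments quoted on this page that indicate the login was rejected
# at the group-authorization stage (LDAP authentication itself may have passed).
GROUP_DENIAL_MARKERS = ("user not in allowed group", "user not in approved groups")


@dataclass(frozen=True)
class Event:
    ts: str
    host: str
    proc: str
    func: str
    msg: str

    @property
    def is_group_denial(self) -> bool:
        """True for validuser lines that report a Remote User Group block."""
        return self.proc == "validuser" and any(m in self.msg for m in GROUP_DENIAL_MARKERS)


def parse_line(line: str) -> Optional[Event]:
    """Parse one System Message File line; None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(**m.groupdict())


def group_denials(lines: Iterable[str]) -> List[Event]:
    """Return only the events that explain a 'user not in group' test failure."""
    events = (parse_line(line) for line in lines)
    return [e for e in events if e is not None and e.is_group_denial]


def denials_by_host(lines: Iterable[str]) -> Dict[str, int]:
    """Count blocked attempts per LoadMaster host.

    do_check_group and group_processing both log for the same attempt, so only
    the final 'Blocked access' line is counted to avoid double counting.
    """
    counts: Counter = Counter()
    for e in group_denials(lines):
        if e.msg.startswith("Blocked access"):
            counts[e.host] += 1
    return dict(counts)


def group_name_mismatches(
    configured: Iterable[str], ad_groups: Iterable[str]
) -> List[Tuple[str, Optional[str]]]:
    """Check the Step 1 note: each Remote User Group name must match an AD group exactly.

    Returns (configured_name, closest_ad_name_or_None) for every configured group
    without an exact match. The closest name is the AD group that is equal after
    trimming whitespace and case-folding, which is the usual typo.
    """
    ad = list(ad_groups)
    exact = set(ad)
    loose = {g.strip().casefold(): g for g in ad}
    return [(c, loose.get(c.strip().casefold())) for c in configured if c not in exact]


# Constructed sample: the two lines quoted on this page, plus one constructed
# non-denial line and one malformed line to show that only denials are reported.
SAMPLE_LOG = [
    "Aug 22 14:39:40 USHA1 validuser: do_check_group: user not in allowed group",
    "Aug 22 14:39:40 USHA1 validuser: group_processing: Blocked access - user not in approved groups",
    "Aug 22 14:40:05 USHA1 validuser: do_check_group: user in allowed group",  # constructed
    "garbage line that does not follow the format",  # constructed
]

if __name__ == "__main__":
    for e in group_denials(SAMPLE_LOG):
        print(f"{e.ts} {e.host} {e.func}: {e.msg}")
    print(denials_by_host(SAMPLE_LOG))
    # Hypothetical group names: a trailing space and a case difference, both of
    # which would make the "exact match" check in Step 1 fail.
    print(group_name_mismatches(["LM-Admins ", "lm-readonly"], ["LM-Admins", "LM-ReadOnly"]))
```

Paste the relevant lines from the System Message File into SAMPLE_LOG (or read the file into a list) and run the script; a non-empty result from group_name_mismatches points at Step 1 rather than at the LDAP Endpoint configuration.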
Alternatively, test by logging out of the LoadMaster and logging back in with the LDAP user (user@domain.com) and password.