3.6 User Management and User Directories
3.6.1 User Management
NFA includes a User Management function, accessible under the Management main menu section,
that allows you to:
- review and filter the list of users
- edit and delete existing user records
- add new users
3.6.2 LDAP user directories
LDAP user directories can be added, updated and removed from NFA by accessing Management > User Management. Each user directory takes a series of parameters specific to the protocol.
All operations on DNs (the initial bind DN, group DNs, user names) are case-insensitive and also strip redundant whitespace.
Refer to the documentation of the individual protocol for how to correctly configure a given user directory.
The example below lists the generic set of parameters required to configure NFA to use Active Directory for access management.
The general tab covers:
- User directory name – the name assigned to the directory within NFA
- User directory type
- State – a toggle to enable or disable the user directory
- Order – specifies when NFA examines this user directory relative to the other configured user directories
The server tab covers:
- User directory hostname, as either an IP address or a domain name (LDAP/LDAPS)
- User directory port
- Encryption selector: SSL, TLS, or no encryption
- Certificate verification toggle and TLS CA certificate file options, available when TLS encryption is selected
- Bind user name that NFA uses to authenticate itself to the directory
- Bind password assigned to NFA
The user schema tab covers:
- Type selector: Generic, LDAP POSIX, or Active Directory
- Base DN – the root distinguished name and user subtree to search
- Object Class – an attribute that defines the characteristics of an object in the directory
- Object Filter – a search criterion used to find objects in the directory that match a specific set of attributes
- Username, Email, and Full Name fields – map the user directory attributes to NFA user attributes
The group schema tab covers:
- Type selector: Generic, LDAP POSIX, or Active Directory
- Base DN – the root distinguished name and user subtree to search
- Object Class – an attribute that defines the characteristics of an object in the directory
- Object Filter – a search criterion used to find objects in the directory that match a specific set of attributes
- Group Identifier, Group Member Identifier, and Member Identifier fields – map the user directory attributes to NFA group attributes
The role map tab covers:
- LDAP Group Role
- Internal NFA role (Admin / User)
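As an added illustration (not NFA's own code) of how the user schema, group schema and role map tabs fit together, the following Python resolves a login name to an NFA role against a small constructed in-memory directory. The attribute names, DNs and the CONFIG layout are assumptions; the DN comparison applies the case-insensitive, whitespace-stripping rule stated above, and a user who belongs to no mapped group gets no role.

```python
import re
# Constructed sample directory (not real data): DN -> attributes.
DIRECTORY = {
    "CN=Alice Example,OU=Staff,DC=example,DC=com": {"objectClass": ["user"], "sAMAccountName": ["alice"]},
    "CN=Bob Example,OU=Staff,DC=example,DC=com": {"objectClass": ["user"], "sAMAccountName": ["bob"]},
    "CN=NFA Admins,OU=Groups,DC=example,DC=com": {"objectClass": ["group"],
        # deliberately mixed case with stray spaces: must still match Alice's DN
        "member": ["cn=alice example, ou=staff, dc=example, dc=com"]},
    "CN=NFA Users,OU=Groups,DC=example,DC=com": {"objectClass": ["group"],
        "member": ["CN=Alice Example,OU=Staff,DC=example,DC=com",
                   "CN=Bob Example,OU=Staff,DC=example,DC=com"]},
}
# Hypothetical settings mirroring the user schema, group schema and role map tabs.
CONFIG = {
    "user": {"base_dn": "OU=Staff,DC=example,DC=com", "object_class": "user",
             "username_attr": "sAMAccountName"},
    "group": {"base_dn": "OU=Groups,DC=example,DC=com", "object_class": "group",
              "member_attr": "member"},
    # ordered role map: the first mapped group that lists the user decides the role
    "role_map": [("CN=NFA Admins,OU=Groups,DC=example,DC=com", "Admin"),
                 ("CN=NFA Users,OU=Groups,DC=example,DC=com", "User")],
}
def normalize_dn(dn):
    """Comparison form of a DN: lower-cased, whitespace around ',' and '=' removed."""
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip()).lower()

def matches_schema(dn, attrs, schema):
    """True when the entry lies under the schema's Base DN and carries its Object Class."""
    return (normalize_dn(dn).endswith("," + normalize_dn(schema["base_dn"]))
            and schema["object_class"] in attrs.get("objectClass", []))

def find_user_dn(username):
    for dn, attrs in DIRECTORY.items():
        if (matches_schema(dn, attrs, CONFIG["user"]) and username.lower()
                in (v.lower() for v in attrs.get(CONFIG["user"]["username_attr"], []))):
            return dn
    return None

def resolve_role(username):
    """NFA role for the user, or None (no access) when no mapped group lists them."""
    user_dn = find_user_dn(username)
    if user_dn is None:
        return None
    for group_dn, role in CONFIG["role_map"]:
        attrs = DIRECTORY.get(group_dn, {})
        if matches_schema(group_dn, attrs, CONFIG["group"]):
            members = {normalize_dn(m) for m in attrs.get(CONFIG["group"]["member_attr"], [])}
            if normalize_dn(user_dn) in members:
                return role
    return None
```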
3.6.3 TACACS+ user directories
TACACS+ user directories can be added, updated and removed from NFA by accessing Management > User Management. Each user directory takes a series of parameters specific to the protocol.
The general tab covers:
- User directory name – the name assigned to the directory within NFA
- State – a toggle to enable or disable the user directory
- Order – specifies when NFA examines this user directory relative to the other configured user directories
The server tab covers:
- User directory hostname, as either an IP address or a domain name
- User directory port
- Encryption key
The group schema tab covers:
- The Service parameter
- The Argument Key
The role map tab covers:
- TACACS Group Role
- Internal NFA role (Admin / User)