The Threat Grid Appliance supports LDAP authentication and authorization for OpAdmin and
TGSH Dialog login.
You can authenticate multiple appliance administrators with different credentials that
are managed on the domain controller or the LDAP server. Authentication modes include:
System Password Only, System Password or LDAP, and LDAP Only.
There are three LDAP Protocol options: LDAP, LDAPS, and LDAP with STARTTLS.
The following considerations should be reviewed:
The dual authentication mode (System Password or LDAP) is required to
avoid accidentally locking yourself out of the appliance when setting up LDAP.
Selecting LDAP Only is not allowed initially; you must first go through
dual mode to make sure it works. You will need to log out of OpAdmin after the
initial configuration, and then log back in using LDAP credentials in order to
toggle to LDAP Only.
You can only log into TGSH Dialog using LDAP if you are configured for LDAP Only
authentication. If authentication mode is set to System Password or LDAP, then
the TGSH Dialog login will only allow the System login.
If the appliance is configured for LDAP authentication only (LDAP Only),
then resetting the password in recovery mode will reconfigure the authentication
mode to allow login with system password as well.
Make sure that the authentication filter is set up to restrict membership to the directory
users who should administer the appliance, rather than matching any valid directory account.
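The following is an added example, not Threat Grid code, showing why the filter matters. It evaluates a small subset of RFC 4515 search filters against constructed directory entries and compares a permissive filter with one restricted to an admin group; the entry DNs, group name and attribute values are assumptions made up for the example.

```python
"""Evaluate LDAP search filters (RFC 4515 subset) against in-memory entries.

Added example: not Threat Grid Appliance code. It models the effect of a
permissive versus a membership-restricted authentication filter. The
directory entries, DNs and group names below are constructed sample data.
"""
import re

# Constructed sample directory: two people plus a service account.
ENTRIES = [
    {"dn": "uid=alice,ou=people,dc=example,dc=com",
     "objectClass": ["person", "inetOrgPerson"], "uid": ["alice"],
     "memberOf": ["cn=tg-admins,ou=groups,dc=example,dc=com"]},
    {"dn": "uid=bob,ou=people,dc=example,dc=com",
     "objectClass": ["person", "inetOrgPerson"], "uid": ["bob"],
     "memberOf": ["cn=helpdesk,ou=groups,dc=example,dc=com"]},
    {"dn": "uid=svc-backup,ou=services,dc=example,dc=com",
     "objectClass": ["person"], "uid": ["svc-backup"], "memberOf": []},
]


def parse_filter(text):
    """Parse a filter string into a nested tuple tree.

    Supported: (&...), (|...), (!...), (attr=value) and (attr=*), with '*'
    acting as a substring wildcard inside values. Nodes are
    ('and', [...]), ('or', [...]), ('not', node), ('eq', attr, value)
    and ('present', attr).
    """
    pos = 0

    def parse_node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at {pos}")
        pos += 1
        op = text[pos]
        if op in "&|":
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(parse_node())
            node = ("and" if op == "&" else "or", children)
        elif op == "!":
            pos += 1
            node = ("not", parse_node())
        else:
            end = text.index(")", pos)
            attr, sep, value = text[pos:end].partition("=")
            if not sep:
                raise ValueError(f"unsupported filter item {text[pos:end]!r}")
            node = ("present", attr) if value == "*" else ("eq", attr, value)
            pos = end
        if text[pos] != ")":
            raise ValueError(f"expected ')' at {pos}")
        pos += 1
        return node

    node = parse_node()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return node


def _values(entry, attr):
    # LDAP attribute names are case-insensitive.
    for key, val in entry.items():
        if key.lower() == attr.lower():
            return val if isinstance(val, list) else [val]
    return []


def _eq(pattern, value):
    # '*' in the filter value is a wildcard; compare case-insensitively,
    # as most directory attribute syntaxes do.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def matches(node, entry):
    kind = node[0]
    if kind == "and":
        return all(matches(child, entry) for child in node[1])
    if kind == "or":
        return any(matches(child, entry) for child in node[1])
    if kind == "not":
        return not matches(node[1], entry)
    if kind == "present":
        return bool(_values(entry, node[1]))
    return any(_eq(node[2], v) for v in _values(entry, node[1]))


def who_can_log_in(filter_text, entries=ENTRIES):
    """Return the uids an appliance using this filter would accept."""
    tree = parse_filter(filter_text)
    return [e["uid"][0] for e in entries if matches(tree, e)]


# Weak: every person object in the directory becomes an appliance admin.
WEAK_FILTER = "(objectClass=person)"
# Restrictive: admin group members only, excluding service accounts.
STRICT_FILTER = ("(&(objectClass=person)"
                 "(memberOf=cn=tg-admins,ou=groups,dc=example,dc=com)"
                 "(!(uid=svc-*)))")

if __name__ == "__main__":
    print("weak  :", who_can_log_in(WEAK_FILTER))
    print("strict:", who_can_log_in(STRICT_FILTER))
```

With the constructed data the weak filter admits all three accounts, including the service account, while the group-restricted filter admits only alice. The same check can be run with ldapsearch against the real directory before the filter is entered in OpAdmin, which is the point at which a too-broad filter is cheap to catch.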
TGSH Dialog and OpAdmin require LDAP credentials only in LDAP Only mode:
if LDAP Only is configured, TGSH Dialog will not ask for the system
password but for an LDAP user name and password.
If authentication is configured for System Password or LDAP, TGSH Dialog
will continue to ask only for the system password; it does not offer both.
Troubleshooting LDAP: If it breaks, disable it by doing a password reset in
TGSH Dialog access via SSH: A system password or a configured SSH key is required
in addition to LDAP credentials for tgsh-dialog access via ssh when
in LDAP Only mode.
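The mode rules above are easy to get wrong during a rollout, so the following added example (not appliance code) encodes them as a small state model: the lockout-safe path to LDAP Only, what TGSH Dialog prompts for in each mode, the extra requirement for tgsh-dialog over SSH, and the effect of a recovery-mode password reset. The class and method names are this example's own; the mode names are taken from the text.

```python
"""Model of the Threat Grid Appliance's documented authentication-mode rules.

Added example, not appliance code. It encodes the constraints stated in the
LDAP section so that a planned rollout can be checked for lockout before
touching OpAdmin. Class and method names are assumptions of this example.
"""

SYSTEM_ONLY = "System Password Only"
DUAL = "System Password or LDAP"
LDAP_ONLY = "LDAP Only"

# Which OpAdmin login methods each mode accepts.
OPADMIN_METHODS = {
    SYSTEM_ONLY: {"system"},
    DUAL: {"system", "ldap"},
    LDAP_ONLY: {"ldap"},
}


class ApplianceAuth:
    def __init__(self):
        self.mode = SYSTEM_ONLY
        self.ldap_configured = False
        # Set once an administrator has logged into OpAdmin with LDAP
        # credentials while in dual mode; required before LDAP Only.
        self.ldap_login_verified = False

    def configure_ldap(self):
        self.ldap_configured = True

    def _check_mode(self, new_mode):
        if new_mode in (DUAL, LDAP_ONLY) and not self.ldap_configured:
            raise ValueError("configure LDAP before enabling it")
        if new_mode == LDAP_ONLY:
            if self.mode != DUAL:
                raise ValueError("LDAP Only must be entered from System Password or LDAP")
            if not self.ldap_login_verified:
                raise ValueError("log out and back in with LDAP credentials first")

    def can_set_mode(self, new_mode):
        """True if the documented rules allow switching to new_mode now."""
        try:
            self._check_mode(new_mode)
            return True
        except ValueError:
            return False

    def set_mode(self, new_mode):
        self._check_mode(new_mode)
        self.mode = new_mode

    def opadmin_login(self, method):
        """method is 'system' or 'ldap'; returns True if the login is allowed."""
        ok = method in OPADMIN_METHODS[self.mode]
        if ok and method == "ldap" and self.mode == DUAL:
            self.ldap_login_verified = True
        return ok

    def tgsh_dialog_prompt(self, via_ssh=False):
        """Credentials TGSH Dialog asks for; SSH in LDAP Only adds a system
        password or configured SSH key on top of the LDAP credentials."""
        creds = ["ldap"] if self.mode == LDAP_ONLY else ["system"]
        if via_ssh and self.mode == LDAP_ONLY:
            return ["system password or ssh key"] + creds
        return creds

    def recovery_password_reset(self):
        """A recovery-mode password reset re-enables system password login."""
        if self.mode == LDAP_ONLY:
            self.mode = DUAL


def safe_rollout():
    """The lockout-safe sequence from the text; returns the appliance model
    and the modes it passed through."""
    appliance = ApplianceAuth()
    trail = [appliance.mode]
    appliance.configure_ldap()
    appliance.set_mode(DUAL)
    trail.append(appliance.mode)
    # While in dual mode the system password still works, so a broken LDAP
    # filter cannot lock you out; verify LDAP by logging in with it.
    assert appliance.opadmin_login("system")
    assert appliance.opadmin_login("ldap")
    appliance.set_mode(LDAP_ONLY)
    trail.append(appliance.mode)
    return appliance, trail


if __name__ == "__main__":
    appliance, trail = safe_rollout()
    print(" -> ".join(trail))
    print("TGSH Dialog (console):", appliance.tgsh_dialog_prompt())
    print("TGSH Dialog (ssh):    ", appliance.tgsh_dialog_prompt(via_ssh=True))
    appliance.recovery_password_reset()
    print("after recovery reset: ", appliance.mode)
```

Running it prints the System Password Only, dual, LDAP Only trail, shows that the console dialog asks only for LDAP credentials in LDAP Only while SSH also needs a system password or key, and that a recovery reset drops the appliance back to dual mode rather than to System Password Only.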
LDAP traffic is outbound from the Clean interface, so the LDAP server must be reachable
from that interface (and any firewall in the path must permit the chosen protocol).