Articles in this section

See more

How do I add users to Lighthouse?

Robert Waldie
  • Updated
Follow

Once you have created user Groups to set permissions, you must assign permissions to users by adding them to these Groups. Users may either be Local (configured on Lighthouse) or Remote (configured on an external AAA server).

Local Users

  • Login to Lighthouse as a Lighthouse Administrator User
  • Click Settings -> User Management -> Local Users
  • Click + to Add User

Username: Enter a POSIX-style name (must only contain lower case alphanumeric, dash and underscore characters) for the User, for example myadmin
Description: Enter an optional description
Password / Confirm Password: Enter a secure password in accordance to your organization’s security policies
Group Memberships: Select the User Groups to add this User to
User Enabled: Check

  • Click Save User

Remote Users

When your AAA server responds to a successful authentication with a list of groups, the remote user is added to these groups. Each server type varies slightly in how the list of groups is configured.

  • Login to Lighthouse as a Lighthouse Administrator User
  • Click Settings -> User Management -> Remote Authentication
  • Select your AAA server type

TACACS+

On Lighthouse, enter the Remote Authentication Server Address and Port, click + to add multiple servers. Enter the Server Password and Confirm.

On your TACACS server, add the group name or comma separated list of groups in custom attribute called "groupname" to the "raccess" service. Click here for instructions on how to do this using Cisco ACS, or see below for a tac-plus config snippet:

user = myadmin {
    service = raccess {
        groupname = cbgadmin
    }
}

RADIUS

On Lighthouse, enter the Remote Authentication Server Address and Port, click + to add multiple servers. Optionally define Remote Accounting Server(s). Enter the Server Password and Confirm.

On your RADIUS server, add the group name or comma separated list of groups as "group_name" inside the "Framed-Filter-Id" attribute, see below for FreeRADIUS config snippet:

myadmin Auth-Type := System
        Framed-Filter-Id = ":group_name=cbgadmin:"

Ensure this setting is surrounded with colon characters.

Note: Auth-Type := System is no longer supported in FreeRADIUS 3.x

LDAP

On Lighthouse, enter the Remote Authentication Server Address and Port, click + to add multiple servers. Enter the Base DN to use (for example dc=my-company,dc=com) and the Bind DN to authenticate the server connection as (for example cn=server-admin,dc=my-company,dc=com). Enter and Confirm the Password of the Bind DN.

On your LDAP server:

  • Active Directory: Add each group's distinguished name as a "memberOf" attribute.
  • OpenLDAP: We use the POSIX schema, i.e. query the group name matching the remote user's "gidNumber" and any additional "posixGroups" with a "memberUid" matching the user's remote "uid".

Related articles

Comments

0 comments

Article is closed for comments.

Powered by Zendesk