Failing Report Uploads to LDAP-Enabled Dashboard


Product Name: CIS-CAT Pro Dashboard

Product Version: v3.0.0+

Date: Dec 6, 2023

Problem

When the LDAP authentication feature is used in CIS-CAT Pro Dashboard, automatic report uploads from CIS-CAT Pro Assessor return an Authentication failure (401) error.

-or-

A previously valid upload token generated for the apiuser account no longer works after enabling LDAP.

Solution

Enabling LDAP disables all local user accounts and their associated functionality while the feature is active. This includes the built-in apiuser account and any associated tokens:
Active Directory - LDAP/S (Optional Custom Option) - Windows - CIS-CAT Pro Dashboard Document Library

To use the report upload functionality when LDAP authentication is in effect, please create a dedicated Dashboard API account in AD and generate a new token with this user. The steps to do so are as follows:

1. Create a new AD user account under your Dashboard users OU with a name of your choice (for example, first name “CIS-CAT Pro Dashboard”, last name “API”, and username dbapi).

  • Ensure the Email field in this account's AD profile is populated. The address does not need to be valid (a placeholder such as dbapi@notareal.email works), but the field cannot be empty.

  • Make this new AD account a member of only the CCPD_API Security Group (not CCPD_USER or CCPD_ADMIN, as the API role is exclusive).

2. Log into Dashboard with this new dbapi user account and its selected password. This creates a corresponding entry for this LDAP account in the Dashboard database and allows it to be selected under “User Management” in the following step.

Once the sign-in succeeds, log back out of the account.

3. Log into Dashboard with an administrative user (e.g. one that holds the CCPD_ADMIN Security Group membership).

  • Navigate to the cogwheel in the top right and select “User Management”.

  • Choose this new dbapi account from the list of users.

  • If this account properly inherited the ROLE_API permission from the CCPD_API group in AD, you can then select the "Generate CIS-CAT Authentication Token" button near the bottom to generate the new token.

This token can then be placed in your (Assessor directory)/config/assessor-cli.properties file under the ciscat.post.parameter.ccpd.token property, or in the Centralized batch file as appropriate for your deployment.
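
The account requirements from step 1 and the token placement described above can be verified with a short PowerShell check. This is an added example, not CIS tooling: it assumes the ActiveDirectory module (RSAT) is installed, uses the article's example username dbapi, takes your Assessor directory as a parameter, and the function name Test-DashboardApiAccount is hypothetical.

```powershell
# Added example: pre-flight check for the LDAP-backed Dashboard API account.
# Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Test-DashboardApiAccount {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,  # e.g. 'dbapi' (the article's example)
        [string] $AssessorDir                             # assumption: your Assessor install path
    )
    $problems = @()
    $user = Get-ADUser -Identity $SamAccountName -Properties mail

    if (-not $user.Enabled) { $problems += 'AD account is disabled.' }

    # Step 1: the Email field must be populated (a placeholder address is acceptable).
    if ([string]::IsNullOrWhiteSpace($user.mail)) {
        $problems += 'Email (mail) attribute is empty.'
    }

    # Step 1: member of CCPD_API only. This lists direct memberships;
    # nested group membership is not expanded here.
    $groups = @(Get-ADPrincipalGroupMembership -Identity $user |
                Select-Object -ExpandProperty Name)
    if ($groups -notcontains 'CCPD_API') {
        $problems += 'Not a member of CCPD_API.'
    }
    foreach ($g in 'CCPD_USER', 'CCPD_ADMIN') {
        if ($groups -contains $g) {
            $problems += "Also a member of $g; the API role is exclusive."
        }
    }

    # Token placement: the property must be set in assessor-cli.properties.
    # Only presence is checked; the token value is never printed.
    if ($AssessorDir) {
        $props   = Join-Path $AssessorDir 'config\assessor-cli.properties'
        $pattern = '^\s*ciscat\.post\.parameter\.ccpd\.token\s*=\s*\S+'
        if (-not (Test-Path $props)) {
            $problems += "Missing $props"
        } elseif (-not (Select-String -Path $props -Pattern $pattern -Quiet)) {
            $problems += 'ciscat.post.parameter.ccpd.token is not set (or is commented out).'
        }
    }

    [pscustomobject]@{
        Account  = $user.SamAccountName
        Ready    = ($problems.Count -eq 0)
        Problems = $problems
    }
}

Test-DashboardApiAccount -SamAccountName 'dbapi'
```

Pass -AssessorDir on the machine that runs CIS-CAT Pro Assessor to include the properties-file check; without it only the AD account is inspected.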

Keywords: CCPD Dashboard LDAP apiuser token

Copyright © 2023

Center for Internet Security®