Discussion:
[Freeipa-users] qradar UBA to IPA
Sean Hogan
2017-05-08 19:31:20 UTC
Hello IPA,

I am trying to set up User Behavioral analytics from Qradar to IPA.
Having some issues with it after we got 389 and 636 open between the nets.

Qradar Console is not in IPA and is on a different net, although we do have comms on
389 and 636 now
ipa-server-3.0.0-50.el6.1.x86_64


I set up an account in IPA with no HBACs or anything and just gave it an IPA
role to read data which we use in the below config.
Getting
[image: screenshot not preserved in the archive]

URL I have them using ldaps://IPofIPAserver.example.com
BaseDN dc=example,dc=local
filter users,cn=accounts,$Suffix
attributes are left default
username is the user I made in ipa
pw is the pw I made in ipa



Has anyone attempted this or have any sample configs to play with or see
anything I am doing incorrectly?




Sean Hogan
Michael Plemmons
2017-05-08 20:20:00 UTC
From the server running Qradar can you ping the IPA server? Are you able
to telnet to port 389 or 636 of the IPA server? The error says it can't
contact the LDAP server which usually means you have not gotten to the
point of authentication yet.





*Mike Plemmons | Senior DevOps Engineer | CROSSCHX*
614.427.2411
***@crosschx.com
www.crosschx.com
Sean Hogan
2017-05-08 20:47:02 UTC
Thanks Michael,

Yes sir, the qradar box is able to hit the ipa server on 389 and 636 with
success via telnet.



Sean Hogan










Michael Plemmons
2017-05-08 20:52:22 UTC
Your listing of the filter seems incorrect unless that is a copy paste
problem. You probably want cn=users,cn=accounts, $Suffix. The filter
listed above shows user,cn=accounts,$Suffix. I am not familiar with Qradar
but does it need just the uid of the user or does it need the full DN of
the user?




*Mike Plemmons | Senior DevOps Engineer | CROSSCHX*
614.427.2411
***@crosschx.com
www.crosschx.com
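
An added example, not from the thread and not FreeIPA or QRadar code: a small checker for the DN values discussed above. It flags an RDN that is missing its attribute type, as in `users,cn=accounts,$Suffix`, and builds the full user DN for the case where the client wants a DN rather than a bare uid. `$Suffix` is expanded as the thread's shorthand for the base DN, and the account name `svc-qradar` is hypothetical.

```python
import re

# One RDN: attribute type (descriptor or numeric OID), "=", non-empty value.
RDN_RE = re.compile(r"^\s*(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)\s*=\s*\S")

def split_rdns(dn):
    """Split a DN on commas that are not backslash-escaped (RFC 4514)."""
    parts, cur, escaped = [], "", False
    for ch in dn:
        if ch == "," and not escaped:
            parts.append(cur)
            cur = ""
            continue
        cur += ch
        escaped = (ch == "\\" and not escaped)
    parts.append(cur)
    return parts

def escape_value(value):
    """Escape characters that are special inside an RDN value (RFC 4514)."""
    out = "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):
        out = out[:-1] + "\\ "
    return out

def check_dn(configured, suffix):
    """Return a list of problems in a configured DN; empty list means none found."""
    dn = configured.replace("$Suffix", suffix)  # expand the thread's shorthand
    problems = [f"RDN {r.strip()!r} is not in type=value form"
                for r in split_rdns(dn) if not RDN_RE.match(r)]
    squash = lambda s: s.replace(" ", "").lower()
    if not squash(dn).endswith(squash(suffix)):
        problems.append(f"DN does not end with suffix {suffix!r}")
    return problems

def ipa_user_dn(uid, suffix):
    """Full DN of a user under FreeIPA's cn=users,cn=accounts container."""
    return f"uid={escape_value(uid)},cn=users,cn=accounts,{suffix}"

if __name__ == "__main__":
    SUFFIX = "dc=example,dc=local"  # BaseDN as given in the thread
    for value in ("users,cn=accounts,$Suffix", "cn=users,cn=accounts,$Suffix"):
        print(value, "->", check_dn(value, SUFFIX) or "ok")
    print(ipa_user_dn("svc-qradar", SUFFIX))  # hypothetical account name
```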