Enable LDAP

Definitions

On this page we use the following terminology:

  • Active Directory (AD) is an implementation of directory services that provides all kinds of functionality such as authentication, group and user management, policy administration, and more.

  • Lightweight Directory Access Protocol (LDAP) is an open, cross-platform protocol designed for directory service authentication.

  • OpenLDAP is an open implementation of LDAP that is distributed via its own OpenLDAP Public License.

  • Free Identity, Policy and Audit (FreeIPA) is an open centralized system designed to manage user authorization and to create audit and access policies for UNIX-based networks.

IMPORTANT
  • LDAP integration is supported only for a single domain.

  • User names are unique. If a local user already exists, an external user with the same name cannot be added during synchronization.

  • For LDAP users, only group membership attributes (the Add groups field) can be modified during synchronization. Changes to an LDAP user's group membership made on the AD side are applied each time the Run LDAP sync action is performed (including when this action runs according to a schedule). If an LDAP user is added to any local ADCM group, this change is preserved during synchronization.

LDAP description

ADCM provides tools to synchronize its users and groups with external systems that support LDAP (such as Active Directory, OpenLDAP, or FreeIPA). This makes it possible to automate the creation of ADCM user accounts according to existing company policies, and to apply the existing ADCM access control methods (granting and revoking rights, changing group membership, and so on) to external users.

After configuring LDAP in ADCM, you are able to do the following:

  • Automatically update user information (such as credentials) when it changes in AD, OpenLDAP, or FreeIPA.

  • Automatically deactivate ADCM user accounts when they are disabled in AD, OpenLDAP, or FreeIPA.

  • Automatically add new users if they match the LDAP configuration settings.

Workflow

To enable LDAP integration, you should perform the following steps:

  1. Navigate to the Settings page.

  2. Activate the LDAP integration switch.

  3. Configure LDAP settings that are listed in the Configuration settings table below.

    [Figure: LDAP integration parameters]
  4. Click Save. Two actions then become available: Run LDAP sync and Test LDAP connection.

  5. Run the Test LDAP connection action to test the connection to the LDAP server. You can view the action result in the Jobs section.

  6. Run the Run LDAP sync action to synchronize the users, groups, and their memberships from Active Directory, OpenLDAP, or FreeIPA into ADCM. You can view the action result in the Jobs section.

NOTE
If LDAP access is configured correctly, any user that matches the configured LDAP settings is able to authenticate in ADCM, even if the Run LDAP sync action has not been performed.
Configuration settings

Each parameter is listed with its name, whether it is required, and its description.

  • LDAP URI (required)
    The URI of the LDAP server.

  • Bind DN (required)
    The distinguished name (DN) of the user account used to connect to the LDAP server. For example: cn=admin,dc=ad,dc=ranger-test

  • Bind Password (required)
    Password of the user specified in the Bind DN field, used to access the LDAP server.

  • User search base (required)
    The distinguished name (DN) of the directory object under which user entries are searched. For example: ou=Peoples,dc=ad,dc=ranger-test

  • User search filter (optional)
    Additional filter constraining the users selected for syncing.

  • User object class (required)
    Object class that identifies user entries. The default value is user

  • User name attribute (required)
    Attribute of the user entry that is treated as the user login. The default value is sAMAccountName

  • Group search base (optional)
    The distinguished name (DN) of the directory object under which group entries are searched. For example: ou=Groups,dc=ad,dc=ranger-test

  • Group search filter (optional)
    Additional filter constraining the groups selected for syncing.

  • Group object class (required)
    Object class that identifies group entries. The default value is group

  • Group name attribute (required)
    Attribute of the group entry that is treated as the group name. The default value is cn

  • Group member attribute name (required)
    Attribute of the group entry that lists its members. The default value is member

  • Group DN for granting ADCM Administrator rights (optional)
    List of unique distinguished names (DN) of groups whose members are granted ADCM Administrator rights. For example: cn=adcm_admin,ou=Groups,dc=ad,dc=ranger-test

  • Sync interval (required)
    Interval, in minutes, at which groups, group memberships, and user distinguished names are synchronized between Active Directory, OpenLDAP, or FreeIPA and ADCM. The default value is 60

  • TLS CA certificate file path (optional)
    Path to the CA certificate in the ADCM container volume.
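To make the synchronization rules above concrete, the following added example (not ADCM's own code) simulates one Run LDAP sync pass over a handful of constructed directory entries that use the DNs from the table: it builds the search filter from the object class plus the optional extra filter, selects users by the user name attribute, skips external users whose login collides with a local account, resolves group membership through the member attribute, and grants administrator rights to members of the configured admin group DN. The CONFIG keys, the in-memory DIRECTORY, and the search-filter combination logic are assumptions for illustration, not ADCM's internal behaviour.

```python
# Constructed sample directory; DNs follow the examples in the table above.
PEOPLE, GROUPS = "ou=Peoples,dc=ad,dc=ranger-test", "ou=Groups,dc=ad,dc=ranger-test"
DIRECTORY = {
    f"cn=alice,{PEOPLE}": {"objectClass": ["user"], "sAMAccountName": ["alice"]},
    f"cn=bob,{PEOPLE}": {"objectClass": ["user"], "sAMAccountName": ["bob"]},
    f"cn=svc,{PEOPLE}": {"objectClass": ["user"], "sAMAccountName": ["admin"]},  # clashes with a local login
    f"cn=adcm_admin,{GROUPS}": {"objectClass": ["group"], "cn": ["adcm_admin"],
                                "member": [f"cn=alice,{PEOPLE}", f"cn=svc,{PEOPLE}"]},
    f"cn=ops,{GROUPS}": {"objectClass": ["group"], "cn": ["ops"], "member": [f"cn=bob,{PEOPLE}"]},
}
# Hypothetical configuration keyed like the parameters in the table (key names are assumptions).
CONFIG = {"user_search_base": PEOPLE, "user_object_class": "user", "user_name_attribute": "sAMAccountName",
          "group_search_base": GROUPS, "group_object_class": "group", "group_name_attribute": "cn",
          "group_member_attribute": "member", "admin_group_dns": [f"cn=adcm_admin,{GROUPS}"]}

def build_filter(object_class, extra=None):
    """Combine the object class with the optional extra filter into one RFC 4515 AND filter."""
    base = f"(objectClass={object_class})"
    if not extra:
        return base
    if not (extra.startswith("(") and extra.endswith(")")):
        extra = f"({extra})"  # a bare "attr=value" term must be parenthesised to be a valid filter
    return f"(&{base}{extra})"

def search(base_dn, object_class):
    """Simulated subtree search: entries below base_dn whose objectClass matches."""
    return {dn: attrs for dn, attrs in DIRECTORY.items()
            if dn.lower().endswith("," + base_dn.lower())
            and object_class in attrs["objectClass"]}

def run_ldap_sync(cfg, local_users):
    """One sync pass: users keyed by login, groups by name, admins taken from the admin group DNs."""
    users, skipped = {}, []
    for dn, attrs in search(cfg["user_search_base"], cfg["user_object_class"]).items():
        login = attrs[cfg["user_name_attribute"]][0]
        if login in local_users:  # user names are unique: the local account wins
            skipped.append(login)
        else:
            users[login] = dn
    login_by_dn = {dn: login for login, dn in users.items()}
    admin_dns = {d.lower() for d in cfg["admin_group_dns"]}
    groups, admins = {}, set()
    for dn, attrs in search(cfg["group_search_base"], cfg["group_object_class"]).items():
        members = {login_by_dn[m] for m in attrs.get(cfg["group_member_attribute"], [])
                   if m in login_by_dn}  # members that were not synced as users are ignored
        groups[attrs[cfg["group_name_attribute"]][0]] = members
        if dn.lower() in admin_dns:
            admins |= members
    return {"users": users, "groups": groups, "admins": admins, "skipped": skipped}
```

Calling run_ldap_sync(CONFIG, {"admin"}) skips the external "admin" login, and because that skipped account never becomes an ADCM user it also receives no administrator rights even though its DN is listed in the adcm_admin group.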
