LDAP Synchronization
LDAP Sync allows organizations to leverage their LDAP repository to manage the list of active users as well as their group membership in SD Elements.
- OpenLDAP
- Microsoft Active Directory
Prerequisites
Before configuring LDAP Sync, collect the following information:
- SD Elements super user credentials needed for configuring SD Elements.
  - The default super user for OnSite Deployments is sdesupport@securitycompass.com.
- The hostname and port of the LDAP server.
- The protocol to use when connecting with the LDAP server, which is one of:
  - LDAP
  - LDAP with StartTLS
  - LDAPS
- The DN and password of a user to bind to the LDAP server.
- The base group DN. This DN will be used for querying LDAP groups.
- A list of LDAP group names to map to existing SDE groups. These LDAP groups should be under the base group DN.
LDAP connection fields
An LDAP connection has the following properties:
- Name: A unique name for this connection.
- Protocol: LDAP method to use when connecting. The available options are: LDAP, LDAPS, and LDAP with StartTLS. If unspecified, the LDAP method will default to LDAP with StartTLS.
- LDAP Server: The host of the LDAP server. Example: ldap.server.com:389
- LDAP Validate Cert: Toggle on to enable SSL certificate validation.
- Bind DN: The DN of the user to bind to the LDAP server.
- Bind Password: The password of the user to bind to the LDAP server.
- Group Base DN: The base DN of the LDAP groups to be synchronized.
- Sync Frequency: The rate at which the sync should occur. One of: Manually, Hourly, Daily, Weekly, Monthly.
Optional fields:
- Base DN: The base DN used in constructing user queries. This will be automatically computed from the bind DN if left blank.
- LDAP User Schema: LDAP schema attribute mappings used by SD Elements for computing a user's name and email. Leave blank to use the default mappings.
- LDAP Filter - Group: A whitelist of LDAP groups to limit the sync to. Leave blank to sync all groups defined in the Group Mapping.
- LDAP Filter - Email Filter: A whitelist of LDAP users to limit the sync to. Leave blank to sync all users defined in the Group Mapping.
- LDAP Query Page Size: The maximum number of LDAP results to retrieve at a time. Only available on LDAP servers that implement RFC 2696.
- Group Member Query: LDAP query for retrieving members of a group. '%s' will be replaced by the LDAP group name during query construction.
- Deactivation: Toggle on for the desired deactivation behavior.
  Deactivation behavior:

  | Option | Behavior |
  | --- | --- |
  | Automatically deactivate SDE users that are not assigned to a group | When an LDAP sync happens, users found within LDAP will be synced to SDE users. The users will be placed in at least one SDE group. With this option toggled on, after LDAP sync, any SDE users that don't belong to an SDE group will be deactivated. Users may want to toggle on this option to deactivate any previously existing SDE users that are not in any SDE group. |
  | Automatically deactivate SDE users not found in LDAP | When an LDAP sync happens, users found in LDAP will be synced to SDE users and the users will be placed in at least one SDE group. Users may want to toggle on this option to deactivate any previously existing SDE users that are not found in LDAP. |

  Combinations of Deactivation configurations:

  | 'Automatically deactivate SDE users that are not assigned to a group' | 'Automatically deactivate SDE users not found in LDAP' | Result |
  | --- | --- | --- |
  | ON | ON | This configuration will result in the deactivation of SDE users who don't belong to an SDE group and any SDE users who are not found within LDAP. Users who are found in LDAP and who get assigned to a mapped SDE group will remain activated. |
  | ON | OFF | This configuration will result in the deactivation of SDE users who don't belong to an SDE group. SDE users who are not found within LDAP will stay activated. If an LDAP Group is mapped to an SDE Group, any SDE users who are in the SDE Group but not in the LDAP group will be removed from the SDE Group and deactivated. Only users found in the LDAP group can belong to the mapped SDE Group. |
  | OFF | ON | This configuration will result in the deactivation of SDE users who are not found in LDAP. |
  | OFF | OFF | This configuration will result in no deactivation of any SDE user after an LDAP sync. Previously existing active SDE users and users synced from LDAP will remain active. |
- Inaccessible: Mark this connection as inaccessible. This should only be done if the LDAP server cannot be reached from SD Elements. As a result, syncing from the server will be disabled for this connection. Instead, use the Remote Integration Agent to perform the integration.
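To make the four toggle combinations in the table above concrete, here is an added Python model of one sync pass (example code, not SD Elements' own implementation): the function names, data shapes and sample users are constructed assumptions, and it assumes a user found in a mapped LDAP group is synced as an active SDE user.

```python
def sync_users(sde_users, ldap_groups, group_mappings,
               deactivate_unassigned, deactivate_not_in_ldap):
    """Return {username: (active, frozenset of SDE groups)} after one sync.

    sde_users:      {username: (active, set of SDE group names)} before sync
    ldap_groups:    {LDAP group name: set of usernames} as returned by LDAP
    group_mappings: {LDAP group name: mapped SDE group name}
    Hypothetical model of the documented toggles, not SD Elements code.
    """
    mapped = set(group_mappings.values())
    # Membership of every mapped SDE group is rebuilt from its LDAP group:
    # only users found in the LDAP group can belong to the mapped SDE group,
    # so stale memberships in mapped groups are dropped first.
    state = {u: [active, groups - mapped] for u, (active, groups) in sde_users.items()}
    found = set()
    for ldap_group, sde_group in group_mappings.items():
        for user in ldap_groups.get(ldap_group, ()):
            found.add(user)
            # Assumption: a user found in LDAP is synced as an active SDE user.
            state.setdefault(user, [True, set()])[0] = True
            state[user][1].add(sde_group)
    for user, entry in state.items():
        if deactivate_unassigned and not entry[1]:
            entry[0] = False  # left without any SDE group after the sync
        if deactivate_not_in_ldap and user not in found:
            entry[0] = False  # not seen in any synced LDAP group
    return {u: (active, frozenset(groups)) for u, (active, groups) in state.items()}


# Constructed sample data, not from the docs: "bob" holds a stale Developers
# membership, "carol" is only in a local (unmapped) SDE group, "dave" has no
# group at all, and "erin" exists in LDAP but not yet in SD Elements.
SAMPLE_SDE_USERS = {
    "alice": (True, {"Developers"}),
    "bob": (True, {"Developers"}),
    "carol": (True, {"Auditors"}),
    "dave": (True, set()),
}
SAMPLE_LDAP_GROUPS = {"ldap-dev": {"alice", "erin"}}
SAMPLE_MAPPINGS = {"ldap-dev": "Developers"}


def active_after_sync(deactivate_unassigned, deactivate_not_in_ldap):
    """Sorted names still active after syncing the sample data with the toggles."""
    result = sync_users(SAMPLE_SDE_USERS, SAMPLE_LDAP_GROUPS, SAMPLE_MAPPINGS,
                        deactivate_unassigned, deactivate_not_in_ldap)
    return sorted(u for u, (active, _) in result.items() if active)
```

Running `active_after_sync` with each of the four toggle pairs reproduces the table: only "alice" and "erin" survive when either toggle is on for users not found in LDAP, "carol" keeps her local group and stays active with ON/OFF, and with OFF/OFF nobody is deactivated even though "bob" loses his stale mapped membership.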
Add an LDAP connection
Follow the steps below to configure a new LDAP Sync connection.
Prerequisite:
- The user has the system Super User permission.
Steps:
- Log in with a user having super user permission.
- Click the gear icon in the top right corner of the SD Elements interface, and select Authentication.
- Select the LDAP Synchronization tab.
- Click the plus button in the top right corner of the screen to create a new connection.
- Fill in the required fields described above.
- Click Save.
A new LDAP connection is added to the system. It will start automatically at the next timeslot if Sync Frequency is not set to Manually.
Initiate a manual sync
Start an ad hoc LDAP synchronization by following the steps below:
Prerequisite:
- The user has the system Super User permission.
Steps:
- Log in with a user having super user permission.
- Click the gear icon in the top right corner of the SD Elements interface, and select LDAP Integration.
- Find the desired connection in the list and hover the mouse over the right-hand side of the row.
- Click the icon.
A new synchronization job is initiated. The job may take a few minutes or more to complete depending on the number of users and groups in scope.
FAQ
- How does this relate to Single Sign-On (SSO)?
  - SSO handles user authentication; this feature provisions user accounts and manages their group membership.
  - Users provisioned by LDAP Sync on a server with SSO enabled will not be sent a password reset email.
- Can I sync using multiple connections?
  - You can sync against multiple LDAP servers.
  - Since this is a user integration system, syncing multiple connections at the same time may cause unexpected results or problems.
- How can I add group mappings between LDAP groups and SDE groups?
  - Add LDAP Group Mappings:
    - Select the gear icon menu.
    - Select Authentication.
    - Select the LDAP Synchronization tab.
    - From the Group Mappings column, click on + Add Group Mappings.
    - Click on the plus button on the right to add a new group mapping.
Troubleshooting
- Sync failures
  - Clicking the red exclamation button displays the error of the last synchronization attempt. To view older failures, click the connection name to be taken to the sync history page.
- TLS/SSL issues
  - If you connect over TLS/SSL, ensure that the LDAP server or CA signing certificate is installed on the SD Elements instance.
  - Alternatively, disable the "Validate the SSL certificate of the LDAP server" option. This option is not recommended for production contexts.
- Timeout
  - The sync will error and stop if it does not complete within 2 hours. If you experience this issue, please reach out to support for advice on how to resolve it.