Import groups from LDAP
Importing user groups from LDAP is a two-step process. In the first step, you supply the details Securden needs to connect to and scan the directory.
Step 1: LDAP Settings
You can integrate Securden with any LDAP-compliant directory service and import user groups. In the GUI that opens, enter the following details to proceed with the integration.
Domain Identifier: Enter the name with which the LDAP domain can be identified.
Domain Base DN: When you import user groups from an LDAP directory, Securden fetches attribute values from the directory. Enter the base (root) from which the directory lookup should start. This is the top level of the LDAP directory tree, entered in the same format as it appears in your LDAP directory. Typically, the Base Distinguished Name (DN) is entered as a sequence of names separated by commas.
Example
DC=MyDomain,DC=com
Account DN: To authenticate the connection, Securden needs access to a password-protected LDAP account that has read access. Enter the Account DN here. You may enter the account name and password in the last step.
Example
CN=Bob.Smith,CN=Users,DC=MyDomain,DC=com
Domain IP Address: Specify the FQDN or IP address of the LDAP domain to be scanned. You can enter any number of secondary IP addresses in comma-separated form. This helps Securden establish a connection if the primary IP address is not working.
Connection Mode: Specify the mode (SSL/non-SSL) through which Securden has to establish a connection with the LDAP domain.
If SSL mode is selected, the domain controller should be serving over SSL on port 636 and the certificate of the domain controller should have been signed by a CA. If the certificate of the domain controller is not signed by a certified CA, you need to import all the certificates that are present in the respective root certificate chain, that is, the certificate of the domain controller and all the intermediate certificates, if any.
Supply Administrator Credentials: You need to supply administrator credentials to enable Securden to scan the members in the domain. You may enter the username and password manually once, and they will be stored in Securden for use during subsequent import attempts. If the users belong to a different network than the Securden server, you can route the connection through a remote gateway. Select the appropriate remote gateway from the drop-down, and the discovery will happen through the selected gateway.
Step 2: Discover and Import from LDAP
In this step, Securden establishes a connection with the LDAP domain specified and imports user groups.
This GUI offers the flexibility to fetch only the required user groups from the LDAP domain.
- Typically, the search happens by combining the Base DN, which is the base of the search tree for all users, the specific level under the Base DN (the LDAP Scope), and the Search Filter, which narrows the results to only the required users/user groups.
- In the search filter, you can specify an Object Class, which defines the types of results that Securden will fetch. If the Base DN contains a mix of object types like people, groups, assets, and so on, you may specify only the required set of objects here. You may use (objectClass=*) to include all objects.
- If you want to add only specific user groups from your LDAP directory, perform a search using the appropriate search filter. For example, if you want to import only the groups from the OU Sysadmin and O Securden, the Base DN has to be ou=Sysadmin,o=securden,c=com and the search filter has to be written within brackets as: (objectClass=user).
- If you want to restrict your search to a specific level under the Base DN, you may select the required scope from the drop-down.
- Click Search. Verify your discovery details under Verify the Objects Selected for Discovery. If there are multiple entities available for the search term, you need to select the required entities from the list and click Add.

If you want to assign a common role to all the users being imported, select the role in Securden and finally click Import.
Advanced Settings:
This option allows you to either include the domain users of all subgroups in the group being imported, or ignore the subgroups and import only the users of the first-level group.
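
How the Base DN, LDAP scope and search filter described in Step 2 combine to select entries, shown as an added example that is not Securden's code. The directory contents are constructed, the scope names are the standard LDAP ones and may not match the labels in the Securden drop-down, and only single objectClass filters are modelled.

```python
# Constructed sample directory (DN -> objectClass values); not from a real server.
DIRECTORY = {
    "o=securden,c=com": {"organization"},
    "ou=Sysadmin,o=securden,c=com": {"organizationalUnit"},
    "cn=Linux Admins,ou=Sysadmin,o=securden,c=com": {"group"},
    "cn=bob,ou=Sysadmin,o=securden,c=com": {"user"},
    "ou=Tier2,ou=Sysadmin,o=securden,c=com": {"organizationalUnit"},
    "cn=DB Admins,ou=Tier2,ou=Sysadmin,o=securden,c=com": {"group"},
    "cn=HR Staff,ou=HR,o=securden,c=com": {"group"},
}

# Standard LDAP scopes, expressed as "levels below the Base DN" predicates.
SCOPES = {
    "base": lambda depth: depth == 0,      # the Base DN entry only
    "onelevel": lambda depth: depth == 1,  # immediate children only
    "subtree": lambda depth: True,         # Base DN and everything under it
}

def rdns(dn):
    """Split a DN into case-folded RDNs (assumes no escaped commas in values)."""
    return [part.strip().lower() for part in dn.split(",")]

def depth_below(base_dn, entry_dn):
    """Levels between entry_dn and base_dn, or None if the entry is outside it."""
    base, entry = rdns(base_dn), rdns(entry_dn)
    extra = len(entry) - len(base)
    if extra < 0 or entry[extra:] != base:
        return None
    return extra

def matches(search_filter, object_classes):
    """Evaluate one bracketed (objectClass=value) filter; '*' matches any entry."""
    text = search_filter.strip()
    if not (text.startswith("(") and text.endswith(")")):
        raise ValueError("search filter must be written within brackets")
    attr, _, value = text[1:-1].partition("=")
    if attr.strip().lower() != "objectclass":
        raise ValueError("only objectClass filters are modelled here")
    return value == "*" or value.lower() in {c.lower() for c in object_classes}

def search(base_dn, scope, search_filter, directory=DIRECTORY):
    """Return the sorted DNs selected by Base DN + scope + search filter."""
    in_scope = SCOPES[scope]
    hits = []
    for dn, classes in directory.items():
        depth = depth_below(base_dn, dn)
        if depth is not None and in_scope(depth) and matches(search_filter, classes):
            hits.append(dn)
    return sorted(hits)
```

Comparing the "onelevel" and "subtree" results for the same Base DN shows which nested groups a narrower scope leaves out of the import.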