LDAP (Active Directory)

Genian NAC can use LDAP directories as a source of user and organization information. Through LDAP synchronization, user accounts can be created locally for management or policy use. LDAP synchronization is commonly used with Microsoft AD (Active Directory) systems.

The following describes how to synchronize user and organization information based on AD.

Connecting and Testing

To perform a connection test, the following connection values must be entered:

Item    Setting Value             Description
LDAP    DB Server                 Enter the LDAP server IP.
        DB PORT                   Enter the LDAP server connection port.
                                  SSL OFF : 389
                                  SSL ON : 636
        SSL Connection            Set whether to use SSL connection.
        DB USER                   Enter the Bind DN.
        DB PASSWORD               Enter the Bind Password.
        Data Source Identifier    Set when using multiple synchronization servers.

Note

If the connection test does not succeed, please first confirm normal communication between the Policy Server and the Synchronization Server.

Configuring Synchronization

  1. Go to Settings in the top menu.
  2. In the left settings menu, go to User Authentication > Information Synchronization.
  3. Click Select Action > Create.

Basic Settings options

  1. ID : Enter a unique name.
  2. Synchronization Execution Cycle : Select a specified time or periodic interval for synchronization.
  3. Policy Application Status : Select Apply to reflect changes after synchronization. If there are multiple synchronization settings, you can set this to Do not apply and let only the last synchronization apply the changes.

Database options

  1. DB Type : LDAP
  2. DB SERVER : Enter the IP address or FQDN of the Active Directory server.
  3. DB PORT : Enter the LDAP service port number for AD. The default LDAP port is 389. If using LDAPS (LDAP over SSL), the default port is 636.
  4. SSL Connection : Select On if using LDAPS. Without SSL, the Bind DN password and the synchronized attributes are transmitted in cleartext on port 389.
  5. DB USER : Enter the Bind DN for Active Directory. Generally, you can use the account's user principal name, which has an email-like format such as administrator@company.com.
  6. DB PASSWORD : Enter the Bind DN user password.

User Information options

  1. User Table Name : Enter the base distinguished name (DN) under which user objects are searched. Usually, it is CN=Users,DC=company,DC=com.
  2. User Condition Statement : To filter user objects, enter (&(objectClass=user)(objectCategory=person)).
  3. User ID Column Name : Enter sAMAccountName.
  4. User Name Column Name : Enter displayName.
  5. Department ID Column Name : Enter $distinguishedName, IF(LOCATE('OU=',$)>0,SUBSTRING($,LOCATE(',',$)+1),'').
  6. Other additional information can use LDAP attribute names for each column name.

Department Information options

  1. Table Name : Enter the base distinguished name (DN) under which OU (Organizational Unit) objects are searched. Generally, it is DC=company,DC=com.
  2. Department Condition Statement : To filter OU objects, enter objectClass=organizationalUnit.
  3. Output Sort Order : To sort by department name, enter @NAMEPATH.
  4. Department ID Column Name : Enter distinguishedName.
  5. Department Name Column Name : Enter name.
  6. Parent Department Column Name : Enter $distinguishedName, SUBSTRING($,LOCATE(',',$)+1).
  7. Click the Create button.
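As an added example (not from the Genian NAC documentation), the following Python emulates the Department ID expression from the User Information options and the Parent Department expression from the Department Information options, so the derived values can be checked against constructed DNs before a synchronization runs. The escape-aware variant is an assumption about how a DN whose CN contains an escaped comma should be handled, not a Genian feature.

```python
# Added example, not part of the Genian NAC documentation: emulates the Department ID
# and Parent Department column expressions from the page. LOCATE and SUBSTRING are
# modelled on the 1-based SQL functions the expressions use; all DNs are constructed.

def locate(needle: str, haystack: str) -> int:
    """SQL-style LOCATE: 1-based position of needle, 0 if absent."""
    return haystack.find(needle) + 1

def substring(s: str, start: int) -> str:
    """SQL-style SUBSTRING(s, start) with a 1-based start."""
    return s[start - 1:]

def user_department_id(dn: str) -> str:
    """IF(LOCATE('OU=',$)>0,SUBSTRING($,LOCATE(',',$)+1),'') applied to a user DN."""
    if locate("OU=", dn) > 0:
        return substring(dn, locate(",", dn) + 1)
    return ""          # users under CN=Users get no department

def parent_department(dn: str) -> str:
    """SUBSTRING($,LOCATE(',',$)+1) applied to an OU DN."""
    return substring(dn, locate(",", dn) + 1)

def split_first_rdn(dn: str) -> tuple[str, str]:
    """Split off the first RDN, honouring RFC 4514 backslash escapes."""
    i = 0
    while i < len(dn):
        if dn[i] == "\\":        # escaped character: skip it and the next one
            i += 2
            continue
        if dn[i] == ",":
            return dn[:i], dn[i + 1:]
        i += 1
    return dn, ""

def user_department_id_safe(dn: str) -> str:
    """Same mapping, but an escaped comma inside the CN cannot truncate the DN."""
    if locate("OU=", dn) == 0:
        return ""
    return split_first_rdn(dn)[1]

if __name__ == "__main__":
    samples = [
        "CN=Jane Doe,OU=Sales,OU=Seoul,DC=company,DC=com",
        "CN=Jane Doe,CN=Users,DC=company,DC=com",
        "CN=Doe\\, Jane,OU=Sales,DC=company,DC=com",   # escaped comma in the CN
    ]
    for dn in samples:
        print(f"{dn!r}\n  page expression : {user_department_id(dn)!r}"
              f"\n  escape-aware    : {user_department_id_safe(dn)!r}")
```

The third sample shows why the first-comma rule matters: the page's expression maps a CN containing an escaped comma to a truncated, nonexistent department DN.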

Attention

Active Directory does not expose the userPassword attribute over LDAP, so user passwords cannot be synchronized. Therefore, authentication against AD must be configured as a separate integration. Refer to LDAP (Active Directory) Server Integration.