LDAP (Active Directory)
Genian NAC can use LDAP directories as a source of user and organization information. Through LDAP synchronization, user accounts can be created locally for management or policy use. LDAP synchronization is commonly used with Microsoft AD (Active Directory) systems.
The following describes how to synchronize user and organization information based on AD.
Connecting and Testing
To perform a connection test, the following default values must be entered:
Item | Setting Value | Description
---|---|---
LDAP | DB Server | Enter the LDAP server IP.
LDAP | DB PORT | Enter the LDAP server connection port (SSL OFF: 389, SSL ON: 636).
LDAP | SSL Connection | Set whether to use an SSL connection.
LDAP | DB USER | Enter the Bind DN.
LDAP | DB PASSWORD | Enter the Bind Password.
LDAP | Data Source Identifier | Set when using multiple synchronization servers.
Note
If the connection test does not succeed, please first confirm normal communication between the Policy Server and the Synchronization Server.
Configuring Synchronization
- Go to Settings in the top menu.
- In the left settings menu, go to User Authentication > Information Synchronization.
- Click Select Action > Create.
Basic Settings options
- ID : Enter a unique name.
- Synchronization Execution Cycle : Select a specified time or periodic interval for synchronization.
- Policy Application Status : Select Apply to reflect changes after synchronization. If there are multiple synchronization settings, you can set this to Do not apply and use only the last synchronization.
Database options
- DB Type : LDAP
- DB SERVER : Enter the IP address or FQDN of the Active Directory server.
- DB PORT : Enter the LDAP service port number for AD. The default LDAP port is 389. If using LDAPS (LDAP over SSL), the default port is 636.
- SSL Connection : Select On if using LDAPS.
- DB USER : Enter the Bind DN for Active Directory. Generally, you can use an email format such as `administrator@company.com`.
- DB PASSWORD : Enter the Bind DN user password.
User Information options
- User Table Name : Enter the base distinguished name (DN) under which user objects are searched. Usually, it is `CN=Users,DC=company,DC=com`.
- User Condition Statement : To filter user objects, enter `(&(objectClass=user)(objectCategory=person))`.
- User ID Column Name : Enter `sAMAccountName`.
- User Name Column Name : Enter `displayName`.
- Department ID Column Name : Enter `$distinguishedName, IF(LOCATE('OU=',$)>0,SUBSTRING($,LOCATE(',',$)+1),'')`.
- Other additional information : An LDAP attribute name can be used as the column name for each additional field.
Department Information options
- Table Name : Enter the base distinguished name (DN) under which OU (Organizational Unit) objects are searched. Generally, it is `DC=company,DC=com`.
- Department Condition Statement : To filter OU objects, enter `objectClass=organizationalUnit`.
- Output Sort Order : To sort by department name, enter `@NAMEPATH`.
- Department ID Column Name : Enter `distinguishedName`.
- Department Name Column Name : Enter `name`.
- Parent Department Column Name : Enter `$distinguishedName, SUBSTRING($,LOCATE(',',$)+1)`.
- Click the Create button.
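As an added worked example, not part of the Genian NAC guide or product: the Python below mirrors the two DN expressions entered above (Department ID for user objects, Parent Department for OU objects), assuming `LOCATE` and `SUBSTRING` follow SQL-style 1-based semantics. It goes one step beyond the page by showing how a DN containing an RFC 4514-escaped comma (`\,`) is cut at the wrong place by the comma-based expression, and an escape-aware variant; all sample DNs are constructed.

```python
import re

# Sample DNs constructed for this example (not from a real directory).
USER_IN_OU = "CN=Alice,OU=Sales,DC=company,DC=com"
USER_IN_CN_USERS = "CN=Bob,CN=Users,DC=company,DC=com"
USER_ESCAPED_COMMA = "CN=Doe\\, John,OU=Sales,DC=company,DC=com"
NESTED_OU = "OU=EMEA,OU=Sales,DC=company,DC=com"


def locate(needle: str, hay: str) -> int:
    """SQL-style LOCATE: 1-based position of the first match, 0 if absent."""
    i = hay.find(needle)
    return i + 1 if i >= 0 else 0


def substring(s: str, start: int) -> str:
    """SQL-style SUBSTRING(s, start) with a 1-based start position."""
    return s[start - 1:]


def department_id(user_dn: str) -> str:
    """Department ID expression from the guide, applied to a user's
    distinguishedName: IF(LOCATE('OU=',$)>0, SUBSTRING($, LOCATE(',',$)+1), '').
    Users outside any OU (e.g. under CN=Users) get an empty department."""
    if locate("OU=", user_dn) > 0:
        return substring(user_dn, locate(",", user_dn) + 1)
    return ""


def parent_department(ou_dn: str) -> str:
    """Parent Department expression from the guide, applied to an OU's
    distinguishedName: SUBSTRING($, LOCATE(',',$)+1).
    A top-level OU's parent is the domain DN itself."""
    return substring(ou_dn, locate(",", ou_dn) + 1)


# RFC 4514 lets a comma inside an RDN value be escaped as "\,". The
# LOCATE-based expression cuts at the first comma regardless, so such a
# user DN maps to a wrong department. This variant (an assumption of this
# example, not a Genian NAC feature) splits only on unescaped commas.
_UNESCAPED_COMMA = re.compile(r"(?<!\\),")


def department_id_escape_aware(user_dn: str) -> str:
    rdns = _UNESCAPED_COMMA.split(user_dn)
    container = rdns[1:]
    if any(rdn.startswith("OU=") for rdn in container):
        return ",".join(container)
    return ""
```

Comparing `department_id` with `department_id_escape_aware` over an export of your user DNs is a quick way to find accounts whose department would be mis-assigned by the comma-based expression.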
Attention
Active Directory does not provide the userPassword attribute, so user passwords cannot be synchronized. Therefore, a separate integration must be configured. Refer to LDAP (Active Directory) Server Integration.