LDAP (Active Directory)
Genian NAC can use LDAP directories as a source of user and organization information. Through LDAP synchronization, user accounts can be created locally for management or policy use. LDAP synchronization is commonly used with Microsoft AD (Active Directory) systems.
The following describes how to synchronize user and organization information based on AD.
Connecting and Testing
To perform a connection test, the following default values must be entered:
| Item | Setting Value | Description |
|---|---|---|
| LDAP | DB Server | Enter the LDAP server IP. |
| | DB PORT | Enter the LDAP server connection port. SSL OFF: 389, SSL ON: 636 |
| | SSL Connection | Set whether to use SSL connection. |
| | DB USER | Enter the Bind DN. |
| | DB PASSWORD | Enter the Bind Password. |
| | Data Source Identifier | Set when using multiple synchronization servers. |
Note
If the connection test does not succeed, please first confirm normal communication between the Policy Server and the Synchronization Server.
Configuring Synchronization
- Go to Preferences in the top menu.
- In the left settings menu, go to User Authentication > Data Synchronization.
- Click Select Tasks > Create.
General options
- ID : Enter a unique name.
- Update Interval : Select a specified time or periodic interval for synchronization.
- Policy Apply : Select Enabled to apply changes after synchronization. If there are several synchronization settings, you can set it to Disabled and enable only the last one.
- Environment : Input is not required for basic synchronization tasks. However, it is used when defining variable values to be commonly referenced within a separate custom shell script executed for integration with external systems.
Warning
Configuration Caution: Incorrect environment variable declarations can lead to malfunctions in the integration script or system errors. Before configuration, please ensure that the variables are correctly processed within the script.
Usage Scenario (Log Level Control): Used when you want to control simple operation options such as Log Level or Retry Count during external script execution, for example:
export LOG_LEVEL='ERROR'
Query : Enter the SQL query to be executed immediately after information synchronization is complete. This is used when secondary processing is required based on specific conditions using the synchronized information.
Warning
Risk of Data Loss: This feature directly affects the database. In particular, the use of UPDATE or DELETE statements may result in irreversible data loss.
Usage Scenario (Account Lock Processing based on Employment Status): Used when you want to automatically disable the NAC account of resigned (or on-leave) employees according to the 'Employment Status' code after information synchronization.
Prerequisites
1. Create a field to manage employment status (e.g., USER_CUSTOM08) in [Settings] > [Property Management] > [Custom Fields] > [User Custom Fields].
2. Assign the user custom field created in step 1 to [Additional Info] under [User Information] in [Information Synchronization].
Writing Example: If the value of USER_CUSTOM08 is '001' (Resigned/On-leave, etc.), update USER_STATUS to '0' (Disabled).
UPDATE USER SET USER_STATUS = 0 WHERE USER_CUSTOM08 = '001';
Database options
- DB Type : LDAP
- DB SERVER : Enter the IP address or FQDN of the Active Directory server.
- DB PORT : Enter the LDAP service port number for AD. The default LDAP port is 389. If using LDAPS (LDAP over SSL), the default port is 636.
- SSL Connection : Select On if using LDAPS.
- DB USER : Enter the Bind DN for Active Directory. Generally, you can use an email format such as administrator@company.com.
- DB PASSWORD : Enter the Bind DN user password.
User Information options
- User Table Name : Enter the user's default distinguished name (DN). Usually, it is CN=Users,DC=company,DC=com.
- User Condition Statement : To filter user objects, enter (&(objectClass=user)(objectCategory=person)).
- User ID Column Name : Enter sAMAccountName.
- User Name Column Name : Enter displayName.
- Department ID Column Name : Enter $distinguishedName, IF(LOCATE('OU=',$)>0,SUBSTRING($,LOCATE(',',$)+1),'')
- Other additional information can use LDAP attribute names for each column name.
Department Information options
- Table Name : Enter the default distinguished name (DN) of the OU (Organizational Unit). Generally, it is DC=company,DC=com.
- Department Condition Statement : To filter OU objects, enter objectClass=organizationalUnit.
- Output Sort Order : To sort by department name, enter @NAMEPATH.
- Department ID Column Name : Enter distinguishedName.
- Department Name Column Name : Enter name.
- Parent Department Column Name : Enter $distinguishedName, SUBSTRING($,LOCATE(',',$)+1)
- Click the Create button.
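The Department ID Column Name expression in the user options and the Parent Department Column Name expression in the department options both derive a value by cutting a DN at its first comma. The following is an added example, not Genian NAC code: it mirrors the two expressions in Python with SQL-style 1-based LOCATE/SUBSTRING semantics, runs them over constructed sample DNs, and shows the one case where cutting at the first comma misbehaves, an RDN containing an escaped comma such as CN=Doe\, John. The function names, the RDN-aware variant and the sample DNs are ours.

```python
import re

# Added example (not Genian NAC code): Python mirror of the column expressions
# this page uses for Department ID and Parent Department. Function names and
# sample DNs are ours; LOCATE/SUBSTRING follow SQL semantics (1-based
# positions, LOCATE returns 0 when the needle is absent).


def locate(needle: str, haystack: str) -> int:
    """SQL-style LOCATE: 1-based index of needle, 0 if not found."""
    return haystack.find(needle) + 1


def substring(s: str, pos: int) -> str:
    """SQL-style SUBSTRING(s, pos) with a 1-based start position."""
    return s[pos - 1:]


def department_id(user_dn: str) -> str:
    """Mirror of the user-side expression:
    $distinguishedName, IF(LOCATE('OU=',$)>0, SUBSTRING($,LOCATE(',',$)+1), '')

    Strips the user's own RDN when the DN contains an OU; a user that lives
    directly under a container such as CN=Users gets no department ('').
    """
    if locate("OU=", user_dn) > 0:
        return substring(user_dn, locate(",", user_dn) + 1)
    return ""


def parent_department(ou_dn: str) -> str:
    """Mirror of the department-side expression:
    $distinguishedName, SUBSTRING($,LOCATE(',',$)+1)

    The parent of an OU is its DN with the leading OU RDN removed.
    """
    return substring(ou_dn, locate(",", ou_dn) + 1)


# RDN-aware variant (ours): split only on commas that are not escaped with a
# backslash (RFC 4514 escaping), so "CN=Doe\, John" stays one RDN. A literal
# escaped backslash followed by a comma ("\\,") is not handled here.
_UNESCAPED_COMMA = re.compile(r"(?<!\\),")


def split_rdns(dn: str) -> list:
    """Split a DN into its RDNs without breaking on escaped commas."""
    return _UNESCAPED_COMMA.split(dn)


def department_id_rdn_aware(user_dn: str) -> str:
    """Same intent as department_id(), but drops exactly the first RDN."""
    parent = split_rdns(user_dn)[1:]
    if any(rdn.upper().startswith("OU=") for rdn in parent):
        return ",".join(parent)
    return ""


# Constructed sample DNs (not taken from a real directory).
SAMPLE_USER_DNS = [
    "CN=Jane Doe,OU=Sales,OU=Seoul,DC=company,DC=com",
    "CN=Administrator,CN=Users,DC=company,DC=com",
    r"CN=Doe\, John,OU=Sales,DC=company,DC=com",
]
SAMPLE_OU_DN = "OU=Sales,OU=Seoul,DC=company,DC=com"


if __name__ == "__main__":
    for dn in SAMPLE_USER_DNS:
        print(dn)
        print("  page expression:", repr(department_id(dn)))
        print("  RDN-aware      :", repr(department_id_rdn_aware(dn)))
    print("parent of", SAMPLE_OU_DN, "->", repr(parent_department(SAMPLE_OU_DN)))
```

Running the block shows that the first DN maps to OU=Sales,OU=Seoul,DC=company,DC=com, which is exactly the distinguishedName the department table exports for that OU, so the user attaches to the right department; the administrator account under CN=Users gets an empty department; and the escaped-comma DN yields " John,OU=Sales,..." under the page's expression, a value that matches no department, while the RDN-aware split returns the correct OU. Applying parent_department to a top-level OU returns DC=company,DC=com, the same value as the department Table Name, so top-level OUs attach to the root.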
Attention
Active Directory does not provide the userPassword attribute, so user passwords cannot be synchronized. Therefore, a separate integration must be configured. Refer to LDAP (Active Directory) Server Integration.