3.1.6.6. LDAP/AD Filters

In this section, we can define LDAP/AD Filters to manage users that are stored in different Active Directories.

../../../_images/ldap_overview.png


  • Add new: To add a new filter. It is required to assign an LDAP Filter name and the LDAP/AD query. Different attributes and conditions can be used: memberOf checks whether a user belongs to a specific group. In the example shown, the group checked is Corporate_User, which belongs to an organizational unit that is part of the domain named mycompany.local.

  • Edit: To edit an existing filter.

  • Clone: It is possible to clone a filter configuration.

  • Delete: To delete a selected filter.

  • Check & enable LDAP Query: To enable a filter. This function verifies the connection with the Active Directory, and if there is no problem, it enables the LDAP filter from the list. If the connection cannot be established, an error message will appear, and the filter will remain disabled.

  • Disable LDAP Query: To disable a filter.

  • Refresh: To refresh the page.

  • Export data: This button exports the entire database if no asset is selected, or only the selected asset's information if one was previously selected.

  • Import data: Import data from a JSON or XML file.

3.1.6.6.1. Applying LDAP Filters and UDS

Once we have created the UDS and the LDAP filter, we can use both configurations when defining security policies as preconditions in the user’s section. For more information read Policy Preconditions.

If we only want to authenticate against the Active Directory, it is enough to add the User Data Source.

If we also want to use an attribute (for example, group membership) as a condition, we have to assign an LDAP filter to be used.

../../../_images/ldap_policyfilter.png


3.1.6.6.2. How to get the AD Query

To define an LDAP Filter, you need to know the canonical name of the group you want to use for authorization.

You can get this attribute from the Active Directory as follows:

We have created an Organizational Unit called Corporate_Users.

../../../_images/corporate.png


Inside this Organizational Unit there is a Security Group called Corporate_User. To edit it, right-click on it and select Properties.

../../../_images/corporate_user.png


The Attribute Editor window will be displayed. Open the distinguishedName attribute, then copy and save its value; this value is what you use to define the LDAP filter.

../../../_images/corporate_filter.png
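The following is an added example, not part of the original documentation or the product it describes. It builds the memberOf query from the Corporate_User group's distinguishedName as described in this section and the "Add new" item above, applies the RFC 4515 escaping that keeps a group or user name from altering the meaning of the filter, and evaluates the same condition on constructed sample entries. The optional userAccountControl clause (bitwise-AND matching rule, bit 2 = ACCOUNTDISABLE) is an addition not mentioned on this page; the group, OU and domain names are the ones used on this page, and the sample users are invented.

```python
# RFC 4515: characters that must be escaped inside a filter value so that
# they are matched literally instead of changing the filter's structure.
ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)

def group_dn(group_cn: str, ou: str, domain: str) -> str:
    """Rebuild a group's distinguishedName: CN=<cn>,OU=<ou>,DC=...,DC=..."""
    dcs = ",".join(f"DC={part}" for part in domain.split("."))
    return f"CN={group_cn},OU={ou},{dcs}"

def member_of_filter(dn: str, enabled_only: bool = True) -> str:
    """AD query matching user objects that are direct members of the group DN.
    enabled_only adds a bitwise-AND match (OID 1.2.840.113556.1.4.803) on
    userAccountControl bit 2 (ACCOUNTDISABLE) so disabled accounts never match."""
    parts = ["(objectClass=user)", f"(memberOf={escape_filter_value(dn)})"]
    if enabled_only:
        parts.append("(!(userAccountControl:1.2.840.113556.1.4.803:=2))")
    return "(&" + "".join(parts) + ")"

def user_matches(entry: dict, dn: str, enabled_only: bool = True) -> bool:
    """Evaluate the same condition on a fetched entry, as the domain controller
    does server-side. DNs are compared case-insensitively."""
    members = {m.lower() for m in entry.get("memberOf", [])}
    if dn.lower() not in members:
        return False
    return not (enabled_only and int(entry.get("userAccountControl", 0)) & 2)

# Constructed sample entries (not real directory data).
CORP_DN = "CN=Corporate_User,OU=Corporate_Users,DC=mycompany,DC=local"
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "userAccountControl": 512, "memberOf": [CORP_DN]},
    {"sAMAccountName": "bob", "userAccountControl": 514,    # 512 | 2: disabled
     "memberOf": [CORP_DN]},
    {"sAMAccountName": "carol", "userAccountControl": 512, "memberOf": []},
]

if __name__ == "__main__":
    dn = group_dn("Corporate_User", "Corporate_Users", "mycompany.local")
    print(member_of_filter(dn))
    print([u["sAMAccountName"] for u in SAMPLE_USERS if user_matches(u, dn)])
    # A name containing filter metacharacters is neutralised by escaping:
    print(member_of_filter(group_dn("Corp*)(cn=", "OU1", "mycompany.local")))
```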