3.2.2.1.3. LDAP/AD Filters

In this section, we can define LDAP/AD Filters to manage users that are stored in different Active Directories.

../../../../_images/ldapap.png


3.2.2.1.3.1. Toolbar

The toolbar helps you quickly create new filters, search filters, import and export data. Let’s explore it from left to right ->.

../../../../_images/toolbar1.png


  • Create new: Clicking on this button will display a configuration window to create a new filter.

  • Search: Search filter field.

  • Export data: Export the entire database if no asset is selected, or the asset information if we previously select it.

  • Import data: Import data from a JSON or XML file.

3.2.2.1.3.2. Creating a new LDAP/AD filter

To create a new LDAP/AD filter, click on Create new. It will display the following window:

../../../../_images/new_filter.png


It is required to assign an LDAP Filter name and the LDAP/AD query. We can use different attributes and conditions: memberOf checks if a user belongs to a specific group; the group checked is Corporate_User that belongs to an organizational unit and this is part of the domain named mycompany.local.

Click on Confirm and you will see the new filter displayed in the table.

../../../../_images/edit_filter.png


From the three-dot icon located at the end of each filter row, you can edit, enable, clone or delete a filter.

../../../../_images/action_delete.png


By selecting the filter checkbox, the action row will be displayed at the bottom of the window. It allows you to delete the selected filter.

3.2.2.1.3.2.1. How to get an AD Query

To define an LDAP Filter, you need to know the canonical name of the group you want to use for authorization.

You can to get this attribute from the Active Directory:

We have created an Organizational Unit called Corporate_Users.

../../../../_images/corporate.png


Inside this Organizational Unit there is a Security Group called Corporate_User. To Edit it, right-click on it and select properties.

../../../../_images/corporate_user.png


The attribute editor window will be displayed. Edit the attribute distinguedName and copy and save the this attribute to be used to define an LDAP filter.

../../../../_images/corporate_filter.png


3.2.2.1.3.3. Applying LDAP Filters and UDS

review if I can drop this topic and add it to the UDS section instead

Once we have created the UDS and the LDAP filter, we can use both configurations when defining security policies as preconditions in the user’s section. For more information read Policy Preconditions.

In case we want just to authenticate from the Active Directory, it is only necessary to add the User Data Source.

Otherwise, if we want to use an attribute, we have to assign an LDAP filter to be used.