HomeDocumentationAPI Reference
Log In
These docs are for v17. Click to read the latest docs for v33.

Importing Users from AD/LDAP

Suggest Edits

This article describes configuration topics for AD and LDAP directories. For instructions about setting up other user-directory types, see the integration articles under User Directories.

Adding AD/LDAP Directories

Users from AD/LDAP directories can log into PrivX, and furthermore to target hosts (as permitted by their roles). To add an AD/LDAP directory:

  1. On the ​Administration→Directories​ page, click ​Add Directory​​.

  2. Set the directory ​Type​ to ​Active Directory​ or ​LDAP​​. Provide any required directory settings, such as connection and bind parameters.

    📘

    Note

    By default, PrivX allows directory users to log in with ​userPrincipalName​ (typically given in ​username@domain​​ format) as username.

    You may set ​User DN pattern​ to use another field as the user name. For example, to allow directory users to log in using their ​uid​​ as username, change the setting to:

    ​​(uid=%s)​​

    After you have provided the necessary settings, click ​Save​​ to apply your changes.

  3. (Optional​​) Back on the ​Administration→Directories​ page, you may verify that PrivX is able to import users from the directory: the directory ​Status​ should be ​OK​​, and it should display the correct number of users.

    Any imported PrivX users can login to the PrivX GUI using their AD/LDAP credentials. To further allow such users to log into target hosts, add them to roles as described in Granting User Permissions.

Secure-Connection Setup

To allow TLS-based secure connections (STARTTLS or LDAPS) to directory servers, the following requirements must be met:

  • The directory-server certificate must specify its DNS and IP addresses in the ​Subject Alternative Name​​.

  • Obtain the CA chain of your directory server.

To enable secure connections to user directories:

  1. Ensure the directory-server certificate specifies the server DNS and/or IP addresses in the ​SubjectAltName​ field. You may do this with a test connection like the following (replace ​directory.example.com​ and ​636​​ with the address and the port of the directory service):

    $ echo "Q" | \
openssl s_client -connect ​directory.example.com​​:​636​​ | \
openssl x509 -noout -text

    Verify that the output contains the DNS and/or IP address(es) of the server, similar to the following:

    X509v3 Subject Alternative Name:
    DNS:​​directory.example.com​​, IP Address:​192.0.2.10​​

  2. On the ​Administration→Directories​ page, ​Edit​​ the directory for which you want to set up secure connections.

    Expand ​Advanced directory settings​​, then under ​Server authentication settings​​ configure the following:

    • Add the CA chain of your directory server to ​Trust Anchors​​.

    • Deselect ​Skip server certificate validation​​.

    Click ​Save​​ to apply your changes. Subsequent connections to the directory server are TLS-secured.

    After the changes you may verify the directory status back on the ​Settings→Directories​​ page.

Adjusting User Matching

PrivX applies a default pre-filter for matching user records. You may adjust the pre-filter to affect what records are imported.

To override the pre-filter for a user directory, specify your custom ​User filter​​ in the directory settings:

  1. On the ​Administration→Directories​ page, ​Edit​​ your user directory.

  2. Under the ​Active directory settings​ section, specify a ​User filter​​ for matching users on the user directory.

  3. Click ​Save​ to apply your changes. Your new ​User filter​​ overrides the default pre-filter.

You can also change the default pre-filter globally from ​Administration→Settings​:

  1. Select Role Store, then under the LDAP section look for the settings ​Default User Filter​ and ​LDAP Attributes Filter​. These settings respectively specify what objects are recognized as users, and what fields are fetched from matching records.
default_user_filter = \
"(|(objectClass=user)(objectClass=person)(objectClass=inetOrgPerson))"
attributes = "objectClass cn dn distinguishedName ... "

For default OpenLDAP setup you could specify, for example, the following line with ​inetOrgPerson​ and ​posixAccount​​:

​​default_user_filter = "(&(objectClass=inetOrgPerson)(objectClass=posixAccount))"​​

If you are using two directories with different schemas, you can combine them for example as follows:

​default_user_filter = "(|(&(objectClass=user)(objectClass=person))(&(objectClass=inetOrgPerson)(objectClass=posixAccount)))"​​

To allow rules in PrivX roles to match nested groups, you must enable ​Enable Nested Groups​ in ​​Rolestore's LDAP settings.

  1. Restart PrivX services to apply any changes.
# systemctl restart privx

Refreshing Directory Data

User-directory changes are updated to PrivX in the following ways:

  • By default, PrivX refreshes directory data every 15 minutes. To adjust the refresh interval of a directory, go to ​Administration→Directories​ and ​Edit​​ the target directory. Shortening the interval allows PrivX to detect user changes faster, while lenghtening the interval reduces system load.

  • To immediately refresh directory data, go to ​Administration→Directories​ and perform a ​Refresh​​ action on the target directory.

Updated about 3 years ago