Importing Users from AD/LDAP

This article describes configuration topics for AD and LDAP directories. For instructions about setting up other user-directory types, see the integration articles under User Directories.

Adding AD/LDAP Directories

Users from AD/LDAP directories can log into PrivX, and furthermore to target hosts (as permitted by their roles). To add an AD/LDAP directory:

  1. On the Administration→Directories page, click Add Directory.

  2. Set the directory Type to Active Directory or LDAP. Provide any required directory settings, such as connection and bind parameters.

By default, PrivX allows directory users to log in with userPrincipalName (typically given in username@domain format) as username.

You may set User DN pattern to use another field as the user name. For example, to allow directory users to log in using their uid as username, change the setting to:

(uid=%s)

After you have provided the necessary settings, click Save to apply your changes.

Users belonging to AD Protected Users group cannot login to PrivX

  1. (Optional) Back on the Administration→Directories page, you may verify that PrivX is able to import users from the directory: the directory Status should be OK, and it should display the correct number of users.

    Any imported PrivX users can login to the PrivX GUI using their AD/LDAP credentials. To further allow such users to log into target hosts, add them to roles as described in Granting User Permissions.

Secure-Connection Setup

To allow TLS-based secure connections (STARTTLS or LDAPS) to directory servers, the following requirements must be met:

  • The directory-server certificate must specify its DNS and IP addresses in the Subject Alternative Name.

  • Obtain the CA chain of your directory server.

To enable secure connections to user directories:

  1. Ensure the directory-server certificate specifies the server DNS and/or IP addresses in the SubjectAltName field. You may do this with a test connection like the following (replace directory.example.com and 636 with the address and the port of the directory service):

    $ echo "Q" | \
    openssl s_client -connect directory.example.com:636 | \
    openssl x509 -noout -text

    Verify that the output contains the DNS and/or IP address(es) of the server, similar to the following:

    X509v3 Subject Alternative Name:
        DNS:directory.example.com, IP Address:192.0.2.10
  2. On the Administration→Directories page, Edit the directory for which you want to set up secure connections.

    Expand Advanced directory settings, then under Server authentication settings configure the following:

    • Add the CA chain of your directory server to Trust Anchors.

    • Deselect Skip server certificate validation.

    Click Save to apply your changes. Subsequent connections to the directory server are TLS-secured.

    After the changes you may verify the directory status back on the Settings→Directories page.

Adjusting User Matching

PrivX applies a default pre-filter for matching user records. You may adjust the pre-filter to affect what records are imported.

To override the pre-filter for a user directory, specify your custom User filter in the directory settings:

  1. On the Administration→Directories page, Edit your user directory.

  2. Under the Active directory settings section, specify a User filter for matching users on the user directory.

  3. Click Save to apply your changes. Your new User filter overrides the default pre-filter.

You can also change the default pre-filter globally from Administration→Settings:

  1. Select Role Store, then under the LDAP section look for the settings Default User Filter and LDAP Attributes Filter. These settings respectively specify what objects are recognized as users, and what fields are fetched from matching records.
default_user_filter = \
"(|(objectClass=user)(objectClass=person)(objectClass=inetOrgPerson))"
attributes = "objectClass cn dn distinguishedName ... "

For default OpenLDAP setup you could specify, for example, the following line with inetOrgPerson and posixAccount:

default_user_filter = "(&(objectClass=inetOrgPerson)(objectClass=posixAccount))"

If you are using two directories with different schemas, you can combine them for example as follows:

default_user_filter = "(|(&(objectClass=user)(objectClass=person))(&(objectClass=inetOrgPerson)(objectClass=posixAccount)))"

To allow rules in PrivX roles to match nested groups, you must enable Enable Nested Groups in Rolestore's LDAP settings.

  1. Restart PrivX services to apply any changes.
# systemctl restart privx

Refreshing Directory Data

User-directory changes are updated to PrivX in the following ways:

  • By default, PrivX refreshes directory data every 15 minutes. To adjust the refresh interval of a directory, go to Administration→Directories and Edit the target directory. Shortening the interval allows PrivX to detect user changes faster, while lenghtening the interval reduces system load.

  • To immediately refresh directory data, go to Administration→Directories and perform a Refresh action on the target directory.

Was this page helpful?