AD Login Source - AD managed role and login

Article ID: 240096

Products

Data Loss Prevention Network Discover

Issue/Introduction

You are having trouble implementing AD-managed roles/logins to the console.  

Cause

This article is not intended to replace the administration guide but to augment it.

Please see the link under "Additional Information".

Resolution

Step-by-step guide for creating the AD-managed role:

  1. Create a directory connection.
  2. Create a user group using that directory connection.
    • In 15.8, specify that it is intended for a role or policy.
  3. Add or modify a role and, under the "Users and Groups" tab, specify the user group from the previous step.
  4. In Data Source Management, create an "AD Login Source". This only asks for an LDAP filter.

See the clarification below for each component in this process. NOTE: As of 15.8, the directory connection MUST use port 389 or 636 (DC, a domain controller) rather than 3268 (GC, the global catalog).

  1. Directory connection
    • It is advised not to use the root of your AD: given the size of many enterprise directories, it is common to see timeouts before all users can be indexed. Specify the OU for the users in question; it must contain the users you plan to import.
  2. User group
    • This is the scope of users you plan to import from the directory connection. Specify the CN of your user group here.
  3. The role
    • All users added in this process, including those already in the console who are part of the import, will gain this directory connection.
    • If there is a case mismatch in the name, the user name will be overwritten. For example, if a user with the account name "someuser" is presently in the console and their AD sAMAccountName is SOMEUSER, then after the import the DLP user someuser will be replaced by SOMEUSER; the latter will be the new user name for logging into the console.
    • If a user already exists in the console and has another, non-AD-managed role, they will be added to the AD-managed role in addition to their other roles. When a user is excluded by the import filter in step 2 or step 4, they will not be deleted from the console; only the role will be removed.
  4. Data Source Management - AD Login Source
    • This can further limit the users/objects imported. It is hard-coded to search for "sAMAccountType 805306368", which is the "person" object type. The filter format is as follows (AND, OR and NOT respectively; NOT takes exactly one filter):

      (&(LDAP_Search_1)(LDAP_Search_2)(LDAP_Search_n))
      (|(LDAP_Search_1)(LDAP_Search_2)(LDAP_Search_n))
      (!(LDAP_Search_1))
    • This further limits which users are pulled from the user group from step 2.
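As an added example that is not from this article or from the product, the following Python dry run shows how the step-4 filter composes with the hard-coded sAMAccountType test: it parses an AD Login Source filter (only the &, |, ! and attr=value forms shown above), ANDs it with the fixed person test, and reports which of some constructed sample entries would be imported, so a filter can be checked before it is applied to a large user group. The sample entries and the function names are made up for the example.

```python
# Fixed part of the import (from the article): sAMAccountType 805306368 = "person" objects.
PERSON_FILTER = "(sAMAccountType=805306368)"
def _parse(s, i):
    """Recursive-descent parser for the RFC 4515 subset used here: &, |, ! and attr=value."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    op = s[i + 1]
    if op in "&|":                        # AND / OR take one or more filters
        kids, i = [], i + 2
        while s[i] != ")":
            node, i = _parse(s, i)
            kids.append(node)
        return (op, kids), i + 1
    if op == "!":                         # NOT takes exactly one filter
        node, i = _parse(s, i + 2)
        if s[i] != ")":
            raise ValueError("NOT takes exactly one filter")
        return ("!", [node]), i + 1
    j = s.index(")", i)                   # raises ValueError if the ')' is missing
    attr, eq, value = s[i + 1:j].partition("=")
    if not attr or not eq:
        raise ValueError(f"malformed item filter at offset {i}")
    return ("=", attr.lower(), value), j + 1
def parse_filter(text):
    try:
        node, end = _parse(text, 0)
    except IndexError:
        raise ValueError("unbalanced parentheses") from None
    if end != len(text):
        raise ValueError("text after the closing parenthesis")
    return node
def matches(node, entry):
    """Evaluate a parsed filter against one entry: lower-case attribute names, string values."""
    op = node[0]
    if op in "&|":
        return (all if op == "&" else any)(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    actual = entry.get(node[1])           # an absent attribute never matches (even inside NOT)
    return actual is not None and (node[2] == "*" or actual.lower() == node[2].lower())
def preview_import(admin_filter, entries):
    """Dry run: the sAMAccountNames the AD Login Source would pull in with this admin filter."""
    tree = parse_filter(f"(&{PERSON_FILTER}{admin_filter})")
    return [e["samaccountname"] for e in entries if matches(tree, e)]
# Constructed sample entries (not real directory data); the third is a group, not a person.
SAMPLE_ENTRIES = [
    {"samaccountname": "SOMEUSER", "samaccounttype": "805306368", "department": "Security"},
    {"samaccountname": "svc-backup", "samaccounttype": "805306368", "department": "IT"},
    {"samaccountname": "DLP Admins", "samaccounttype": "268435456"},
]
```

Note that the group entry is dropped even by a filter such as (!(department=IT)), because the fixed person test is ANDed in before the administrator's filter is evaluated.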

Additional Information

Working with general settings