User is Not Assigned to a Team When Logging in with LDAP
Article ID: 377598

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

When a new user logs into the EDR server, they are presented with a default page with very limited access and no teams listed.

Environment

  • Carbon Black EDR Console: All Supported Versions
  • LDAP

Cause

The team mappings do not match what is sent by the IdP, or the mapped team does not already exist in the console.

Resolution

  1. Enable LDAP debug logging: Enable Debug Logging for LDAP Configuration
  2. Request the user to log back into the console.
  3. In the /var/log/cb/coreservices/debug.log, look for the message "AD user info response".
    • Example:
      AD user info response: ['cn=cbadmins,ou=cb-edr,dc=myad,dc=local','cn=admin,ou=my-companyr,dc=myad,dc=local']
  4. Two conditions must be met to properly assign a user to a team.
    1. The team mapping keys must match exactly what is being sent. LDAP sends each group the user is assigned to as a list, for example ['group1','group2']. The match is case sensitive.
    2. The team(s) entered in teams:[] must already exist in the console and must be entered exactly as they appear there. Team names are case sensitive.
  5. Open /etc/cb/sso/attr_map.ldap.py and modify the user group to match the AD group to be assigned.
    • Example: the first group, cn=cbadmins, is mapped so that a matching user is placed in the Analysts team and granted global_admin:
      'cn=cbadmins,ou=cb-edr,dc=myad,dc=local': {
          'teams': ['Analysts'],
          'permissions': ['global_admin']
      }
  6. Each additional team mapping is added as another dictionary entry, with entries separated by a comma.
    • Example: a new mapping for cn=cbanalyst is added to put a matching user in the Analysts team with no additional permissions:
      team_mappings = {
          'cn=cbadmins,ou=cb-edr,dc=myad,dc=local': {
              'teams': ['Analysts'],
              'permissions': ['global_admin']
          },
          'cn=cbanalyst,ou=cb-edr,dc=myad,dc=local': {
              'teams': ['Analysts'],
              'permissions': []
          }
      }
  7. Changes made to attr_map.ldap.py take effect after restarting cb-coreservices (on the primary node only for clustered installations):
    /usr/share/cb/cbservice cb-coreservices restart
  8. Disable the debug logs set in step 1 after verifying the user is properly assigned.
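As an added example (not Carbon Black's code; the server's real matching implementation is not shown on this page), the following Python mirrors the two rules from step 4 so an administrator can check a team_mappings dictionary against an "AD user info response" line from debug.log before restarting cb-coreservices. The function names, the CONSOLE_TEAMS set and the analyst log line are constructed for the example; the admin log line is the one from step 3.

```python
import re

# Constructed debug.log lines in the article's format: the first is the
# article's own example, the second is a made-up analyst user.
ADMIN_LINE = ("AD user info response: ['cn=cbadmins,ou=cb-edr,dc=myad,dc=local',"
              "'cn=admin,ou=my-companyr,dc=myad,dc=local']")
ANALYST_LINE = "AD user info response: ['CN=cbanalyst,ou=cb-edr,dc=myad,dc=local']"

# Constructed mapping in the team_mappings shape used by attr_map.ldap.py
TEAM_MAPPINGS = {
    'cn=cbadmins,ou=cb-edr,dc=myad,dc=local': {
        'teams': ['Analysts'],
        'permissions': ['global_admin'],
    },
    'cn=cbanalyst,ou=cb-edr,dc=myad,dc=local': {
        'teams': ['Analyst'],          # typo: the console team is 'Analysts'
        'permissions': [],
    },
}

# Constructed set of team names that exist in the console (exact spelling)
CONSOLE_TEAMS = {'Administrators', 'Analysts'}


def parse_ad_groups(line):
    """Return the group DNs listed in an 'AD user info response' line."""
    return re.findall(r"'([^']*)'", line.split(':', 1)[1])


def resolve_user(groups, mappings, console_teams):
    """Apply the step-4 rules: a DN must match a mapping key exactly (case
    sensitive) and every mapped team must already exist in the console.
    Returns (teams, permissions, warnings)."""
    teams, perms, warnings = [], [], []
    for dn in groups:
        if dn not in mappings:
            # Keys differing only by case are a common cause of "no teams"
            for key in mappings:
                if key.lower() == dn.lower():
                    warnings.append('case mismatch: %s sent, %s mapped' % (dn, key))
            continue
        for team in mappings[dn]['teams']:
            if team not in console_teams:
                warnings.append('team does not exist in console: %s' % team)
            elif team not in teams:
                teams.append(team)
        for perm in mappings[dn]['permissions']:
            if perm not in perms:
                perms.append(perm)
    return teams, perms, warnings
```

Running resolve_user(parse_ad_groups(ADMIN_LINE), TEAM_MAPPINGS, CONSOLE_TEAMS) yields the Analysts team with global_admin, while the analyst line produces no teams and a case-mismatch warning, which is exactly the symptom described in the Issue section.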