Synchronizing data with an LDAP server

You can manually synchronize data between the IBM® QRadar® server and the LDAP authentication server.

About this task

If you use authorization that is based on user attributes or groups, user information is automatically imported from the LDAP server to the QRadar console.

Each group that is configured on the LDAP server must have a matching user role or security profile that is configured on the QRadar console. For each group that matches, the users are imported and assigned permissions that are based on that user role or security profile.

Important: Running the synchronization manually does not import new users. An LDAP user is imported only when that user first logs in to QRadar.

By default, synchronization happens every 24 hours. The timing is measured from the last run, whether scheduled or manual. For example, if you manually run the synchronization at 11:45 PM and the synchronization interval is set to 8 hours, the next synchronization happens at 7:45 AM. If the access permissions change for a user who is logged in when the synchronization occurs, that user's session becomes invalid and the user is redirected to the login screen with the next request.

When synchronization runs and finds a user who is no longer in the LDAP server, that user is disabled in QRadar unless the account is set to Local Fallback or Local Only. A Local Fallback or Local Only user is not disabled but is flagged on the User Management page. In either case, a system notification informs the administrator of the change to the user account.

Figure 1. User Management page showing a flagged user (screen image)

The administrator can address the flagged users through one of the following solutions.

  • Modify the user in QRadar
  • Change the authentication module
  • Fix the user on the LDAP server, then run LDAP Sync in QRadar
  • If the user is set as Local Fallback or Local Only, it is flagged but not disabled. That user must log in with local credentials to remove the flag.
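The synchronization rules described above (interval measured from the last run, disable versus flag for users missing from LDAP, session invalidation on permission change, flag cleared by a local login), modelled as an added Python example. This is not QRadar code; the QRadarUser class, the auth_mode labels and the sample users are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class QRadarUser:
    """Minimal model of a QRadar user record (constructed for this example)."""
    name: str
    auth_mode: str            # "ldap", "local_fallback" or "local_only"
    disabled: bool = False
    flagged: bool = False
    session_valid: bool = True

def next_sync_time(last_run: datetime, interval_hours: int) -> datetime:
    """The interval counts from the last run, manual or scheduled."""
    return last_run + timedelta(hours=interval_hours)

def reconcile(users, ldap_names, changed_permissions=(), logged_in=()):
    """Apply the documented sync rules in place; return admin notifications.

    A user absent from LDAP is disabled, unless the account is Local Fallback
    or Local Only, in which case it is only flagged. A logged-in user whose
    permissions changed loses the session and must log in again.
    """
    notifications = []
    for u in users:
        if u.name not in ldap_names:
            if u.auth_mode in ("local_fallback", "local_only"):
                u.flagged = True
                notifications.append(f"{u.name}: not in LDAP, flagged (local account kept)")
            else:
                u.disabled = True
                notifications.append(f"{u.name}: not in LDAP, disabled")
        elif u.name in changed_permissions and u.name in logged_in:
            u.session_valid = False   # redirected to the login screen on next request
    return notifications

def local_login(user: QRadarUser) -> None:
    """A flagged Local Fallback / Local Only user clears the flag by logging in locally."""
    if user.auth_mode in ("local_fallback", "local_only"):
        user.flagged = False

def demo():
    # Constructed sample: four QRadar users, only alice is still present in LDAP.
    users = [QRadarUser("alice", "ldap"), QRadarUser("bob", "ldap"),
             QRadarUser("carol", "local_fallback"), QRadarUser("dave", "local_only")]
    notes = reconcile(users, ldap_names={"alice"},
                      changed_permissions={"alice"}, logged_in={"alice"})
    nxt = next_sync_time(datetime(2024, 1, 1, 23, 45), 8)   # 11:45 PM + 8 h
    return {"users": users, "notes": notes, "next_sync": nxt.strftime("%I:%M %p")}
```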

Procedure

  1. On the Admin tab, click Authentication.
  2. Click Authentication Module Settings.
  3. From the Authentication Module list, select LDAP.
  4. Click Manage Synchronization > Run Synchronization Now.