Importing users from LDAP
You can import Guardium® user definitions from one or more LDAP servers by configuring an operation that imports the set of users who need Guardium access.
You can run the import operation on demand, or schedule it to run on a periodic basis. You can elect to import only new users, or replace existing user definitions. In either case, LDAP groups can be imported as Guardium roles.
When you import LDAP users,
- The Guardium admin user definition is not changed in any way.
- Existing users are not deleted unless you select the Delete user if not on the import list option.
- Guardium passwords are not changed.
- New users who are added to Guardium:
- Are marked inactive by default.
- Have blank passwords.
- Are assigned the user role.
- You cannot use special characters in usernames.
- When a user is added through access management, whether from Add User or by LDAP user import, and no given name or surname is provided, the login name is used for both.
Configuring the LDAP server connection
To open the LDAP User Import page, browse to from the Guardium access manager.
- To configure an LDAP server for user import, click to open the Create LDAP Configuration window. In the LDAP Config tab, enter the following information:
- LDAP host name - The IP address or host name for the LDAP server to access.
- Port - The port number for connecting to the LDAP server.
- Server type - The LDAP server type.
- Use SSL connection - Select if Guardium connects to your LDAP server using an SSL (secure socket layer) connection.
- Base DN - The node in the directory tree at which the search for users begins. The following example shows a Base DN entry for a company tree,
DC=encore,DC=corp,DC=root
- Log in as and Password - The credentials of the account that Guardium binds with to search the LDAP server. Use a dedicated service account with read-only access to the user and group entries; it does not need any other directory rights.
- Search Filter Scope - Defines the search level. Select One-Level to search only the entries immediately below the Base DN, or select Sub-Tree to search the entire subtree underneath the Base DN.
- Import Limit - The maximum number of items to return. Guardium recommends that you use this field only to test new queries or modifications to existing queries so that you do not inadvertently load an excessive number of members.
- Search Filter - The LDAP search filter that, together with the Base DN and scope, selects the users to import. Typically, imports are based on membership in an LDAP group, so the filter uses the memberOf attribute. For example,
memberOf=CN=syyTestGroup,DC=encore,DC=corp,DC=root
- Disable user if not on the import list - Allows you to automatically disable users who are not explicitly added to Guardium.
- Click Test Connection to test the connection to the LDAP server, and then Save to save your changes.
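Test Connection only proves that the bind works; it does not show which entries the filter will match. The following Python is an added example, not part of this page or of Guardium: it escapes the group DN as RFC 4515 requires (a group named "Ops (EU)" would otherwise break the filter) and assembles the OpenLDAP ldapsearch command that corresponds to the LDAP Config fields above, so the same Base DN, scope, filter and limit can be tried from a shell before the configuration is saved. The host ldap.encore.corp, the bind DN under OU=Service and the returned attribute list are assumptions made for the example.

```python
import shlex
import warnings

# RFC 4515: these characters must be escaped inside a filter assertion value,
# otherwise a group name such as "Ops (EU)" breaks the filter or changes its meaning.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Scope labels from the LDAP Config tab mapped to ldapsearch -s values.
_SCOPES = {"One-Level": "one", "Sub-Tree": "sub"}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value so it is matched literally inside a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def member_of_filter(group_dn: str) -> str:
    """Filter selecting the direct members of one group, as the Search Filter field expects."""
    return f"(memberOf={escape_filter_value(group_dn)})"


def ldapsearch_command(host, port, use_ssl, bind_dn, base_dn, scope, search_filter,
                       import_limit=None, attrs=("uid", "sAMAccountName", "memberOf")):
    """Return the argv of an ldapsearch that mirrors the Guardium LDAP Config fields.

    The bind password is requested interactively (-W) so that it never appears
    in shell history or in the process list.
    """
    if scope not in _SCOPES:
        raise ValueError(f"scope must be one of {sorted(_SCOPES)}, got {scope!r}")
    if not use_ssl:
        warnings.warn("plain ldap://: the bind password and the results travel unencrypted")
    uri = f"{'ldaps' if use_ssl else 'ldap'}://{host}:{port}"
    argv = ["ldapsearch", "-LLL", "-H", uri, "-D", bind_dn, "-W",
            "-b", base_dn, "-s", _SCOPES[scope]]
    if import_limit is not None:
        argv += ["-z", str(import_limit)]   # server-side size limit, like Import Limit
    argv.append(search_filter)
    argv.extend(attrs)                      # only return what the import needs
    return argv


if __name__ == "__main__":
    # Assumed host and service account; the group DN is the one used on this page.
    flt = member_of_filter("CN=syyTestGroup,DC=encore,DC=corp,DC=root")
    cmd = ldapsearch_command("ldap.encore.corp", 636, True,
                             "CN=svc-guardium,OU=Service,DC=encore,DC=corp,DC=root",
                             "DC=encore,DC=corp,DC=root", "Sub-Tree", flt, import_limit=25)
    print(shlex.join(cmd))
```

Run the printed command from a host that can reach the LDAP server. When the filter matches more entries than the limit, the server answers with a size-limit-exceeded result, which is exactly the signal the Import Limit field is meant to give you before a full import.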
Configuring the import process
After you configure the connection to the LDAP server, select the Import Config tab to configure the process of importing users and roles from LDAP.
- LDAP host name - The IP address or host name of the LDAP server (from the LDAP Config tab).
- Domain - A unique identifier for this LDAP server. The same user ID (sAMAccountName) might exist in more than one domain, so Guardium needs a way to distinguish between the users in separate domains. If an existing user with the same name was already loaded from another domain, the current LDAP domain is appended to the username from LDAP to create the Guardium user: <user>@<domain>.
In general, do not update the LDAP server domain after you import users because the domain might be part of the username. If you do update the LDAP server domain, Guardium updates any usernames from the old domain to the new domain (that is, from <user>@<old_domain> to <user>@<new_domain>).
Note: If your site is upgrading to Guardium 11.4 or later, you must populate the domain field after the upgrade.
- Import mode - If you choose to import existing users, then select whether to keep or override the existing attributes for those users.
- Delete user if not on the import list - Delete existing Guardium users who were previously imported from the same LDAP server, but are no longer in LDAP. Use this option to help keep Guardium users in sync with the LDAP server.
- Enable new imported users - Enable users as soon as they are imported. If you do not select this option, then enable new users from the access manager User Browser.
- User RDN Type - The attribute that identifies LDAP users (the user RDN). The default User RDN type is uid. However, work with your Guardium administrator to determine what value to use for your directory. Note: The following RDN values require special processing:
  - For uid - Always specify the RDN type as uid=search. For example,
  uid=search
  - For sAMAccountName - Specify the RDN type as either sAMAccountName=search or sAMAccountName=[domain name], where [domain name] is the domain used in the users' full names. For example,
  sAMAccountName=search, sAMAccountName=dom
- Object class for user - Search filter for the object class of the user DN in LDAP. For example,
(objectClass=organizationalPerson)(objectClass=inetOrgPerson)(objectClass=person)
For more information, see Configuring authentication.
- Overwrite existing user roles - Synchronize user roles in Guardium with the role assignments in LDAP. Guardium internal roles are not updated or changed.
- Attribute to import as role - The attribute to use for importing roles, such as CN. Each attribute has a name and belongs to an objectClass.
- Role Search Base DN - The node in the tree at which to begin searching for roles. For example,
OU=groups,DC=encore,DC=corp,DC=root
- Role Search filter - The search filter for roles.
- Object class for role - The search filter for the object class of the role DN in LDAP. For example,
(objectClass=groupOfNames)(objectClass=group)(objectClass=groupOfUniqueNames)
- Attribute in user to associate role - The attribute of the user DN in LDAP that contains the user's role entries. For example, memberOf.
- Attribute in role to associate user - The attribute of the role DN in LDAP that contains the member entries. For example, member.
When you are done, click Test Connection and then click Save.
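The Import Config options above interact: the Domain decides whether a login becomes <user>@<domain>, Import mode and Overwrite existing user roles decide what is touched on users that already exist, and Delete user if not on the import list only ever removes users that came from the same LDAP server. The following Python is an added example that models these documented rules so they can be dry-run against a copy of the user table; it is not Guardium code. Three details are assumptions, because the page does not state them: the character set behind "no special characters in usernames" (letters, digits, dot, underscore, hyphen), that locally created users such as admin count as "another domain" for the collision rule, and that "user" is the only internal role that an overwrite must preserve.

```python
import re
from dataclasses import dataclass, field, replace
from typing import Dict, FrozenSet, Iterable, Optional, Set

# Assumed definition of "no special characters in usernames".
ALLOWED_LOGIN = re.compile(r"^[A-Za-z0-9._-]+$")


@dataclass
class GuardiumUser:
    name: str
    source: Optional[str]        # LDAP domain the user was imported from; None for locally created users
    active: bool = False
    password: str = ""
    roles: Set[str] = field(default_factory=lambda: {"user"})
    first_name: str = ""
    last_name: str = ""


@dataclass(frozen=True)
class LdapEntry:
    login: str                   # value of the User RDN attribute (uid or sAMAccountName)
    first_name: str = ""
    last_name: str = ""
    groups: FrozenSet[str] = frozenset()   # CN of each group named in the entry's memberOf attribute


def import_users(existing: Dict[str, GuardiumUser], entries: Iterable[LdapEntry], domain: str, *,
                 override_existing: bool = False, delete_missing: bool = False,
                 enable_new: bool = False, overwrite_roles: bool = False,
                 internal_roles: FrozenSet[str] = frozenset({"user"})) -> Dict[str, GuardiumUser]:
    """Apply one LDAP import to a copy of the user table and return the result."""
    users = {n: replace(u, roles=set(u.roles)) for n, u in existing.items()}   # never mutate the input
    imported = set()
    for e in entries:
        if not ALLOWED_LOGIN.match(e.login):
            raise ValueError(f"login {e.login!r} contains characters Guardium does not accept")
        name = e.login
        # Same login already loaded from another domain (or created locally, e.g. admin):
        # qualify the new user as <user>@<domain> instead of touching the existing one.
        if name in users and users[name].source != domain:
            name = f"{e.login}@{domain}"
        imported.add(name)
        first = e.first_name or e.login          # login name stands in for a missing given name/surname
        last = e.last_name or e.login
        ldap_roles = set(e.groups)               # LDAP groups become Guardium roles
        if name in users:                        # user previously imported from this domain
            u = users[name]
            if override_existing:
                u.first_name, u.last_name = first, last
            if overwrite_roles:                  # sync LDAP-derived roles, keep internal roles as they are
                u.roles = (u.roles & internal_roles) | ldap_roles
            # password and active flag are deliberately left alone
        else:
            users[name] = GuardiumUser(name=name, source=domain, active=enable_new, password="",
                                       roles={"user"} | ldap_roles, first_name=first, last_name=last)
    if delete_missing:
        for name in [n for n, u in users.items() if u.source == domain and n not in imported]:
            del users[name]                      # only users from this LDAP server are eligible
    return users


def rename_domain(users: Dict[str, GuardiumUser], old: str, new: str) -> Dict[str, GuardiumUser]:
    """Model of the username update Guardium performs when the Domain field is changed."""
    out = {}
    suffix = "@" + old
    for name, u in users.items():
        if u.source != old:
            out[name] = u
            continue
        new_name = name[: -len(suffix)] + "@" + new if name.endswith(suffix) else name
        out[new_name] = replace(u, name=new_name, source=new)
    return out
```

Feed it the current user list and the output of an LDAP query with the options you intend to save; the difference between the input and the returned table is the change the scheduled import would make, including any <user>@<domain> names that a login clash would create.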
Running an LDAP Query
After you configure the LDAP connection and the import process, click Query LDAP to run a query against the selected LDAP server with the configured filters. The results display in the LDAP Query Result tab.
From LDAP Query Result, you can select one or more users to import into Guardium.
- Run an LDAP query from either the LDAP Config or Import Config tabs.
- From LDAP Query Result, select one or more users (or all users), and click to import the selected users.
Scheduling LDAP user import
After you configure the LDAP user import, you can create an import schedule.
- From LDAP User Import, click Schedule to open the LDAP user import schedule window.
- Create a schedule for importing LDAP users and roles. For more information about creating a schedule, see Scheduling. Select Run Once Now to import LDAP users immediately.
Deleting an LDAP connection
Guardium suggests that instead of deleting a server, you update the configuration. Select the server that you want to update and click .