Importing users from LDAP

You can import Guardium® user definitions from an LDAP server by configuring an operation that imports the set of users who need Guardium access.

You can run the import operation on demand, or schedule it to run on a periodic basis. You can elect to import only new users, or replace existing user definitions. In either case, LDAP groups can be imported as Guardium roles.

When you import LDAP users:

  • The Guardium admin user definition is not changed in any way.
  • Existing users are not deleted.
  • Guardium passwords are not changed.
  • New users who are added to Guardium:
    • Are marked inactive by default.
    • Have blank passwords.
    • Are assigned the user role.
Notes:
  • You cannot use special characters in usernames.
  • When you add a user manually via access management (either from Add User or LDAP user import), if no given name or surname is provided, the login name is used.
  • The LDAP configuration menu has tooltips for certain menu choices. Move the cursor over a menu choice (such as Object Class for user), and a short description appears.

Configuring LDAP user import

The attribute that is used to identify users is defined by the Guardium administrator, in the User RDN Type box of the LDAP Authentication Configuration window. For more information, see Configuring authentication. The default is uid, but consult with your Guardium administrator to determine what value is being used. If SamAccountName is used as the RDN value, the full name must be specified as either SamAccountName=search or SamAccountName=[domain name]. Examples: SamAccountName=search, SamAccountName=dom

Note: To configure LDAP user import, the accessmgr user must have privileges to run the group builder. In certain situations, when changes are made to the role privileges, the accessmgr privilege to the group builder can be removed. In this case, you cannot save or run LDAP user import. From the access management portal, select Role Permissions. From Group Builder, select Roles. Make sure that either All Roles or accessmgr is selected.
  1. To open the LDAP User Import window, browse to Access > Access Management > LDAP User Import.
    Note: See Tivoli LDAP configuration example for a reference in filling out the required information.
  2. For LDAP Host Name, enter the IP address or hostname for the LDAP server to be accessed.
  3. For Port, enter the port number for connecting to the LDAP server.
  4. Select the LDAP server type from the Server Type menu.
  5. Select Use SSL Connection if Guardium connects to your LDAP server using an SSL (secure socket layer) connection.
  6. For Log in as - Enter the user account information to connect to the LDAP server. If anonymous access is enabled in LDAP, then this parameter is optional.
  7. For Base DN, specify the node in the tree at which to begin the search. For example, a company tree might begin like: DC=encore,DC=corp,DC=root
  8. For Import mode, either keep or override existing attributes.
    Important: The Override existing attributes and Keep existing attributes settings do not apply to user-role association.
    • If an imported role is removed locally on the Guardium system, it will be imported again at the next sync.
    • If a user is associated with a role in addition to any roles defined by the import, the association will remain even after the subsequent sync.
  9. For Attribute to Import, enter the attribute that is used to import users (for example: cn). Each attribute has a name and belongs to an objectClass.
  10. Check the Clear existing group members before importing checkbox if you want to delete all existing group members before importing.
  11. For Log In As and Password, enter the user account information to connect to the LDAP server.
  12. For Search Filter Scope, select One-Level to apply the search to the base level only, or select Sub-Tree to apply the search to levels beneath the base level.
  13. For Limit, enter the maximum number of items to be returned. Guardium recommends that you use this field to test new queries or modifications to existing queries so that you do not inadvertently load an excessive number of members.
  14. Optionally, for Search Filter, define a base DN, scope, and search filter. Typically, imports are based on membership in an LDAP group, so you would use the memberOf attribute. For example, memberOf=CN=syyTestGroup,DC=encore,DC=corp,DC=root
  15. Click Apply to save the configuration settings.
    Note: The Status indicator in the Configuration - General section changes to "LDAP import currently set up for this group as follows", and Modify Schedule and Run Once Now are enabled. You can now import from your LDAP server.
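As an added example that is not part of the Guardium documentation, the following shell script composes the LDAP search filter that the import fields describe (the Object Class for User disjunction AND'ed with the memberOf filter from step 14) and prints the equivalent OpenLDAP ldapsearch command, so the query can be previewed with a size limit before the import is run. The host name, bind DN, group DN and limit are constructed sample values, and the ldapsearch options are the standard OpenLDAP client options, not a Guardium tool.

```shell
#!/bin/sh
# Added example: preview the query an LDAP User Import configuration would run.
# Assumptions: ldap.example.com, the limit of 25 and the group DN are constructed
# sample values; ldapsearch is the OpenLDAP client, not part of Guardium.

# Default "Object Class for User" value from the Tivoli example table.
USER_CLASSES='|(objectClass=organizationalPerson)(objectClass=inetOrgPerson)(objectClass=person)'

# Build the complete search filter: the object-class filter AND'ed with an
# optional membership filter, wrapped in the parentheses LDAP filter syntax needs.
# $1 = object-class filter (without outer parentheses)
# $2 = optional extra filter, e.g. "memberOf=CN=...,DC=..."
import_filter() {
  if [ -n "$2" ]; then
    printf '(&(%s)(%s))' "$1" "$2"
  else
    printf '(%s)' "$1"
  fi
}

# Compose the ldapsearch command as one string (dry run: nothing is executed).
# $1 host, $2 port, $3 bind DN, $4 base DN, $5 scope (one|sub), $6 limit, $7 filter
# Only cn (login attribute) and memberOf (role association) are requested.
preview_cmd() {
  printf 'ldapsearch -H ldap://%s:%s -D "%s" -W -b "%s" -s %s -z %s "%s" cn memberOf' \
    "$1" "$2" "$3" "$4" "$5" "$6" "$7"
}

FILTER=$(import_filter "$USER_CLASSES" 'memberOf=CN=syyTestGroup,DC=encore,DC=corp,DC=root')
# Sub-Tree scope = -s sub, One-Level = -s one. The -z size limit plays the role of
# the Limit field: a mistaken filter cannot return the whole directory while testing.
CMD=$(preview_cmd ldap.example.com 389 'cn=root' 'DC=encore,DC=corp,DC=root' sub 25 "$FILTER")
echo "$CMD"
```

Review the printed command and then run it with eval "$CMD"; the entries it returns are the members the import would offer in the LDAP Query Results window.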

Scheduling LDAP user import

After you configure the LDAP user import, you can create an import schedule.

  1. From LDAP User Import, click Modify Schedule to open the LDAP user import schedule window.
  2. Create a schedule for importing LDAP users and roles. For more information about creating a schedule, see Scheduling. Select Run Once Now to import LDAP users immediately.

Running LDAP user import

When you run LDAP user import on demand, you have the opportunity to accept or reject each of the users who are returned by the query, which is especially useful for testing purposes. If LDAP import is not yet configured, complete the steps in Configuring LDAP user import before you perform this procedure.

  1. Open the LDAP User Import window by clicking Access > Access Management > LDAP User Import.
  2. Click Run Once Now. After the task completes, the set of members that satisfy your selection criteria will be displayed in the LDAP Query Results window.
  3. In the LDAP Query Results window, mark the checkbox for each user you want added, and click Import (or click Cancel to return without importing any users).
  4. To view the added users, open the User Browser by clicking Access > Access Management > User Browser. Verify that the correct user accounts are added.

Tivoli LDAP configuration example

Table 1. Example of Tivoli LDAP Configuration
Field                                  Values
LDAP Host Name
Port                                   389
Server Type                            Tivoli® Directory
Use SSL connection
Base DN                                cn=sample realm,o=sample
Import Mode                            Choose Override existing attributes
Disable user if not on import list
Enable new Imported Users
Log in as                              cn=root
Password
Search filter scope                    Sub-Tree
Limit
Attribute to Import as User Login      cn (Configurable through Portal)
Search filter
Object Class for User                  Fill with Default Value - |(objectClass=organizationalPerson)(objectClass=inetOrgPerson)(objectClass=person)
Import Roles                           Add a Checkmark
Attribute to Import as Role            cn
Role Search Base DN                    Fill with Default Value - cn=sample realm,o=sample
Role filter
Object Class for Role                  Fill with Default Value - |(objectClass=groupOfNames)(objectClass=group)(objectClass=groupOfUniqueNames)
Attribute in User to Associate Role    Fill with Default Value - memberOf
Attribute in Role to Associate User    Fill with Default Value - member