Importing users from LDAP

You can import Guardium® user definitions from one or more LDAP servers by configuring an operation that imports the set of users who need Guardium access.

You can run the import operation on demand, or schedule it to run on a periodic basis. You can elect to import only new users, or replace existing user definitions. In either case, LDAP groups can be imported as Guardium roles.

When you import LDAP users,

  • The Guardium admin user definition is not changed in any way.
  • Existing users are not deleted unless you select the Delete user if not on the import list option.
  • Guardium passwords are not changed.
  • New users who are added to Guardium:
    • Are marked inactive by default.
    • Have blank passwords.
    • Are assigned the user role.
Notes:
  • You cannot use special characters in usernames.
  • When you add a user through access management (either from Add User or from LDAP user import) and no given name or surname is provided, the login name is used.

Configuring the LDAP server connection

To open the LDAP User Import page, browse to Access > LDAP User Import from the Guardium access manager.
Note: To configure LDAP user import, the accessmgr user must have the privilege to run the group builder. In certain situations, when role privileges are changed, accessmgr's group builder privilege can be removed. In that case, you cannot save or run an LDAP user import. To restore the privilege, from the access management portal select Role Permissions, then from Group Builder select Roles, and make sure that either All Roles or accessmgr is selected.
  1. To configure an LDAP server for user import, click Add LDAP server to open the Create LDAP Configuration window. In the LDAP Config tab, enter the following information:
    • LDAP host name - The IP address or host name for the LDAP server to access.
    • Port - The port number for connecting to the LDAP server.
    • Server type - The LDAP server type.
    • Use SSL connection - Select this option if Guardium connects to your LDAP server over an SSL/TLS (Secure Sockets Layer) connection. Over a plain LDAP connection, the bind credentials and the returned directory entries cross the network in cleartext.
    • Base DN - The node in the directory tree at which to begin searching for users. The following example shows a Base DN entry for a company tree,
      DC=encore,DC=corp,DC=root
    • Log in as and Password - The credentials of the account that Guardium uses to bind to the LDAP server.
    • Search Filter Scope - Defines the search depth. Select One-Level to search only the entries immediately below the Base DN, or select Sub-Tree to search all entries beneath the Base DN at any depth.
    • Import Limit - The maximum number of items to return. Guardium recommends that you use this field only to test new queries or modifications to existing queries so that you do not inadvertently load an excessive number of members.
    • Search Filter - The LDAP search filter that selects the users to import, applied beneath the Base DN at the selected scope. Typically, imports are based on membership in an LDAP group, so the filter tests the memberOf attribute. For example,
      memberOf=CN=syyTestGroup,DC=encore,DC=corp,DC=root
    • Disable user if not on the import list - Automatically disables existing Guardium users who are not on the import list.
  2. Click Test Connection to test the connection to the LDAP server, and then Save to save your changes.
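The Base DN, Search Filter Scope, Search Filter and Import Limit fields together describe one LDAP search, and it is worth reproducing that search outside the console before saving the configuration. The following Python is an added example, not code from the original page or from Guardium: it assembles the memberOf filter (optionally ANDed with the user object-class list from the Import Config tab), escapes the group DN as RFC 4515 requires, and builds the equivalent OpenLDAP ldapsearch command line. The function names, the host ldap.encore.corp and the service-account bind DN are assumptions.

```python
"""Reproduce the user search described by the LDAP Config tab outside the console.
Added example; not Guardium code."""
import re
import shlex
from typing import Optional

# RFC 4515 section 3: characters that must be escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for the right-hand side of an LDAP filter item, e.g. a group DN."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def parse_object_class_field(field: str) -> list:
    """Split the page's '(objectClass=a)(objectClass=b)' form into ['a', 'b']."""
    classes = re.findall(r"\(objectClass=([^()]+)\)", field)
    if not classes or "".join(f"(objectClass={c})" for c in classes) != field.strip():
        raise ValueError(f"not a concatenation of objectClass items: {field!r}")
    return classes


def build_user_filter(group_dn: str, object_class_field: Optional[str] = None) -> str:
    """AND membership in group_dn with the user object-class list, if one is given."""
    membership = f"(memberOf={escape_filter_value(group_dn)})"
    if not object_class_field:
        return membership
    items = [f"(objectClass={c})" for c in parse_object_class_field(object_class_field)]
    by_class = items[0] if len(items) == 1 else "(|" + "".join(items) + ")"
    return f"(&{by_class}{membership})"


SCOPE_FLAGS = {"One-Level": "one", "Sub-Tree": "sub"}   # Search Filter Scope -> ldapsearch -s


def ldapsearch_argv(host: str, port: int, use_ssl: bool, bind_dn: str, base_dn: str,
                    scope: str, ldap_filter: str, import_limit: int = 0,
                    attrs=("sAMAccountName", "givenName", "sn", "memberOf")) -> list:
    """argv for the equivalent OpenLDAP ldapsearch; -W prompts for the bind password
    so it never appears on the command line, in shell history or in ps output."""
    scheme = "ldaps" if use_ssl else "ldap"
    argv = ["ldapsearch", "-H", f"{scheme}://{host}:{port}", "-D", bind_dn, "-W",
            "-b", base_dn, "-s", SCOPE_FLAGS[scope]]
    if import_limit:                    # Import Limit: cap the number of entries returned
        argv += ["-z", str(import_limit)]
    return argv + [ldap_filter, *attrs]


if __name__ == "__main__":
    # Filter and Base DN values are the page's examples; host and bind DN are assumed.
    flt = build_user_filter(
        "CN=syyTestGroup,DC=encore,DC=corp,DC=root",
        "(objectClass=organizationalPerson)(objectClass=inetOrgPerson)(objectClass=person)")
    cmd = ldapsearch_argv("ldap.encore.corp", 636, True,
                          "CN=svc-guardium,OU=Service Accounts,DC=encore,DC=corp,DC=root",
                          "DC=encore,DC=corp,DC=root", "Sub-Tree", flt, import_limit=20)
    print(shlex.join(cmd))
```

Run the printed command against the same scheme you intend to save (ldaps when Use SSL connection is selected), and compare the entry count with what Query LDAP returns. A group DN that already contains DN escapes such as `\,` is escaped again by escape_filter_value, which is what the filter grammar requires.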

Configuring the import process

After you configure the connection to the LDAP server, select the Import Config tab to configure the process of importing users and roles from LDAP.

In the Import Config tab, enter the following information to import users:
  • LDAP host name - The IP address or host name of the LDAP server (from the LDAP Config tab).
  • Domain - A unique identifier for this LDAP server. The same user ID (sAMAccountName) might exist in more than one domain, so Guardium needs a way to distinguish between the users in separate domains. If an existing user is already loaded from another domain, the current LDAP domain is appended to the username from LDAP to create the Guardium user: <user>@<domain>.

    In general, do not update the LDAP server domain after you import users because the domain might be part of the username. If you do update the LDAP server domain, Guardium updates any usernames from the old domain to the new domain (that is, from <user>@<old_domain> to <user>@<new_domain>).

    Note: If your site is upgrading to Guardium 11.4 or later, you must populate the domain field after the upgrade.
  • Import mode - If you choose to import existing users, then select whether to keep or override the existing attributes for those users.
  • Delete user if not on the import list - Delete existing Guardium users who were previously imported from the same LDAP server, but are no longer in LDAP. Use this option to help keep Guardium users in sync with the LDAP server.
  • Enable new imported users - Enable users as soon as they are imported. If you do not select this option, then enable new users from the access manager User Browser.
  • User RDN Type - LDAP users are identified by the User RDN Type. The default User RDN type is uid. However, work with your Guardium administrator to determine what value to use.
    Note: The following RDN values require special processing:
    • For uid - Always specify the RDN type as uid=search. For example,
      uid=search
    • For sAMAccountName - Specify the RDN type as either sAMAccountName=search or sAMAccountName=<domain name> (the domain name that appears in the users' full names). For example,
      sAMAccountName=search, sAMAccountName=dom
  • Object class for user - Search filter for object class of user DN in LDAP. For example,
    (objectClass=organizationalPerson)(objectClass=inetOrgPerson)(objectClass=person)

    For more information, see Configuring authentication.

Note: For any option that includes the Add defaults icon, click Add defaults to enter the default values.
To also import LDAP roles, select Import roles and then enter the information that you need:
  • Overwrite existing user roles - Synchronize user roles in Guardium with the role assignments in LDAP. Guardium internal roles are not updated or changed.
  • Attribute to import as role - The attribute to use for importing roles, such as CN. Each attribute has a name and belongs to an objectClass.
  • Role Search Base DN - The node in the tree at which to begin searching for roles. For example,
    OU=groups,DC=encore,DC=corp,DC=root
  • Role Search filter - The search filter for roles.
  • Object class for role - The search filter for the object class of role DN in LDAP. For example,
     (objectClass=groupOfNames)(objectClass=group)(objectClass=groupOfUniqueNames)
  • Attribute in user to associate role - The attribute of user DN in LDAP that contains the user’s role entries. For example, memberOf.
  • Attribute in role to associate user - The attribute of role DN in LDAP that contains the member entries. For example, member.

When you are done, click Test Connection and then click Save.
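The bullets under "When you import LDAP users" and the Import Config options above define a set of rules whose combined effect is easiest to see on concrete data. The following Python is an added example, not Guardium code: it models those rules as a dry run over a constructed Guardium user table and a constructed LDAP Query Result, so you can predict what a scheduled import with a given configuration would do before running it. INTERNAL_ROLES, the treatment of an existing account that matches an LDAP entry (attributes updated only in override mode, password and provenance left unchanged), and every host, domain and user name are assumptions.

```python
"""Dry run of the LDAP import rules described on this page (added example, not Guardium code)."""
from copy import deepcopy
from dataclasses import dataclass
from typing import Optional

# Assumption: Guardium-internal roles that "Overwrite existing user roles" must never remove.
INTERNAL_ROLES = {"admin", "accessmgr", "user"}


@dataclass
class GuardiumUser:
    login: str
    first_name: str
    last_name: str
    enabled: bool
    roles: set
    password: str = ""                     # an import never changes this
    imported_from: Optional[tuple] = None  # (LDAP host, domain); None for local accounts


@dataclass
class ImportConfig:
    ldap_host: str
    domain: str
    override_existing: bool = False  # Import mode: override (True) or keep (False) attributes
    delete_if_missing: bool = False  # Delete user if not on the import list
    enable_new: bool = False         # Enable new imported users
    import_roles: bool = False       # Import roles
    overwrite_roles: bool = False    # Overwrite existing user roles
    role_attr: str = "CN"            # Attribute to import as role


def role_name(group_dn: str, attr: str) -> Optional[str]:
    """Value of the first RDN of type attr: CN=Auditors,OU=groups,DC=... -> 'Auditors'."""
    for rdn in group_dn.split(","):
        rdn_type, _, value = rdn.partition("=")
        if rdn_type.strip().upper() == attr.upper():
            return value.strip()
    return None


def plan_import(users: dict, entries: list, cfg: ImportConfig) -> dict:
    """Return the user table as it would look after the import; the input is not mutated."""
    users = deepcopy(users)
    source = (cfg.ldap_host, cfg.domain)
    on_list = set()
    for entry in entries:
        uid = entry["sAMAccountName"]
        if uid == "admin":          # the Guardium admin definition is never touched
            continue
        login, clash = uid, users.get(uid)
        # Same user ID already loaded from another domain: qualify the login as user@domain.
        if clash and clash.imported_from and clash.imported_from[1] != cfg.domain:
            login = f"{uid}@{cfg.domain}"
        on_list.add(login)
        ldap_roles = set()
        if cfg.import_roles:
            ldap_roles = {r for r in (role_name(g, cfg.role_attr)
                                      for g in entry.get("memberOf", [])) if r}
        first = entry.get("givenName") or uid   # missing names fall back to the login name
        last = entry.get("sn") or uid
        user = users.get(login)
        if user is None:            # new user: inactive unless enable_new, blank password, user role
            users[login] = GuardiumUser(login, first, last, cfg.enable_new,
                                        {"user"} | ldap_roles, "", source)
            continue
        if cfg.override_existing:
            user.first_name, user.last_name = first, last
        if cfg.import_roles:        # overwrite syncs with LDAP but keeps internal roles
            kept = user.roles & INTERNAL_ROLES if cfg.overwrite_roles else user.roles
            user.roles = kept | ldap_roles
        # password and imported_from of an existing user are left as they are (assumption)
    if cfg.delete_if_missing:       # only users previously imported from this LDAP server
        for name in [n for n, u in users.items() if u.imported_from
                     and u.imported_from[0] == cfg.ldap_host and n not in on_list]:
            del users[name]
    return users


# Constructed Guardium user table before the import.
EXISTING = {
    "admin": GuardiumUser("admin", "admin", "admin", True, {"admin"}, "local-secret"),
    "jdoe": GuardiumUser("jdoe", "J.", "Doe", True, {"user", "stale_group"}, "p1",
                         ("ldap1.encore.corp", "encore")),
    "asmith": GuardiumUser("asmith", "A.", "Smith", True, {"user"}, "p2",
                           ("ldap1.encore.corp", "encore")),
    "bwang": GuardiumUser("bwang", "Bo", "Wang", True, {"user"}, "p3",
                          ("ldap2.sales.corp", "sales")),
}
# Constructed LDAP Query Result from ldap1: asmith has left, newguy has no names set,
# bwang collides with the user already imported from the sales domain.
ENTRIES = [
    {"sAMAccountName": "jdoe", "givenName": "Jane", "sn": "Doe",
     "memberOf": ["CN=DBAdmins,OU=groups,DC=encore,DC=corp,DC=root",
                  "CN=Auditors,OU=groups,DC=encore,DC=corp,DC=root"]},
    {"sAMAccountName": "bwang", "givenName": "Bao", "sn": "Wang",
     "memberOf": ["CN=Auditors,OU=groups,DC=encore,DC=corp,DC=root"]},
    {"sAMAccountName": "newguy", "memberOf": []},
    {"sAMAccountName": "admin", "memberOf": ["CN=DBAdmins,OU=groups,DC=encore,DC=corp,DC=root"]},
]
SYNC = ImportConfig("ldap1.encore.corp", "encore", delete_if_missing=True,
                    import_roles=True, overwrite_roles=True)


def sync_example() -> dict:
    """Keep-attributes sync with deletion and role overwrite, over the sample data."""
    return plan_import(EXISTING, ENTRIES, SYNC)
```

With SYNC, the dry run removes asmith (imported from ldap1 but no longer returned), leaves admin and the sales-domain bwang untouched, creates bwang@encore and newguy as disabled users with blank passwords and the user role, and replaces jdoe's stale_group role with DBAdmins and Auditors while keeping the internal user role and the existing password. Switching to override mode with Enable new imported users set updates jdoe's names from LDAP and creates the new users enabled.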

Running an LDAP Query

After you configure LDAP or the import process, click Query LDAP to run a query against the selected LDAP server with any selected filters. The results display in the LDAP Query Result tab.

From LDAP Query Result, you can select one or more users to import into Guardium.

To import users from LDAP Query Result:
  1. Run an LDAP query from either the LDAP Config or Import Config tabs.
  2. From LDAP Query Result, select one or more users (or all users), and click the Import icon to import the selected users.

Scheduling LDAP user import

After you configure the LDAP user import, you can create an import schedule.

  1. From LDAP User Import, click Schedule to open the LDAP user import schedule window.
  2. Create a schedule for importing LDAP users and roles. For more information about creating a schedule, see Scheduling. Select Run Once Now to import LDAP users immediately.

Deleting an LDAP connection

To delete an LDAP server connection, select the connection that you want to delete, and click Delete LDAP connection.
CAUTION:
If you delete an LDAP server connection, you also delete all of the users who are imported from that server.

Guardium suggests that instead of deleting a server, you update the configuration. Select the server that you want to update and click Update configuration.