Importing Users from LDAP
You can import Guardium® user definitions from an LDAP server by configuring an import operation to obtain the appropriate set of users.
You can run the import operation on demand, or schedule it to run on a periodic basis. You can elect to have only new users imported, or you can have existing user definitions replaced. In either case, LDAP groups can be imported as Guardium roles.
When importing LDAP users:
- The Guardium admin user definition will not be changed in any way.
- Existing users will not be deleted (in other words, the entire set of users is not replaced by the set imported from LDAP).
- Guardium passwords will not be changed.
- New users being added to Guardium:
- Will be marked inactive by default
- Will have blank passwords
- Will be assigned the user role
Special characters in a user name is not supported.
When adding a user manually via Access Management (either from Add User or LDAP user import), if there is no first name and/or last name, the login name will be used.
This LDAP configuration menu screen has tool tips for certain menu choices. Move the cursor over a menu choice (such as Object Class for user), and a short description will appear.
Guardium CLI users can not authenticate in the LDAP environment, as there is no privilege separation for the CLI users.
Configure LDAP User Import
The attribute that will be used to identify users is defined by the Guardium administrator, in the User RDN Type box of the LDAP Authentication Configuration panel. See Configure LDAP Authentication for further information. The default is uid, but you should consult with your Guardium administrator to determine what value is being used. If a user is using SamAccountName as the RDN value, the user must use either a =search or =[domain name] in the full name. Examples: SamAccountName=search, SamAccountName=dom
- Open the LDAP User Import panel by clicking .
See Example of Tivoli® LDAP Configuration at the end of this help topic for reference in filling out the required information.
- For LDAP Host Name, enter the IP address or host name for the LDAP server to be accessed.
- For Port, enter the port number for connecting to the LDAP server.
- Select the LDAP server type from the menu.
- Check the Use SSL Connection check box if Guardium is to connect to your LDAP server using an SSL (secure socket layer) connection.
- For Base DN, specify the node in the tree at which to begin the search. For example, a company tree might begin like: DC=encore,DC=corp,DC=root
- For Attribute to Import, enter the attribute that will be used to import users (for example: cn). Each attribute has a name and belongs to an objectClass.
- Check the Clear existing group members before importing check box if you want to delete all existing group members before importing.
- For Log In As and Password, enter the user account information that will connect to the Guardium server.
- For Search Filter Scope, select One-Level to apply the search to the base level only, or select Sub-Tree to apply the search to levels beneath the base level.
- For Limit, enter the maximum number of items to be returned. We recommend that you use this field to test new queries or modifications to existing queries, so that you do not inadvertently load an excessive number of members.
- Optional: For Search Filter, define a base DN, scope, and search filter. Typically, imports will be based on membership in an LDAP group, so you would use the memberOF keyword. For example: memberOf=CN=syyTestGroup,DC=encore,DC=corp,DC=root
- Click Apply to save the configuration settings.Note: The Status indicator in the Configuration - General section will change to LDAP import currently set up for this group as follows and the Modify Schedule and Run Once Now buttons will be enabled. You can now import from your LDAP server.
Schedule LDAP User Import
If LDAP Import has not yet been configured, you must perform Configure LDAP User Import before performing this procedure.
- Open the LDAP User Import panel by clicking .
Run LDAP User Import
When you run LDAP user import on demand, you have the opportunity to accept or reject each of the users returned by the query. This is especially useful for testing purposes. If LDAP Import has not yet been configured, you must perform Configure LDAP User Import before performing this procedure.
- Open the LDAP User Import panel by clicking .
- Click Run Once Now. After the task completes, the set of members satisfying your selection criteria will be displayed in the LDAP Query Results panel.
- In the LDAP Query Results panel, mark the check box for each user you want added, and click Import (or click Cancel to return without importing any users).
- To view the added users, open the User Browser by clicking . Verify that the correct user accounts have been added.
Example of Tivoli LDAP Configuration
| LDAP Host Name | Values |
|---|---|
Port |
389 |
Server Type |
Tivoli Directory |
Use SSL connection |
|
Base DN |
cn=sample realm,o=sample |
Import Mode |
Choose Override existing attributes |
Disable user if not on import list |
|
Enable new Imported Users |
|
Log in as |
cn=root |
Password |
|
Search filter scope |
Sub-Tree |
Limit |
|
Attribute to Import as User Login |
cn (Configurable through Portal) |
Search filter |
|
Object Class for User |
Fill with Default Value - |(objectClass=organizationalPerson)(objectClass=inetOrgPerson)(objectClass=person) |
Import Roles |
Add a Checkmark |
Attribute to Import as Role |
cn |
Role Search Base DB |
Fill with Default Value - cn=sample realm,0=sample |
Role filter |
|
Object Class for Role |
Fill with Default Value - |(objectClass=groupOfNames)(objectClass=group)(objectClass=groupOfUniqueNames) |
Attribute in User to Associate Role |
Fill with Default Value - memberOf |
Attribute in Role to Associate User |
Fill with Default Value - member |