Summary

This article provides a step-by-step guide to configuring an Active Directory connection via LDAP in Aqua Enterprise.


Note that the recommended way to integrate Active Directory is Aqua's Active Directory connector. The LDAP option described in this article is an alternative that can be used where necessary or preferred.


Environment

Aqua CSP 4.6

Microsoft Server 2016 AD and 


Solution

Microsoft AD Configuration

Domain name Attributes

Domain name example: aqua.local

distinguishedName: DC=aqua,DC=local


User Attributes

Username example: aquauser

In the Attribute Editor, enable the ‘Backlinks’ option in the Filter menu so that back-link attributes such as memberOf are displayed alongside the others:

displayName: aquauser

distinguishedName: CN=aquauser,CN=Users,DC=aqua,DC=local

cn: aquauser

sAMAccountName: aquauser

memberOf: CN=AquaAdmin,CN=Users,DC=aqua,DC=local (the distinguishedName of each group the user belongs to; this is the attribute Aqua reads first when resolving the user’s groups)

userPrincipalName: aquauser@aqua.local


Group Attributes


Group name example: AquaAdmin

sAMAccountName: AquaAdmin

distinguishedName: CN=AquaAdmin,CN=Users,DC=aqua,DC=local

member: the distinguishedName of every member of the group, e.g. CN=aquauser,CN=Users,DC=aqua,DC=local (the forward link from which the user’s memberOf back-link is derived)

objectClass: top; group
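The attributes above can also be collected without the Attribute Editor. The following PowerShell is an example added here; it is not part of the Aqua article or product. It uses the RSAT ActiveDirectory module on a domain-joined Windows host to read the same user and group attributes and to check that the member and memberOf links agree. The domain, user and group names are the article's example values.

```powershell
# Added example, not from the Aqua article: read the attributes the article lists
# and confirm the group link is visible from both sides. Requires the RSAT
# ActiveDirectory module; run on a domain-joined host as a user that can read AD.
Import-Module ActiveDirectory

$domain = 'aqua.local'        # article's example domain
$login  = 'aquauser'          # article's example user (sAMAccountName)
$group  = 'AquaAdmin'         # article's example group (sAMAccountName)

# Domain base distinguishedName, as entered in Aqua's Connection tab
$baseDn = (Get-ADDomain -Identity $domain).DistinguishedName        # DC=aqua,DC=local

# User attributes used by the User Attribute Mapping tab. memberOf is a back-link,
# which is why the Attribute Editor needs the 'Backlinks' filter to show it.
$user = Get-ADUser -Identity $login -Server $domain `
    -Properties displayName, cn, sAMAccountName, userPrincipalName, memberOf, distinguishedName
$user | Select-Object displayName, cn, sAMAccountName, userPrincipalName, distinguishedName, memberOf | Format-List

# Group attributes used by the Role Mapping and Group Attribute Mapping tabs.
# Note: the AD module reports ObjectClass as the most specific class ('group');
# the raw LDAP attribute shown by the Attribute Editor is multi-valued ('top; group').
$grp = Get-ADGroup -Identity $group -Server $domain -Properties member, sAMAccountName, distinguishedName
$grp | Select-Object sAMAccountName, distinguishedName, objectClass, member | Format-List

# Consistency check: the forward link (member) and the back-link (memberOf) must
# agree; if only member is populated, Aqua can resolve the user solely through the
# Group Attribute Mapping fallback.
$forward = $grp.member    -contains $user.DistinguishedName
$back    = $user.memberOf -contains $grp.DistinguishedName
[pscustomobject]@{
    BaseDn           = $baseDn
    User             = $user.sAMAccountName
    Group            = $grp.sAMAccountName
    MemberLink       = $forward
    MemberOfLink     = $back
    MemberOfResolves = ($forward -and $back)
}
```

Run it once as the account you intend to use for the Aqua bind: if that account cannot see member or memberOf, neither will Aqua.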


Aqua Configuration

Go to System --> Integration --> LDAP Authentication


Connection Tab

  1. Enable LDAP authentication
  2. Select LDAP
  3. Host: IP address or host name of the LDAP/AD server
  4. Port: port number of the LDAP/AD server (default: 389). Note that 389 is plaintext LDAP: the bind password and every user password checked at login cross the network unencrypted, so where the deployment supports it use an LDAPS listener (636 by default), and in any case keep the path between Aqua and the directory server on a trusted network
  5. Domain base: the domain’s distinguishedName (DC=aqua,DC=local in this example)
  6. Object Class to search for the username: &(objectClass=organizationalPerson)(objectClass=person)
  7. Username: an account with at least read-only access to the user and group objects, and preferably no other privileges (a dedicated service account rather than an administrator). Enter its full distinguishedName for other LDAP servers; Microsoft AD also accepts its userPrincipalName (e.g. aquauser@aqua.local) or sAMAccountName (e.g. aquauser) for the bind
  8. Password of that account
  9. Click the ‘Test’ button to verify that the connection details are correct.
  10. Click the ‘Save’ button once the message ‘Connection successfully established’ appears

 

Role Mapping Tab

Enter the group’s dN (for other LDAP servers) or sAMAccountName (for Microsoft AD) to map it to one of the Aqua Groups; users who are members of that directory group receive the permissions of the Aqua Group.

  1. As an example, the group ‘AquaAdmin’ was mapped to the Aqua Administrator Group

   

User Attribute Mapping Tab

Bind the user’s attribute to the proper attribute in Aqua’s configuration

  1. User Account Attribute Name: sAMAccountName
  2. User MemberOf Attribute Name: memberOf
  3. User Display Name Attribute Name: cn
  4. User Full DN Attribute Name (optional): distinguishedName

  

Group Attribute Mapping Tab

Optional - used as a fall-back for when the user’s memberOf attribute (configured in the ‘User Attribute Mapping’ tab) does not resolve the user’s groups. Instead of reading memberOf on the user object, Aqua searches the group objects for a member attribute that contains the user’s distinguishedName.

  1. The group attribute that holds the list of members: member
  2. The user attribute that the member values are compared against: distinguishedName
  3. Group Object Class: &(objectClass=top)(objectClass=group)
  4. Click the ‘Save’ button to save the configuration.

Validation Tab

  1. Enter the login username to validate
  2. Enter the user’s password
  3. Press the ‘Login Validation’ button to test that the user can log in through LDAP with those credentials
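The whole configuration above can be exercised from outside Aqua before touching the UI. The following PowerShell is an example added here; it is not Aqua's code and does not call any Aqua API. It reproduces, against the directory, what the Connection tab ‘Test’ button, the User and Group Attribute Mapping lookups, the Role Mapping and the Validation tab do, using the article's attribute names, object-class clauses and the AquaAdmin to Administrator mapping. The server name dc01.aqua.local and the bind account are assumptions; replace them with your own values.

```powershell
# Added example, not part of the Aqua article or product. Reproduces, from outside
# Aqua, the Connection 'Test', the User/Group Attribute Mapping lookups, the Role
# Mapping and the Validation tab using the same attribute names and object-class
# clauses the article enters. Windows PowerShell 5.1 or PowerShell 7 on Windows.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$server  = 'dc01.aqua.local'     # ASSUMPTION: the AD host entered in the Connection tab
$port    = 389                   # plaintext LDAP as in the article; see -UseSsl below
$baseDn  = 'DC=aqua,DC=local'    # Domain base DN from the article
$login   = 'aquauser'            # user to validate (sAMAccountName)
$roleMap = @{ 'AquaAdmin' = 'Administrator' }   # Role Mapping tab: group sAMAccountName -> Aqua Group

function New-LdapConnection {
    param([string]$Server, [int]$Port, [System.Net.NetworkCredential]$Credential, [switch]$UseSsl)
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion   = 3
    # Over 389 the bind password and the validated user's password travel in clear
    # text; pass -UseSsl together with port 636 when the server offers LDAPS.
    $conn.SessionOptions.SecureSocketLayer = [bool]$UseSsl
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic   # LDAP simple bind
    $conn.Credential = $Credential
    $conn.Bind()     # throws LdapException on wrong credentials or an unreachable server
    return $conn
}

function Find-LdapEntry {
    param($Connection, [string]$BaseDn, [string]$Filter, [string[]]$Attributes)
    $req  = New-Object System.DirectoryServices.Protocols.SearchRequest(
                $BaseDn, $Filter, [System.DirectoryServices.Protocols.SearchScope]::Subtree, $Attributes)
    $resp = [System.DirectoryServices.Protocols.SearchResponse]$Connection.SendRequest($req)
    return ,$resp.Entries
}

function Get-LdapFilterEscaped([string]$Value) {
    # RFC 4515 escaping so a login name or DN can never change the filter structure
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray()) {
        if ('\*()'.IndexOf($ch) -ge 0 -or [int]$ch -eq 0) { [void]$sb.AppendFormat('\{0:x2}', [int]$ch) }
        else { [void]$sb.Append($ch) }
    }
    return $sb.ToString()
}

# --- Connection tab: 'Test' = simple bind as the read-only service account ----
$bindCred = (Get-Credential -Message 'Aqua bind account (userPrincipalName or DN)').GetNetworkCredential()
$conn = New-LdapConnection -Server $server -Port $port -Credential $bindCred
Write-Host "Connection successfully established as $($bindCred.UserName)"

# --- User Attribute Mapping: locate the user by sAMAccountName ----------------
# The article's object-class clause, wrapped in the outer parentheses a stand-alone
# RFC 4515 filter needs, AND-ed with the account attribute.
$userFilter = "(&(objectClass=organizationalPerson)(objectClass=person)(sAMAccountName=$(Get-LdapFilterEscaped $login)))"
$users = Find-LdapEntry $conn $baseDn $userFilter @('distinguishedName','cn','sAMAccountName','userPrincipalName','memberOf')
if ($users.Count -ne 1) { throw "Expected exactly one entry for '$login', found $($users.Count)" }
$userDn   = $users[0].DistinguishedName
$groupDns = @()
if ($users[0].Attributes.Contains('memberOf')) {
    $groupDns = @($users[0].Attributes['memberOf'].GetValues([string]))
}

# --- Group Attribute Mapping fallback: only when memberOf resolved nothing -----
if ($groupDns.Count -eq 0) {
    Write-Host 'memberOf empty or not readable by the bind account; searching group member attributes'
    $groupFilter = "(&(objectClass=top)(objectClass=group)(member=$(Get-LdapFilterEscaped $userDn)))"
    $groupDns = @(foreach ($g in (Find-LdapEntry $conn $baseDn $groupFilter @('distinguishedName'))) { $g.DistinguishedName })
}

# --- Role Mapping: for AD the mapping is keyed on the group's sAMAccountName ----
$roles = @(foreach ($dn in $groupDns) {
    $g = Find-LdapEntry $conn $dn '(objectClass=group)' @('sAMAccountName')
    if ($g.Count -eq 1) {
        $sam = [string]$g[0].Attributes['sAMAccountName'][0]
        if ($roleMap.ContainsKey($sam)) { $roleMap[$sam] }
    }
})

# --- Validation tab: bind as the user (by DN) to check the password -----------
$userPwd  = (Get-Credential -UserName $login -Message 'Password of the user to validate').GetNetworkCredential().Password
$userConn = New-LdapConnection -Server $server -Port $port -Credential (New-Object System.Net.NetworkCredential($userDn, $userPwd))
$userConn.Dispose()
$conn.Dispose()

[pscustomobject]@{
    User              = $login
    DistinguishedName = $userDn
    Groups            = $groupDns
    AquaGroups        = $roles
    PasswordValid     = $true    # reached only because the user bind above did not throw
}
```

If the script binds but finds no groups through memberOf, the Group Attribute Mapping fallback is what will make the Aqua login work; if it finds the groups but AquaGroups stays empty, the Role Mapping entry does not match the group's sAMAccountName. An LdapException on the first bind means the Connection tab ‘Test’ will fail with the same credentials.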