Environment/Affected Version


Aqua CSP  


Applicable Versions


4.2/4.5/4.6


Problem

 

In some organisations the Aqua administrator may need to configure Active Directory authentication that searches through nested groups; see the example below.


At the moment, if you configure LDAP authentication, you need to add every specific group to the role mapping in order to grant access to the users in those groups and assign them the desired Aqua role.

 

In this way the Administrator Aqua role is granted to all the users listed above (admin, aquaadmin, sub1, sub2, sub3); the mapping has to match each Active Directory group exactly, and it pulls in only the users that belong to that specific group.


Solution

If search through nested groups is needed, you can configure the authentication type as "Active directory":



Add the sAMAccountName of the group at the top of the nested group hierarchy in the "Role Mapping" section,


and this configuration allows all the users above (admin, aquaadmin, sub1, sub2, sub3) to pass validation and, as a result, to gain access to the Aqua GUI.
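The difference between the two modes, as an added illustration that is not part of the Aqua product or documentation: a constructed group tree in which the top group holds admin and aquaadmin directly and the remaining users sit in sub-groups, resolved once the flat way (what a per-group LDAP mapping sees) and once through nested groups (what the Active Directory mode does). The group names, OU/DC values and the user-to-group layout are assumptions; the matching-rule OID is the real Active Directory rule for transitive membership.

```python
# Added example (not Aqua's code): how a role mapping resolves to users when
# groups are read flat (LDAP mode, direct members only) versus expanded through
# nested groups (Active Directory mode). The group tree is constructed to match
# the users named in the article; OU/DC values are placeholders.
from typing import Dict, Iterable, Set

# Constructed sample: group sAMAccountName -> direct members (users or groups)
DIRECTORY: Dict[str, Set[str]] = {
    "aqua-admins": {"admin", "aquaadmin", "aqua-sub-a"},  # top of the hierarchy
    "aqua-sub-a": {"sub1", "aqua-sub-b"},
    "aqua-sub-b": {"sub2", "sub3"},
    "developers": {"dev1", "aqua-sub-b"},  # never mapped to an Aqua role
}
# Real AD matching rule (LDAP_MATCHING_RULE_IN_CHAIN) for transitive membership
IN_CHAIN = "1.2.840.113556.1.4.1941"

def direct_users(group: str) -> Set[str]:
    """LDAP-style resolution: only members that are not themselves groups."""
    return {m for m in DIRECTORY.get(group, set()) if m not in DIRECTORY}

def nested_users(group: str) -> Set[str]:
    """AD-style resolution: walk nested groups; 'seen' guards against cycles."""
    users, seen, stack = set(), set(), [group]
    while stack:
        g = stack.pop()
        if g in seen:
            continue
        seen.add(g)
        for m in DIRECTORY.get(g, set()):
            if m in DIRECTORY:
                stack.append(m)  # sub-group: descend into it
            else:
                users.add(m)  # leaf user
    return users

def resolve_role_mapping(groups: Iterable[str], nested: bool) -> Set[str]:
    """Users granted the role for the mapped groups, flat or nested."""
    resolve = nested_users if nested else direct_users
    return set().union(*(resolve(g) for g in groups))

def nested_member_filter(group_dn: str) -> str:
    """ldapsearch filter asking AD itself for every transitive member."""
    return f"(memberOf:{IN_CHAIN}:={group_dn})"

if __name__ == "__main__":
    print("LDAP mode, top group only:", sorted(resolve_role_mapping(["aqua-admins"], False)))
    print("AD mode, top group only:  ", sorted(resolve_role_mapping(["aqua-admins"], True)))
    print(nested_member_filter("CN=aqua-admins,OU=Groups,DC=example,DC=com"))
```

The filter returned by `nested_member_filter` can be used with `ldapsearch` against the directory to confirm which accounts a top-level group actually expands to before mapping it to a role.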


A Request For Enhancement (RFE), SLK-23872, has been raised to provide this capability for the LDAP configuration as well; please contact support for further information on this feature.

 

Related information

https://docs.aquasec.com/docs/active-directory-ldap-integration