Environment


Aqua CSP 4.6/5.0


Problem

 

In certain situations the Aqua CSP administrator does not have access to the LDAP server and is granted access per user rather than per group, yet still needs to create the role mapping between LDAP and Aqua.


Solution


This explanation is based on a specific case scenario on Aqua 4.6 and is meant as a guideline for understanding the logic. Adjust the example to the characteristics of your own environment.


1) First, we received 2 users from our LDAP administrator:


- aquauser (with a specific permission set)

- aquaadmin (with administrator permissions)


2) We create a group for aquauser.



3) Now, on the LDAP integration page, under Roles, you will see this new group. Add each user to the desired Aqua role/group, identifying the user by its cn attribute.



4) Under User Attribute Mapping, note that we set "MemberOf" to "cn". This makes Aqua treat each user's own cn as its group membership value, so the role mapping matches on the user rather than on an LDAP group.


5) Configure Group Attribute Mapping as below.



6) With this, we are able to validate both users without referring to a specific LDAP group.
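As an added illustration (not Aqua's code), the following simplified Python model shows why pointing the MemberOf mapping at cn works: the application reads one attribute from the authenticated user's entry as its membership value and matches it against the role mapping, so with cn each user's own name is what gets matched. The role names, the third sample user and the directory entries are constructed assumptions.

```python
"""Simplified model of membership-attribute role resolution (added example)."""
from typing import Dict, List

# Constructed sample entries: the two users from the scenario belong to no
# LDAP group; a third user belongs to an unrelated group and must get no role.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "aquauser": {"cn": ["aquauser"], "memberOf": []},
    "aquaadmin": {"cn": ["aquaadmin"], "memberOf": []},
    "someone": {"cn": ["someone"],
                "memberOf": ["cn=staff,ou=groups,dc=example,dc=com"]},
}

# Role mapping as entered under Roles: role -> group names matched on cn.
# Role names are assumed for illustration only.
ROLE_MAPPING: Dict[str, List[str]] = {
    "Scanner": ["aquauser"],
    "Administrator": ["aquaadmin"],
}


def resolve_roles(username: str, member_of_attr: str,
                  role_mapping: Dict[str, List[str]] = ROLE_MAPPING,
                  directory: Dict[str, Dict[str, List[str]]] = DIRECTORY) -> List[str]:
    """Return roles whose mapped groups intersect the user's membership values.

    member_of_attr is the attribute configured as "MemberOf": with the default
    "memberOf" a group-less user matches nothing; with "cn" the user's own cn
    is the value compared against the role mapping.
    """
    entry = directory.get(username)
    if entry is None:
        return []
    memberships = set(entry.get(member_of_attr, []))
    return sorted(role for role, groups in role_mapping.items()
                  if memberships & set(groups))


def login_allowed(username: str, member_of_attr: str) -> bool:
    """A user that resolves to no role is rejected, so unlisted users never get in."""
    return bool(resolve_roles(username, member_of_attr))


if __name__ == "__main__":
    for attr in ("memberOf", "cn"):
        for user in DIRECTORY:
            print(f"{attr:9s} {user:10s} -> {resolve_roles(user, attr)}")
```

Because the match is on exact cn values, only the users listed in the role mapping receive a role; everyone else in the directory is rejected at login.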



Related information

https://docs.aquasec.com/docs/active-directory-ldap-integration