Versions Compared

Old Version 4

changes.mady.by.user Unknown User (anastasia.antonenko)

Saved on

compared with

New Version Current

changes.mady.by.user Unknown User (anastasia.antonenko)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: ALD Pro deleted.

This page describes how to set up Axidian Privilege integration with Active Directory, FreeIPA and OpenLDAP user directories.

To change the user catalog reading parameters, you need to edit the UserCatalog section in the Core and Idp configuration files.

Path to the Core configuration file:

WindowsC:\inetpub\wwwroot\pam\core\appsettings.json
Linux/etc/indeed/indeed-pam/core/appsettings.json


Path to the IdP configuration file:

WindowsC:\inetpub\wwwroot\pam\idp\appsettings.json
Linux/etc/indeed/indeed-pam/idp/appsettings.json

Setting up Integration with Active Directory

The configuration files initially contain settings for integration with Active Directory, no additional changes are required.

Setting Up a Search for Users Belonging to a Security Group

To set up a search for users belonging to a specified security group you need to configure the CatalogFilter parameter.

Code Block
titleExample of setting the parameter for one security group
"CatalogFilter": "memberOf=cn=Admins,CN=Builtin,DC=vdd,DC=com"


Code Block
titleExample of setting the parameter for multiple security groups
"CatalogFilter": "(|(memberOf=cn=Admins,CN=Builtin,DC=vdd,DC=com) (memberOf=cn=PrivelledgeAccounts,OU=Groups,DC=vdd,DC=com) (memberOf=cn=Admins1,OU=PAMUsers,DC=vdd,DC=com))"


The ContainerPath parameter must also be filled in, because only those users who are members of the OU that you specified in the value of the CatalogFilter parameter will be read.

Expand
titleExample of a UserCatalog section with security group filled in...


Code Block
"UserCatalog": {
  "RootProvider": "ad1",
  "Providers": {
    "Ldap": [
      {
        "Id": "ad1",
        "ConnectorType": "Ldap",
        "LdapServerType": "ActiveDirectory",
        "Domain": "indeed.test",
        "Port": 636,
        "AuthType": "Basic",
        "SecureSocketLayer": true,
        "ContainerPath": "OU=UsersPAM,DC=indeed,DC=test",
        "CatalogFilter": "memberOf=cn=SecurityGroup,OU=PAMUsers,DC=indeed,DC=test",
        "UserName": "IPAMADReadOps@indeed.test",
        "Password": "qwe123",
        "UserMapRules": {
          "Settings": [
            {
              "Category": "person",
              "Class": "user"
            }
          ]
        }
      }
    ]
  }
}



For more information on configuring the CatalogFilter parameter, see the Microsoft documentation.

Setting Up Integration with FreeIpa

To set up an integration with the FreeIPA user directory, users of the directory must have the following attributes:

  • entryUUID or ipaUniqueID
  • cn
  • entryDn
  • ipaNTSecurityIdentifier
  • krbPrincipalName
  • uid
Expand
titleExample of the UserCatalog section for FreeIPA or AldPro user directory...


Code Block
{
  "Id": "ad",
  "ConnectorType": "Ldap",
  "LdapServerType": "FreeIpa",
  "Domain": "ald.sup", // Name of the domain or specific controller
  "Port": 389, // 389 for connecting via LDAP, 636 for connecting via LDAPS
  "AuthType": "Basic",
  "SecureSocketLayer": false,// false for connecting via LDAP, true for connecting via LDAPS
  "ContainerPath": "dc=ald,dc=sup",
  "UserName": "uid=pamread,cn=users,cn=accounts,dc=ald,dc=sup", // Domain access credentials. Must be in distiguishedName format, the account must have read permissions for the required attributes
  "Password": "Q1w2e3r4", // Account password to access the domain
  "GroupMapRules": {
    "Settings": [
     {
      "Category": "",
      "Class": "ipantgroupattrs"
      }
    ],
    "Attributes": {
      "Id": "ipaUniqueID",
      "Name": "cn",
      "SamAccountName": "cn",
      "CanonicalName": "cn",
      "DistinguishedName": "entryDn",
      "SidBytes": "ipaNTSecurityIdentifier"
     }
    },
    "UserMapRules": {
      "Settings": [
       {
        "Category": "",
        "Class": "person"
       }
      ],
      "Attributes": {
        "Id": "ipaUniqueID",
        "Name": "cn",
        "PrincipalName": "krbPrincipalName",
        "SamAccountName": "uid",
        "DistinguishedName": "entryDn",
        "SidBytes": "ipaNTSecurityIdentifier",
        "ThumbnailPhoto": "jpegPhoto",
        "JpegPhoto": "jpegPhoto"
       }
    }
}



If directory users have an entryUUID attribute and have no ipaUniqueID attribute, then in the GroupMapRules and UserMapRules sections in the Attributes section, you need to remove the "Id": "ipaUniqueID" parameter.

Setting Up Integration with OpenLDAP

To set up an integration with the OpenLDAP  user directory, users of the directory must have the following attributes:

  • cn
  • entryDn
  • uid

Example of the UserCatalog section for OpenLDAP user directory

Expand
titleExample of the UserCatalog section for OpenLDAP user directory...


Code Block
{
  "Id": "oldap",
  "ConnectorType": "Ldap",
  "LdapServerType": "OpenLdap",
  "Domain": "oldap.local", // Name of the domain or specific controller
  "Port": 389, // 389 for connecting via LDAP, 636 for connecting via LDAPS
  "AuthType": "Basic",
  "SecureSocketLayer": false, // false for connecting via LDAP, true for connecting via LDAPS 
  "ContainerPath": "DC=oldap,DC=local",
  "UserName": "cn=IPAMADReadOps,dc=oldap,dc=local", // Domain access credentials. Must be in distiguishedName format, the account must have read permissions for the required attributes 
  "Password": "QWEqwe123", // Account password to access the domain
  "GroupMapRules": {
    "Settings": [
      {
        "Category": "",
        "Class": "groupOfUniqueNames"
      }
    ],
    "Attributes": {
      "Name": "cn",
      "SamAccountName": "cn",
      "CanonicalName": "cn",
      "DistinguishedName": "entryDn",
      "Members": "uniqueMember"
    }
  },
  "UserMapRules": {
    "Settings": [
      {
        "Category": "",
        "Class": "inetOrgPerson"
      }
    ],
    "Attributes": {
      "Name": "cn",
      "SamAccountName": "uid",
      "DistinguishedName": "entryDn",
      "ThumbnailPhoto": "photo",
      "JpegPhoto": "photo"
    }
  }
}


Setting Up an Integration with Multiple User Directories

To set up an integration with multiple user directories, please follow these steps:

  1. Change the RootProvider parameter value to "orUCP".
  2. In the Ldap section, list the user directories with which integration is required, separated by commas. Provider IDs must not match. The IDs of the providers that PAM previously worked with should not change.
  3. Add the Or section from the example below, in which write the Ids of the providers sections.
Expand
titleExample of the UserCatalog section for multiple user directories...


Code Block
"UserCatalog": {
    "RootProvider": "orUCP",
    "Providers": {
      "Ldap": [
        {
          "Id": "ad",
          "ConnectorType": "Ldap",
          "LdapServerType": "ActiveDirectory",
          "Domain": "indeed.test",
          "Port": 636,
          "AuthType": "Basic",
          "SecureSocketLayer": true,
          "ContainerPath": "OU=UsersPAM,DC=indeed,DC=test",
          "UserName": "IPAMADReadOps@indeed.test",
          "Password": "qwe123",
          "UserMapRules": {
            "Settings": [
              {
                "Category": "person",
                "Class": "user"
              }
            ]
          }
        },
        {
          "Id": "ad2",
          "ConnectorType": "Ldap",
          "LdapServerType": "ActiveDirectory",
          "Domain": "indeed.test",
          "Port": 636,
          "AuthType": "Basic",
          "SecureSocketLayer": true,
          "ContainerPath": "OU=UsersPAM,DC=indeed,DC=test",
          "UserName": "IPAMADReadOps@indeed.test",
          "Password": "qwe123",
          "UserMapRules": {
            "Settings": [
              {
                "Category": "person",
                "Class": "user"
              }
            ]
          }
        },
        {
          "Id": "ipa",
          "ConnectorType": "Ldap",
          "LdapServerType": "FreeIpa",
          "Domain": "ipa.redos",
          "Port": 389,
          "AuthType": "Basic",
          "SecureSocketLayer": false,
          "ContainerPath": "DC=ipa,DC=redos",
          "UserName": "uid=IPAMADReadOps,cn=users,cn=accounts,dc=ipa,dc=redos",
          "Password": "qwe123",
          "GroupMapRules": {
            "Settings": [
              {
                "Category": "",
                "Class": "ipantgroupattrs"
              }
            ],
            "Attributes": {
              "Name": "cn",
              "SamAccountName": "cn",
              "CanonicalName": "cn",
              "DistinguishedName": "entryDn",
              "SidBytes": "ipaNTSecurityIdentifier"
            }
          },
          "UserMapRules": {
              "Settings": [
                {
                  "Category": "",
                  "Class": "person"
                }
              ],
              "Attributes": {
                  "Name": "cn",
                  "PrincipalName": "krbPrincipalName",
                  "SamAccountName": "uid",
                  "DistinguishedName": "entryDn",
                  "SidBytes": "ipaNTSecurityIdentifier",
                  "ThumbnailPhoto": "jpegPhoto",
                  "JpegPhoto": "jpegPhoto"
              }
          }
        }
      ],
      "Or": [
        {
          "Id": "orUCP",
          "Providers": {
            "ad": {"IgnoreExceptions": true},
            "ad2": {"IgnoreExceptions": true},
            "ipa": {"IgnoreExceptions": true}
          }
        }
      ]
    }
  }