This page describes how to set up Axidian Privilege integration with Active Directory, FreeIPA and OpenLDAP user directories.

To change the user catalog reading parameters, you need to edit the UserCatalog section in the Core and Idp configuration files.

Path to the Core configuration file:

WindowsC:\inetpub\wwwroot\pam\core\appsettings.json
Linux/etc/indeed/indeed-pam/core/appsettings.json


Path to the IdP configuration file:

WindowsC:\inetpub\wwwroot\pam\idp\appsettings.json
Linux/etc/indeed/indeed-pam/idp/appsettings.json

Setting up Integration with Active Directory

The configuration files initially contain settings for integration with Active Directory, no additional changes are required.

Setting Up a Search for Users Belonging to a Security Group

To set up a search for users belonging to a specified security group you need to configure the CatalogFilter parameter.

"CatalogFilter": "memberOf=cn=Admins,CN=Builtin,DC=vdd,DC=com"


"CatalogFilter": "(|(memberOf=cn=Admins,CN=Builtin,DC=vdd,DC=com) (memberOf=cn=PrivelledgeAccounts,OU=Groups,DC=vdd,DC=com) (memberOf=cn=Admins1,OU=PAMUsers,DC=vdd,DC=com))"


The ContainerPath parameter must also be filled in, because only those users who are members of the OU that you specified in the value of the CatalogFilter parameter will be read.


"UserCatalog": {
  "RootProvider": "ad1",
  "Providers": {
    "Ldap": [
      {
        "Id": "ad1",
        "ConnectorType": "Ldap",
        "LdapServerType": "ActiveDirectory",
        "Domain": "indeed.test",
        "Port": 636,
        "AuthType": "Basic",
        "SecureSocketLayer": true,
        "ContainerPath": "OU=UsersPAM,DC=indeed,DC=test",
        "CatalogFilter": "memberOf=cn=SecurityGroup,OU=PAMUsers,DC=indeed,DC=test",
        "UserName": "IPAMADReadOps@indeed.test",
        "Password": "qwe123",
        "UserMapRules": {
          "Settings": [
            {
              "Category": "person",
              "Class": "user"
            }
          ]
        }
      }
    ]
  }
}



For more information on configuring the CatalogFilter parameter, see the Microsoft documentation.

Setting Up Integration with FreeIpa

To set up an integration with the FreeIPA user directory, users of the directory must have the following attributes:

  • entryUUID or ipaUniqueID
  • cn
  • entryDn
  • ipaNTSecurityIdentifier
  • krbPrincipalName
  • uid


{
  "Id": "ad",
  "ConnectorType": "Ldap",
  "LdapServerType": "FreeIpa",
  "Domain": "ald.sup", // Name of the domain or specific controller
  "Port": 389, // 389 for connecting via LDAP, 636 for connecting via LDAPS
  "AuthType": "Basic",
  "SecureSocketLayer": false,// false for connecting via LDAP, true for connecting via LDAPS
  "ContainerPath": "dc=ald,dc=sup",
  "UserName": "uid=pamread,cn=users,cn=accounts,dc=ald,dc=sup", // Domain access credentials. Must be in distiguishedName format, the account must have read permissions for the required attributes
  "Password": "Q1w2e3r4", // Account password to access the domain
  "GroupMapRules": {
    "Settings": [
     {
      "Category": "",
      "Class": "ipantgroupattrs"
      }
    ],
    "Attributes": {
      "Id": "ipaUniqueID",
      "Name": "cn",
      "SamAccountName": "cn",
      "CanonicalName": "cn",
      "DistinguishedName": "entryDn",
      "SidBytes": "ipaNTSecurityIdentifier"
     }
    },
    "UserMapRules": {
      "Settings": [
       {
        "Category": "",
        "Class": "person"
       }
      ],
      "Attributes": {
        "Id": "ipaUniqueID",
        "Name": "cn",
        "PrincipalName": "krbPrincipalName",
        "SamAccountName": "uid",
        "DistinguishedName": "entryDn",
        "SidBytes": "ipaNTSecurityIdentifier",
        "ThumbnailPhoto": "jpegPhoto",
        "JpegPhoto": "jpegPhoto"
       }
    }
}



If directory users have an entryUUID attribute and have no ipaUniqueID attribute, then in the GroupMapRules and UserMapRules sections in the Attributes section, you need to remove the "Id": "ipaUniqueID" parameter.

Setting Up Integration with OpenLDAP

To set up an integration with the OpenLDAP  user directory, users of the directory must have the following attributes:

  • cn
  • entryDn
  • uid

Example of the UserCatalog section for OpenLDAP user directory


{
  "Id": "oldap",
  "ConnectorType": "Ldap",
  "LdapServerType": "OpenLdap",
  "Domain": "oldap.local", // Name of the domain or specific controller
  "Port": 389, // 389 for connecting via LDAP, 636 for connecting via LDAPS
  "AuthType": "Basic",
  "SecureSocketLayer": false, // false for connecting via LDAP, true for connecting via LDAPS 
  "ContainerPath": "DC=oldap,DC=local",
  "UserName": "cn=IPAMADReadOps,dc=oldap,dc=local", // Domain access credentials. Must be in distiguishedName format, the account must have read permissions for the required attributes 
  "Password": "QWEqwe123", // Account password to access the domain
  "GroupMapRules": {
    "Settings": [
      {
        "Category": "",
        "Class": "groupOfUniqueNames"
      }
    ],
    "Attributes": {
      "Name": "cn",
      "SamAccountName": "cn",
      "CanonicalName": "cn",
      "DistinguishedName": "entryDn",
      "Members": "uniqueMember"
    }
  },
  "UserMapRules": {
    "Settings": [
      {
        "Category": "",
        "Class": "inetOrgPerson"
      }
    ],
    "Attributes": {
      "Name": "cn",
      "SamAccountName": "uid",
      "DistinguishedName": "entryDn",
      "ThumbnailPhoto": "photo",
      "JpegPhoto": "photo"
    }
  }
}


Setting Up an Integration with Multiple User Directories

To set up an integration with multiple user directories, please follow these steps:

  1. Change the RootProvider parameter value to "orUCP".
  2. In the Ldap section, list the user directories with which integration is required, separated by commas. Provider IDs must not match. The IDs of the providers that PAM previously worked with should not change.
  3. Add the Or section from the example below, in which write the Ids of the providers sections.


"UserCatalog": {
    "RootProvider": "orUCP",
    "Providers": {
      "Ldap": [
        {
          "Id": "ad",
          "ConnectorType": "Ldap",
          "LdapServerType": "ActiveDirectory",
          "Domain": "indeed.test",
          "Port": 636,
          "AuthType": "Basic",
          "SecureSocketLayer": true,
          "ContainerPath": "OU=UsersPAM,DC=indeed,DC=test",
          "UserName": "IPAMADReadOps@indeed.test",
          "Password": "qwe123",
          "UserMapRules": {
            "Settings": [
              {
                "Category": "person",
                "Class": "user"
              }
            ]
          }
        },
        {
          "Id": "ad2",
          "ConnectorType": "Ldap",
          "LdapServerType": "ActiveDirectory",
          "Domain": "indeed.test",
          "Port": 636,
          "AuthType": "Basic",
          "SecureSocketLayer": true,
          "ContainerPath": "OU=UsersPAM,DC=indeed,DC=test",
          "UserName": "IPAMADReadOps@indeed.test",
          "Password": "qwe123",
          "UserMapRules": {
            "Settings": [
              {
                "Category": "person",
                "Class": "user"
              }
            ]
          }
        },
        {
          "Id": "ipa",
          "ConnectorType": "Ldap",
          "LdapServerType": "FreeIpa",
          "Domain": "ipa.redos",
          "Port": 389,
          "AuthType": "Basic",
          "SecureSocketLayer": false,
          "ContainerPath": "DC=ipa,DC=redos",
          "UserName": "uid=IPAMADReadOps,cn=users,cn=accounts,dc=ipa,dc=redos",
          "Password": "qwe123",
          "GroupMapRules": {
            "Settings": [
              {
                "Category": "",
                "Class": "ipantgroupattrs"
              }
            ],
            "Attributes": {
              "Name": "cn",
              "SamAccountName": "cn",
              "CanonicalName": "cn",
              "DistinguishedName": "entryDn",
              "SidBytes": "ipaNTSecurityIdentifier"
            }
          },
          "UserMapRules": {
              "Settings": [
                {
                  "Category": "",
                  "Class": "person"
                }
              ],
              "Attributes": {
                  "Name": "cn",
                  "PrincipalName": "krbPrincipalName",
                  "SamAccountName": "uid",
                  "DistinguishedName": "entryDn",
                  "SidBytes": "ipaNTSecurityIdentifier",
                  "ThumbnailPhoto": "jpegPhoto",
                  "JpegPhoto": "jpegPhoto"
              }
          }
        }
      ],
      "Or": [
        {
          "Id": "orUCP",
          "Providers": {
            "ad": {"IgnoreExceptions": true},
            "ad2": {"IgnoreExceptions": true},
            "ipa": {"IgnoreExceptions": true}
          }
        }
      ]
    }
  }