Run LDAP User Import (on demand)
You can import Guardium user definitions from an LDAP server by configuring an import operation to obtain the appropriate set of users. You can run the import operation on demand, or schedule it to run on a periodic basis. You can elect to have only new users imported, or you can have existing user definitions replaced. In either case, LDAP groups can be imported as Guardium roles.
When importing LDAP users:
The Guardium admin user definition will not be changed in any way.
Existing users will not be deleted (in other words, the entire set of users is not replaced by the set imported from LDAP).
Guardium passwords will not be changed.
New users being added to Guardium:
Will be marked inactive
Will have blank passwords
Will be assigned the user role
Select Access Management > LDAP Import to open the LDAP User Import panel.
In the LDAP Host Name box, enter the IP address or host name for the LDAP server to be accessed.
In the Port box, enter the port number for connecting to the LDAP server.
Select the LDAP server type from the Server Type list.
Mark the Use SSL Connection checkbox if Guardium is to connect to your LDAP server using an SSL (Secure Sockets Layer) connection.
Note: Consult with your LDAP administrator regarding the setup within your LDAP infrastructure to determine the connection method used in your environment.
In the Base DN box, specify the node in the tree at which to begin the search; for example, a company tree might begin like this: DC=encore,DC=corp,DC=root
Optionally mark the Enable Upon Import box if you want imported users to be enabled immediately. The default is for users to be added disabled, which means you will have to enable them manually. This is the approach that is generally taken when you have to supply a password for the Guardium user account. On the other hand, if LDAP password authentication is being used, there is no need to manually input a password for the Guardium user definition, so in that case you may prefer to mark this checkbox.
For Import Mode, select Add on to add, but not replace member information, or select Override to replace existing member information. Regardless of the selection, no members will be deleted.
In the Log In As box, enter the user account to use for the connection from the Guardium server.
In the Password box, enter the password for the above user.
In the Search Filter box, optionally enter LDAP search criteria. Typically, imports will be based on membership in an LDAP group, so the filter might use the memberOf attribute and look something like this: memberOf=CN=syyTestGroup,DC=encore,DC=corp,DC=root
See your LDAP server documentation if you need help in this area.
For Search Filter Scope, select One-Level to apply the search to the base level only, or Sub-Tree to apply the search to levels beneath the base level.
In the Limit box, enter the maximum number of items to be returned. We recommend that you use this field to test new queries or modifications to existing queries, so that you do not inadvertently load an excessive number of members.
In the Attribute to Import box, enter the LDAP attribute to be used to populate the group member. The default is CN.
Click the Apply or Update button to save the configuration. (After you have saved the configuration once, the Apply button becomes an Update button.)
Note: After saving an LDAP import configuration, you can perform the following tasks, each of which is described in a separate section. Because it is easy to miscode LDAP queries, we suggest that you test each new or modified query by using the Limit field (described above) and by running the query once on demand (see below), to verify that the correct set of members is being returned.
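The Base DN, Search Filter, Search Filter Scope, Limit and Attribute to Import settings described above, simulated in Python against a small constructed directory. This is an added illustration, not Guardium code and not a real LDAP client: the DIRECTORY entries, the ldap_import_query function and the one-clause filter evaluator are assumptions made for this example, and One-Level/Sub-Tree follow standard LDAP scope semantics (direct children of the base versus all entries beneath it). The filter builder escapes the group DN as RFC 4515 requires, so a group name containing `(`, `)`, `*` or `\` cannot change the structure of the filter you save in the panel.

```python
"""Simulate the Base DN / Search Filter / Scope / Limit / Attribute to Import
settings of the LDAP User Import panel against a constructed directory.
Added example; not Guardium code and not a real LDAP client."""
import re

# Characters RFC 4515 requires to be escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_SIMPLE_FILTER = re.compile(r"^\((?P<attr>[A-Za-z][\w;-]*)=(?P<value>.*)\)$")


def escape_filter_value(value):
    """Escape a string for safe use as an LDAP filter assertion value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_member_of_filter(group_dn):
    """Build the (memberOf=<group DN>) filter the page suggests, escaped."""
    return "(memberOf=%s)" % escape_filter_value(group_dn)


def _unescape(value):
    """Reverse RFC 4515 \\XX hex escapes."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _rdns(dn):
    """Split a DN into lower-cased RDNs; a backslash-escaped comma stays in its value."""
    return [part.strip().lower() for part in re.split(r"(?<!\\),", dn)]


def in_scope(entry_dn, base_dn, scope):
    """One-Level: direct children of the base. Sub-Tree: any depth beneath it."""
    entry, base = _rdns(entry_dn), _rdns(base_dn)
    if len(entry) <= len(base) or entry[-len(base):] != base:
        return False                       # not located under the Base DN
    if scope == "one-level":
        return len(entry) == len(base) + 1
    if scope == "sub-tree":
        return True
    raise ValueError("scope must be 'one-level' or 'sub-tree'")


def matches_filter(entry, search_filter):
    """Evaluate a single (attribute=value) equality filter (all this toy supports)."""
    m = _SIMPLE_FILTER.match(search_filter)
    if not m:
        raise ValueError("only one (attribute=value) clause is supported here")
    want = _unescape(m.group("value")).lower()
    have = entry.get(m.group("attr").lower(), [])
    if isinstance(have, str):
        have = [have]
    return want in (v.lower() for v in have)


def ldap_import_query(directory, base_dn, search_filter, scope, limit, attribute="cn"):
    """Return the values of `attribute` (the Guardium user names) the import would
    load: in-scope entries matching the filter, capped at `limit`, which is the
    panel's safeguard against pulling in far more members than intended."""
    results = []
    for entry in directory:
        if in_scope(entry["dn"], base_dn, scope) and matches_filter(entry, search_filter):
            results.append(entry[attribute])
            if len(results) >= limit:
                break
    return results


# Constructed sample directory, reusing the DNs from the page's examples.
BASE_DN = "DC=encore,DC=corp,DC=root"
GROUP_DN = "CN=syyTestGroup,DC=encore,DC=corp,DC=root"
DIRECTORY = [
    {"dn": "CN=alice,DC=encore,DC=corp,DC=root", "cn": "alice", "memberof": [GROUP_DN]},
    {"dn": "CN=bob,OU=dba,DC=encore,DC=corp,DC=root", "cn": "bob", "memberof": [GROUP_DN]},
    {"dn": "CN=carol,OU=dba,DC=encore,DC=corp,DC=root", "cn": "carol",
     "memberof": ["CN=otherGroup,DC=encore,DC=corp,DC=root"]},
    {"dn": "CN=dave,DC=encore,DC=corp,DC=root", "cn": "dave", "memberof": [GROUP_DN]},
    {"dn": "CN=eve,DC=elsewhere,DC=root", "cn": "eve", "memberof": [GROUP_DN]},
]


def demo_query():
    """Run the same filter under the three scope/limit combinations worth comparing."""
    flt = build_member_of_filter(GROUP_DN)
    return {
        "one-level": ldap_import_query(DIRECTORY, BASE_DN, flt, "one-level", limit=10),
        "sub-tree": ldap_import_query(DIRECTORY, BASE_DN, flt, "sub-tree", limit=10),
        "sub-tree, limit 2": ldap_import_query(DIRECTORY, BASE_DN, flt, "sub-tree", limit=2),
    }


if __name__ == "__main__":
    for setting, users in demo_query().items():
        print("%-18s -> %s" % (setting, users))
```

Running it shows why the page recommends testing with Limit first: the same filter returns two users at One-Level (bob sits one OU deeper and is skipped), three at Sub-Tree, and a Limit of 2 silently truncates the Sub-Tree result, so a small limit is a way to check a new query without loading the whole group.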
Perform one of the following procedures:
If LDAP Import has not yet been configured, you must perform Configure LDAP User Import, above, before performing this procedure.
If the LDAP User Import panel is not open, select Access Management > LDAP Import.
Click the Modify Schedule button.
For instructions on how to use the general-purpose task scheduler, see Scheduling.
Once a schedule has been defined, a Pause button appears on the LDAP User Import panel. If you click that button, the schedule is paused, and the Pause button is replaced by a Resume button.
When you run LDAP user import on demand, you have the opportunity to accept or reject each of the users returned by the query. This is especially useful for testing purposes. If LDAP Import has not yet been configured, you must perform Configure LDAP User Import, above, before performing this procedure.
If the LDAP User Import panel is not open, select Access Management > LDAP Import.
Click the Run Once Now button. After the task completes, the set of members satisfying your selection criteria will be displayed in the LDAP Query Results panel.
In the LDAP Query Results panel, you can optionally change the Import Mode for this operation only. Changing the selection here will not change the configuration for subsequent operations:
Select Add on to add, but not replace member information.
Select Override to replace existing member information.
Regardless of the selection, no members will be deleted.
Mark the checkbox for each user you want added, and click Import (or click Cancel to return without importing any users). If a selected user has LDAP roles defined, those will be added as well, regardless of the Import Mode selected. You will be notified that the users have been saved.
To view the added users, select Access Management > User Browser to open the User Browser panel. If the Enable Upon Import box was not marked, all users just added will be disabled. To enable a disabled user:
Click the Edit link in the Actions column, to open the User Form panel.
Clear the Disabled checkbox.
Enter a password for the user in both the Password and Password (confirm) boxes.
Click the Update User button.
To verify that LDAP groups have been added as roles, do one of the following:
Open the Security Role Browser (select Access Management > Security Role Browser)
Click the Roles link for any of the new users.
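The rules stated on this page for what an on-demand import may and may not change (Add on versus Override, no deletions, admin and passwords untouched, new users disabled with a blank password and the user role, LDAP groups added as roles in either mode), followed by the manual enable step from the User Form, modelled in Python. This is an added example, not Guardium code: the user-table layout, the reading of "member information" as the LDAP-sourced attributes of a user, and all sample users are constructed assumptions.

```python
"""Model the user-table changes an on-demand LDAP import makes in Add on
versus Override mode, plus the manual enable step, following the rules
stated on this page. Added example; not Guardium code. The table layout,
the meaning of "member information" and the sample data are constructed."""
import copy

DEFAULT_ROLE = "user"     # role every newly imported user receives
ADMIN_USER = "admin"      # the admin definition is never changed by an import


def new_user_record(enable_upon_import):
    """Record for a user that did not exist before the import."""
    return {"disabled": not enable_upon_import,   # default: added disabled
            "password": None,                     # blank until set manually
            "roles": {DEFAULT_ROLE},
            "ldap_attrs": {}}


def apply_import(existing_users, selected, mode, enable_upon_import=False):
    """Return a new user table after importing the rows ticked in the
    LDAP Query Results panel.

    mode "add-on":   keep an existing user's member information as it is.
    mode "override": replace an existing user's member information.
    In both modes no user is deleted, no password changes, the admin
    definition is untouched, and LDAP groups are added as roles."""
    if mode not in ("add-on", "override"):
        raise ValueError("mode must be 'add-on' or 'override'")
    users = copy.deepcopy(existing_users)      # never mutate the caller's table
    for entry in selected:
        name = entry["username"]
        if name == ADMIN_USER:
            continue
        if name not in users:
            users[name] = new_user_record(enable_upon_import)
            users[name]["ldap_attrs"] = dict(entry.get("attrs", {}))
        elif mode == "override":
            users[name]["ldap_attrs"] = dict(entry.get("attrs", {}))
        # Groups become roles regardless of mode; existing roles are never removed.
        users[name]["roles"] |= set(entry.get("groups", []))
    return users


def enable_user(users, name, password, confirm):
    """Mirror the User Form: clear Disabled and set the password (both boxes)."""
    if not password or password != confirm:
        raise ValueError("password and confirmation must match and be non-empty")
    record = users[name]
    record["disabled"] = False
    record["password"] = password
    return record


# Constructed current user table and constructed rows ticked in the results panel.
EXISTING = {
    "admin": {"disabled": False, "password": "***", "roles": {"admin"}, "ldap_attrs": {}},
    "bob":   {"disabled": False, "password": "s3cret",
              "roles": {"user", "dba"}, "ldap_attrs": {"mail": "old@example.com"}},
    "zed":   {"disabled": True, "password": None, "roles": {"user"}, "ldap_attrs": {}},
}
SELECTED = [
    {"username": "admin", "attrs": {"mail": "x@example.com"}, "groups": ["syyTestGroup"]},
    {"username": "bob",   "attrs": {"mail": "bob@example.com"}, "groups": ["syyTestGroup"]},
    {"username": "alice", "attrs": {"mail": "alice@example.com"}, "groups": ["syyTestGroup"]},
]


def demo_import():
    """Import the same selection in both modes, then enable the new user by hand."""
    add_on = apply_import(EXISTING, SELECTED, "add-on")
    override = apply_import(EXISTING, SELECTED, "override")
    enable_user(add_on, "alice", "Tmp-Pass-1", "Tmp-Pass-1")
    return add_on, override


if __name__ == "__main__":
    for label, table in zip(("add-on", "override"), demo_import()):
        print(label)
        for user in sorted(table):
            print("  %-6s %s" % (user, table[user]))
```

The two resulting tables differ only in bob's LDAP-sourced attributes; in both, zed is still present, admin is untouched, bob keeps his password and existing roles while gaining the syyTestGroup role, and alice arrives disabled with no password until enable_user is called (or Enable Upon Import is set, which is the case to use when LDAP password authentication makes a Guardium password unnecessary).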