Import Users from LDAP

LDAP User Import Overview

You can import Guardium user definitions from an LDAP server by configuring an import operation to obtain the appropriate set of users. You can run the import operation on demand, or schedule it to run on a periodic basis. You can elect to have only new users imported, or you can have existing user definitions replaced. In either case, LDAP groups can be imported as Guardium roles.

When importing LDAP users:

Configure LDAP User Import

  1. Select Access Management > LDAP Import to open the LDAP User Import panel.

  2. In the LDAP Host Name box, enter the IP address or host name for the LDAP server to be accessed.

  3. In the Port box, enter the port number for connecting to the LDAP server.

  4. Select the LDAP server type from the Server Type list.

  5. Mark the Use SSL Connection checkbox if Guardium is to connect to your LDAP server using an SSL (Secure Sockets Layer) connection.

    Note: Consult with your LDAP administrator regarding the setup within your LDAP infrastructure to determine the connection method used in your environment.

  6. In the Base DN box, specify the node in the tree at which to begin the search; for example, a company tree might begin like this: DC=encore,DC=corp,DC=root

  7. Optionally mark the Enable Upon Import box if you want imported users to be enabled immediately. The default is for users to be added disabled, which means you will have to enable them manually. This is the approach that is generally taken when you have to supply a password for the Guardium user account. On the other hand, if LDAP password authentication is being used, there is no need to manually input a password for the Guardium user definition, so in that case you may prefer to mark this checkbox.

  8. For Import Mode, select Add on to add, but not replace, member information, or select Override to replace existing member information. Regardless of the selection, no members will be deleted.

  9. In the Log In As box, enter the user account to use for the connection from the Guardium server.

  10. In the Password box, enter the password for the above user.

  11. In the Search Filter box, optionally enter LDAP search criteria. Typically, imports will be based on membership in an LDAP group, so the filter might use the memberOf attribute and look something like this: memberOf=CN=syyTestGroup,DC=encore,DC=corp,DC=root
    See your LDAP server documentation if you need help in this area.

  12. For Search Filter Scope, select One-Level to apply the search to the base level only, or Sub-Tree to apply the search to levels beneath the base level.

  13. In the Limit box, enter the maximum number of items to be returned. We recommend that you use this field to test new queries or modifications to existing queries, so that you do not inadvertently load an excessive number of members.

  14. In the Attribute to Import box, enter the LDAP attribute whose value is used to populate each imported group member. The default is CN.

  15. Click the Apply or Update button to save the configuration. (After you have saved the configuration once, the Apply button becomes an Update button.)

    Note: After saving an LDAP import configuration, you can perform the following tasks, each of which is described in a separate section. Because it is easy to miscode LDAP queries, we suggest that you test each new or modified query by using the Limit field (described above) and by running the query once on demand (see below), to verify that the correct set of members is being returned.

  16. Perform one of the following procedures:
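As an added example that is not Guardium code and not part of this page, the following Python models how the Import Mode, Enable Upon Import, Limit and Attribute to Import settings described above combine when LDAP query results are merged into existing Guardium user definitions. The GuardiumUser class, the import_users function and the sample LDAP entries are constructed for illustration and simplify the product's real behaviour.

```python
# Added example, not Guardium product code: a simplified model of how the
# LDAP import settings (Attribute to Import, Enable Upon Import, Import Mode,
# Limit) shape the resulting Guardium user definitions.
from dataclasses import dataclass, field

@dataclass
class GuardiumUser:
    name: str
    enabled: bool
    roles: set = field(default_factory=set)

def group_cn(dn: str) -> str:
    """Return the CN of a group DN such as 'CN=syyTestGroup,DC=encore,...'."""
    key, _, value = dn.split(",", 1)[0].partition("=")
    if key.strip().upper() != "CN":
        raise ValueError(f"group DN does not start with CN: {dn}")
    return value.strip()

def import_users(existing, entries, attribute="CN", mode="Add on",
                 enable=False, limit=None):
    """Merge LDAP search results into existing users (dict name -> GuardiumUser).
    'Add on' keeps an existing definition as-is; 'Override' replaces it with the
    imported one. No user is ever deleted, and LDAP groups (memberOf) are added
    as roles in either mode. Returns a new dict; 'existing' is left untouched."""
    if mode not in ("Add on", "Override"):
        raise ValueError(f"unknown Import Mode: {mode}")
    users = {n: GuardiumUser(u.name, u.enabled, set(u.roles)) for n, u in existing.items()}
    for entry in entries[:limit]:  # Limit caps how many results are processed
        attrs = {k.lower(): v for k, v in entry.items()}  # LDAP attribute names are case-insensitive
        name = attrs[attribute.lower()]
        roles = {group_cn(g) for g in attrs.get("memberof", [])}
        if name not in users:
            users[name] = GuardiumUser(name, enable, roles)  # new users follow Enable Upon Import
        elif mode == "Override":
            users[name] = GuardiumUser(name, enable, roles | users[name].roles)
        else:
            users[name].roles |= roles  # Add on: definition kept, roles still added
    return users

# Constructed sample results, as the LDAP Query Results panel might list them.
SAMPLE_ENTRIES = [
    {"cn": "alice", "memberOf": ["CN=syyTestGroup,DC=encore,DC=corp,DC=root"]},
    {"cn": "bob", "memberOf": ["CN=syyTestGroup,DC=encore,DC=corp,DC=root",
                               "CN=dba,DC=encore,DC=corp,DC=root"]},
    {"cn": "carol", "memberOf": []},
]
```

Calling import_users with limit=2 on the sample entries processes only alice and bob, which mirrors using the Limit field to test a query before loading the full set.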

Schedule LDAP User Import

If LDAP Import has not yet been configured, you must perform Configure LDAP User Import, above, before performing this procedure.

  1. If the LDAP User Import panel is not open, select Access Management > LDAP Import.

  2. Click the Modify Schedule button.

For instructions on how to use the general-purpose task scheduler, see Scheduling.

Once a schedule has been defined, a Pause button appears on the LDAP User Import panel. If you click that button, the schedule is paused, and the Pause button is replaced by a Resume button.

Run LDAP User Import

When you run LDAP user import on demand, you have the opportunity to accept or reject each of the users returned by the query. This is especially useful for testing purposes. If LDAP Import has not yet been configured, you must perform Configure LDAP User Import, above, before performing this procedure.

  1. If the LDAP User Import panel is not open, select Access Management > LDAP Import.

  2. Click the Run Once Now button. After the task completes, the set of members satisfying your selection criteria will be displayed in the LDAP Query Results panel.

  3. In the LDAP Query Results panel, you can optionally change the Import Mode for this operation only. Changing the selection here will not change the configuration for subsequent operations:

  4. Mark the checkbox for each user you want added, and click Import (or click Cancel to return without importing any users). If a selected user has LDAP roles defined, those will be added as well, regardless of the Import Mode selected. You will be notified that the users have been saved.

  5. To view the added users, select Access Management > User Browser to open the User Browser panel. If the Enable Upon Import box was not marked, all users just added will be disabled. To enable a disabled user:

  6. To verify that LDAP groups have been added as roles, do one of the following: