Users synchronization

The user is one of the fundamental data model entities. Only defined users are allowed to connect to monitored servers. Fudo PAM features an automatic user synchronization service, which imports user information from Active Directory servers or other servers compatible with the LDAP protocol.


New user definitions and changes to existing objects are imported from the directory service periodically, every 5 minutes. Deleting a user object from an AD or LDAP server requires a full synchronization to reflect that change on Fudo PAM. The full synchronization process is triggered automatically once a day at 00:00, or can be triggered manually.

Note

  • Fudo PAM supports nested LDAP groups.
  • Users imported from the directory service cannot be edited. To edit a user definition imported from an LDAP or an AD server, disable the Synchronize with LDAP option for the given user.

[Image: user_sync_param.png]

Configuring users synchronization service

To enable the user synchronization feature, proceed as follows.

  1. Select Settings > LDAP synchronization.
  2. Select Enabled.
  3. In case of a cluster configuration, from the Active cluster node drop-down list, select the node that will synchronize objects with the LDAP service.
  4. Click Add LDAP domain.
  5. Provide the domain’s name.
  6. Define the priority, which determines the order in which domains are queried.

Note

A lower number translates to a higher priority.

[Image: ldap_sync_general.png]

  7. In the Directory service section, select the data source type from the Server type drop-down list.
  8. Provide the user authentication information used to access user data on the given server.
  9. Enter the domain name to which imported users are assigned.
  10. Provide the base DN parameter for user objects (e.g. DC=devel,DC=whl).
  11. Provide the base DN parameter for group objects (e.g. DC=tech,DC=whl).

Note

The DN parameter should not contain any white space characters.

  12. Define the filter (or leave the default value) for user records that are subject to synchronization.
  13. Define the filter (or leave the default value) for user groups that are subject to synchronization.

[Image: ldap_directory_service.png]

  14. Select Block automatically to automatically block the local accounts of users that are blocked in the directory.
  15. Click the i icon in the LDAP controllers section to define the directory service server.
  16. Provide the IP address and port number.

Note

In case of a TLS-encrypted connection, define the LDAP server’s address using its full domain name (e.g. tech.ldap.com) instead of an IP address, so that the certificate is verified properly. Make sure that the given server name is included in the certificate’s Common Name field.

  17. Select the Page LDAP results option to enable paging.
  18. Select the Encrypted connection option to enable encryption and upload the CA certificate.

Note

Click the i icon to add more directory servers.

[Image: ldap_controllers.png]

  19. Define the user information mapping.

Note

Fields mapping enables importing user information from nonstandard attributes, e.g. a telephone number defined in an attribute named mobile instead of the standard telephoneNumber.

[Image: ldap_fields_mapping.png]

  20. Click the i icon in the Groups mapping section to define the assignment of user groups to safes.
  21. Type in the user group name and select the desired entry.

[Image: ldap_groups.gif]

  22. Assign safes to user groups.
  23. Assign external authentication sources to user groups.

Note

External authentication sources are assigned to users in the exact sequence in which they are defined in the groups mapping. Thus, if the same user is present in more than one group, Fudo PAM authenticates the user against external authentication sources starting from those defined in the first group mapping.

For example:

A user is assigned to groups A and B. Group B is mapped to Safe RDP and has the CERB and Radius authentication sources assigned. Group A is second in order; it is mapped to Safe SSH and has the AD authentication source assigned.

[Image: group_mappings.png]

When authenticating the user, Fudo PAM sends requests to the external authentication sources in the following order:

  1. CERB.
  2. Radius.
  3. AD.

  24. Click Save.
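The ordering rule from the note above, combined with nested group support, as an added worked example in Python. This is illustration code written for this page, not Fudo PAM's own implementation: the group entries, user DNs and group mappings are constructed, and keeping a source that appears in more than one mapping at its first position is an assumption the page does not state.

```python
"""Nested LDAP group expansion and group-mapping order (worked example)."""
from typing import Dict, List, Set, Tuple

# Constructed sample directory content (not from the page): each group DN maps
# to the DNs in its "member" attribute; a member may itself be a group.
GROUPS: Dict[str, List[str]] = {
    "CN=A,OU=Groups,DC=devel,DC=whl": [
        "CN=alice,OU=Users,DC=devel,DC=whl",
        "CN=Nested,OU=Groups,DC=devel,DC=whl",
    ],
    "CN=B,OU=Groups,DC=devel,DC=whl": [
        "CN=alice,OU=Users,DC=devel,DC=whl",
        "CN=bob,OU=Users,DC=devel,DC=whl",
    ],
    # Nested is a member of A and lists A as a member: a membership cycle.
    "CN=Nested,OU=Groups,DC=devel,DC=whl": [
        "CN=carol,OU=Users,DC=devel,DC=whl",
        "CN=A,OU=Groups,DC=devel,DC=whl",
    ],
}

# Group mappings in the order they are defined in the UI. The page states that
# this order decides the sequence of external authentication sources.
MAPPINGS: List[dict] = [
    {"group": "CN=B,OU=Groups,DC=devel,DC=whl",
     "safes": ["Safe RDP"], "auth_sources": ["CERB", "Radius"]},
    {"group": "CN=A,OU=Groups,DC=devel,DC=whl",
     "safes": ["Safe SSH"], "auth_sources": ["AD"]},
]


def expand_group(group_dn: str, groups: Dict[str, List[str]]) -> Set[str]:
    """Return every user DN that is a direct or nested member of group_dn.

    A visited set stops the walk when groups contain each other, so a cycle
    in the directory cannot make the expansion loop forever.
    """
    users: Set[str] = set()
    visited: Set[str] = set()
    stack = [group_dn]
    while stack:
        current = stack.pop()
        if current in visited:
            continue
        visited.add(current)
        for member in groups.get(current, []):
            if member in groups:
                stack.append(member)  # member is itself a group: descend
            else:
                users.add(member)
    return users


def groups_of_user(user_dn: str, groups: Dict[str, List[str]]) -> Set[str]:
    """All group DNs whose direct or nested membership includes user_dn."""
    return {g for g in groups if user_dn in expand_group(g, groups)}


def resolve_user(user_dn: str, groups: Dict[str, List[str]],
                 mappings: List[dict]) -> Tuple[List[str], List[str]]:
    """Safes and the external authentication source order for user_dn.

    Mappings are walked in configured order. A source listed by more than one
    mapping is kept at its first position (assumption of this example).
    """
    member_of = groups_of_user(user_dn, groups)
    safes: List[str] = []
    auth_order: List[str] = []
    for mapping in mappings:
        if mapping["group"] not in member_of:
            continue
        for safe in mapping["safes"]:
            if safe not in safes:
                safes.append(safe)
        for source in mapping["auth_sources"]:
            if source not in auth_order:
                auth_order.append(source)
    return safes, auth_order


if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        dn = f"CN={user},OU=Users,DC=devel,DC=whl"
        print(user, resolve_user(dn, GROUPS, MAPPINGS))
```

Running it reproduces the page's example for alice (member of A and B, mapping B first): safes Safe RDP then Safe SSH, and the sources queried as CERB, Radius, AD. carol is a member of A only through the nested group, so she gets Safe SSH and AD; the cycle between A and Nested is handled by the visited set rather than by trusting the directory to be acyclic.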

Note

  • The Force full synchronization option enables processing changes in the directory structure that cannot be processed during the periodic synchronization, e.g. deleting a defined group or deleting a user.
  • The full synchronization process is triggered automatically once a day at 00:00, or can be triggered manually.
  • Use the diagnostics tools to troubleshoot problems with the LDAP configuration.
  • Fudo PAM supports nested LDAP groups.
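Before the first synchronization it helps to check the entered values against the rules this page states: no white space in base DNs, well-formed search filters, and a TLS controller addressed by a name that its certificate actually carries. The checks below are an added example written for this page, not a Fudo PAM diagnostics tool; the settings values are constructed, the filter check is a simplified reading of RFC 4515 that validates structure only, and accepting SAN dNSName entries in addition to the Common Name goes beyond what the page states.

```python
"""Pre-flight checks for LDAP synchronization settings (worked example)."""
import ipaddress
import re
from typing import List

# One search-filter item: attribute, matching operator, value (simplified RFC 4515).
_ITEM = re.compile(r"^([^=()]+?)(~=|>=|<=|:=|=)(.*)$")


def check_base_dn(dn: str) -> List[str]:
    """Page rule: a base DN must not contain any white-space characters."""
    if not dn:
        return ["base DN is empty"]
    if any(ch.isspace() for ch in dn):
        return ["base DN contains white space"]
    return []


def _parse_filter(s: str, pos: int) -> int:
    """Parse one parenthesised filter at s[pos]; return the offset after its ')'."""
    if pos >= len(s) or s[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    if pos >= len(s):
        raise ValueError("filter ends after '('")
    if s[pos] in "&|":                      # and / or: a list of sub-filters
        pos += 1
        while pos < len(s) and s[pos] == "(":
            pos = _parse_filter(s, pos)
    elif s[pos] == "!":                     # not: exactly one sub-filter
        pos = _parse_filter(s, pos + 1)
    else:                                   # simple item such as objectClass=user
        end = s.find(")", pos)
        if end == -1:
            raise ValueError(f"missing ')' for item at offset {pos}")
        item = s[pos:end]
        match = _ITEM.match(item)
        if not match or "(" in match.group(3):
            raise ValueError(f"malformed item {item!r} at offset {pos}")
        pos = end
    if pos >= len(s) or s[pos] != ")":
        raise ValueError(f"expected ')' at offset {pos}")
    return pos + 1


def check_filter(flt: str) -> List[str]:
    """Structural check of a search filter: balanced parentheses and well-formed
    items. It does not know which attributes the directory actually has."""
    try:
        end = _parse_filter(flt, 0)
    except ValueError as exc:
        return [f"filter syntax: {exc}"]
    if end != len(flt):
        return [f"filter syntax: unexpected text at offset {end}"]
    return []


def _name_matches(pattern: str, host: str) -> bool:
    """Exact match, or a wildcard in the leftmost label only."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        p_labels, h_labels = pattern.split("."), host.split(".")
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    return False


def check_tls_address(address: str, cert_names: List[str]) -> List[str]:
    """Page rule for Encrypted connection: address the controller by its full
    domain name, not an IP, and make sure the certificate carries that name.
    cert_names holds the Common Name plus any SAN dNSName entries (assumption)."""
    try:
        ipaddress.ip_address(address)
    except ValueError:
        pass                                # not an IP literal: a host name
    else:
        return ["address is an IP literal; use the server's full domain name"]
    if not any(_name_matches(name, address) for name in cert_names):
        return [f"{address!r} is not covered by certificate names {cert_names}"]
    return []


if __name__ == "__main__":
    # Constructed settings, each with the kind of mistake the check catches.
    print(check_base_dn("DC=devel, DC=whl"))
    print(check_filter("(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))"))
    print(check_tls_address("10.0.0.5", ["tech.ldap.com"]))
```

Each function returns a list of problems, empty when the value passes, so the checks compose into a single report for a domain's settings. The filter in the demonstration is missing its final closing parenthesis, which the parser reports by offset rather than as a silent empty result set at synchronization time.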

Related topics: