AD/LDAP
Active Directory (AD) and Lightweight Directory Access Protocol (LDAP) Configuration
This document contains instructions for configuring AD/LDAP to allow sign-in to RegScale based on authentication provided by the customer's AD/LDAP infrastructure.
Purpose
Many customers have a central directory (whether AD or LDAP) that allows users to authenticate to enterprise applications. RegScale provides features that allow these customers to use their existing authentication infrastructure to provide access to RegScale resources. The benefits of this approach include:
- Central authentication infrastructure where users can be centrally managed based on onboarding and offboarding processes (with no orphaned accounts as can occur in forms-based authentication)
- Supports Multi-Factor Authentication (MFA) through external authentication providers
- Provides a central monitoring point for authentication for continuous monitoring
- Integrates with existing security tools for authentication including Adaptive Authentication approaches
Configuration
Each tenant within RegScale must be configured to allow authentication using AD/LDAP. Each tenant can be bound to different AD/LDAP infrastructure or groups to provide least privilege and segregation of data based on need-to-know groups. In order to configure AD/LDAP, do the following:
- Click the username in the top right corner of the application
- Select "Setup" then select "Identity & Access Management (IAM)" on the left menu
- Click the "Manage" button under AD/LDAP
- Click the checkbox to "Enable AD/LDAP" to display the configuration options
Once the checkbox is clicked, configuration becomes available to specify the unique AD/LDAP settings for the customer. These settings include:
- LDAP Server - provide the IP address or URL of the customer AD/LDAP server. NOTE: RegScale must have a viable network path to access this server, or it will fail to connect.
- LDAP Port - usually port 389 unless configured differently within the customer environment
- Use SSL? - check to force all communications to the AD/LDAP server to be encrypted via SSL. NOTE: The AD/LDAP server must be configured to support SSL.
- LDAP Bind DN - LDAP Distinguished Name (DN) that RegScale uses to connect (bind) to the AD/LDAP server (e.g., cn=AccountName,ou=Service,dc=CompanyName,dc=org)
- LDAP Bind DN Password - for the DN above, the password that allows this account to bind to the AD/LDAP server.
- Search Base DN - Organizational Unit (OU) for searching users (NOTE: It is recommended to create a smaller group just for RegScale users. AD/LDAP is typically configured to only allow syncing for up to 1000 users, which can cause problems for large group syncs. See help article.)
- Distinguished Name - Distinguished Name of a specific LDAP group that a user must be a member of to log into RegScale (i.e., distinguishedName)
- LDAP Filter - filter to apply to the Search Base DN to limit access (typically to a group); typically used for supporting nested groups (e.g., (&(objectCategory=*)(memberOf=cn=myGroupName,ou=Service,dc=CompanyName,dc=org)))
- LDAP Username Attribute - the username attribute for authentication. For AD, it is usually sAMAccountName. For OpenLDAP, it is usually uid.
The remaining attributes are user field attributes and should be self-explanatory.
Once finished with configuration, click the "Save" button in the toolbar to complete the configuration.
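As an added illustration (not RegScale's own code) of how the "LDAP Filter" and "LDAP Username Attribute" settings combine when a user is looked up at login, the following Python builds that lookup filter and escapes the entered username per RFC 4515, so that characters such as "*", "(" and ")" in the typed name cannot change the structure of the configured filter. The function names are assumptions for this example.

```python
# Added example: builds an LDAP login lookup filter from the settings described above.
# Not RegScale code; function names and behaviour are assumptions for illustration.
import re
from typing import Optional

# RFC 4515 section 3: these characters must be written as \XX inside a filter value.
_RFC4515_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value that is about to be embedded in an LDAP search filter."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter(username: str,
                       username_attr: str = "sAMAccountName",
                       group_filter: Optional[str] = None) -> str:
    """
    Return the filter used to locate the account that is trying to log in.

    username_attr  - the "LDAP Username Attribute" (sAMAccountName for AD, uid for OpenLDAP)
    group_filter   - the configured "LDAP Filter" (e.g. the memberOf restriction); when
                     present it is AND-ed with the username clause so a user outside the
                     group is never matched, even with a valid password.
    """
    # Attribute names come from the administrator, not the login form, but still
    # validate them against the LDAP attribute-type syntax (RFC 4512).
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", username_attr):
        raise ValueError(f"invalid attribute name: {username_attr!r}")
    user_clause = f"({username_attr}={escape_filter_value(username)})"
    if group_filter:
        return f"(&{group_filter}{user_clause})"
    return user_clause


if __name__ == "__main__":
    nested = "(&(objectCategory=*)(memberOf=cn=myGroupName,ou=Service,dc=CompanyName,dc=org))"
    print(build_login_filter("jdoe", "sAMAccountName", nested))
    # A malformed name is neutralised rather than rewriting the filter:
    print(build_login_filter("*)(objectClass=*", "uid"))
```

The same escaping should be applied to any value taken from a login form before it is placed in a search filter; the group filter itself is trusted administrator configuration and is used verbatim.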
Syncing Users
Once the AD/LDAP configuration is complete, the next step is to sync the users from the RegScale Login Group so that they will be able to successfully authenticate. Click the "AD Sync" button to have the users synced between RegScale and the customer AD/LDAP (NOTE: This sync only includes metadata; no passwords, secrets or hashes are synced from AD/LDAP). Once you click sync, the following steps will complete:
- RegScale will test the connection to ensure it was successful.
- RegScale will query the user group provided and parse the list of users.
- RegScale will display the list of attributes available in AD/LDAP to assist with mapping properties for the sync
- RegScale will create new users, remove users, and update metadata based on the result of the parsing.
As applicable, the RegScale administrator should re-sync AD/LDAP based on any relevant changes. NOTE: RegScale provides APIs for scripting the sync based on the customer's desired frequency to remove the manual sync step. You can also click the checkbox at the top to auto-enable AD/LDAP syncing every 24 hours.
Removing Users
In the event that a sync was configured improperly, and you wish to undo it, take the following steps:
- Login with the admin account
- Select the tenant you wish to remove.
- Go to Identity and Access Management, then AD/LDAP "Manage"
- Click the "Remove All" button to remove all AD/LDAP accounts, notes below:
- NOTE: This action is destructive and cannot be undone.
- It will first attempt to delete the user if they don't have any dependent records
- If unable to delete due to a dependency, it will de-activate the user accounts
Testing AD/LDAP Authentication
After completing the sync, log out of RegScale to reset your credentials and complete the AD/LDAP login process:
- Click the "Login" button on the menu bar
- Enter your username (NOTE: this may be cached/remembered based on your browser)
- If the user is flagged as an AD/LDAP user, the login type header will change to "LDAP"
- Enter your AD/LDAP user account and password to attempt to authenticate
- Click the Login button to authenticate against AD/LDAP
If the credentials are correct, RegScale should sign you into the application using your AD/LDAP username and password.
Updated about 1 year ago