Integration with Active Directory
General
Integration with Active Directory lets you improve data storage security by linking Windows user accounts to Universe MDM users and managing system access rights.
Integration in Universe MDM is configured by creating LDAP connections in the "Access Directory" section.
Note
The "Access Directory" section is available only to users assigned a role that has the Access Directory right.
Universe MDM uses the LDAP protocol to interact with Active Directory (and with other authentication methods).
For integration, an LDAP server is created and connected to Active Directory. Active Directory has its own object structure, which is configured for the IT infrastructure in question.
Different versions of Active Directory may also use different filters. To check the filter settings, use the "Check Connection" button.
The LDAP request structure can be created by an Active Directory administrator.
If you have difficulties setting up the integration, search the Internet. Useful links:
Creating LDAP Connection in Universe MDM
To create a connection:
Make sure the "Access Directory" section is open.
Fill in the basic parameters in the "LDAP connection" tab (Figure 1):
Server URL. Mandatory.
Port. Mandatory. Default values: 636 with an SSL certificate, 389 without one.
Login. Mandatory. The value of the AD "distinguishedName" attribute (for example, "CN=mdmADTest,CN=Users,DC=achrf,DC=en").
Password. When updating a connection, the password does not need to be re-entered if it has not changed.
Use SSL certificate. Enabling this flag assumes that the certificate is installed in Java on the MDM server.
Membership. Name of the attribute that lists the groups the user belongs to. Fill it in according to the AD settings. If the field is empty or filled in incorrectly, the user will not be bound to their groups.
Maximum number of users. By default AD returns no more than 1000 records, and there is no pagination. If the AD server setting has been raised, this parameter can be edited, but not above the value specified in the server settings.
If necessary, click "Test Configuration" to check that the connection is correct.
A forced start of the synchronization operation is available via the "Synchronize" button.
Go to the "Security Domains" tab.
Fill in the basic parameters of the domain (Figure 2):
Security domain. Mandatory. Name of the security domain.
User search base. Base for the search. For example, if "distinguishedName" is "CN=mdmADTest,CN=Users,DC=achrf,DC=en", specify "CN=Users,DC=achrf,DC=en" in this field.
User filter. Additional user filter. To find the user named "mdmADTest", specify the filter (&(objectcategory=user)(CN=mdmADTest)). The filter supports searching by mask: to find the users "mdmADTest_1", "mdmADTest_2" and "mdmADTest", specify the filter (&(objectcategory=user)(CN=mdmADTes*)).
Group search base. Filled in in the same way as "User search base", but for groups.
Group filter. Filled in in the same way as "User filter", but for groups. For example, specifying (|(CN=Administrator*)) in this field makes all groups starting with "Administrator" (Administrators, Role Administrator, etc.) available.
Click "Preview" to make sure that the parameters are correct and the necessary groups/users are selected. This retrieves the users and groups from the AD server according to the filters in the domain settings and displays them.
To configure how regularly synchronization runs, go to the "Schedule" tab.
In the CRON expression field, set the frequency at which synchronization starts. Hovering the cursor over the icon at the end of the field shows a tooltip with possible schedule options.
After making all the necessary changes, click "Save" in the upper right corner of the screen.
Figure 1. "LDAP connection" tab
Figure 2. "Security Domains" tab
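An added, offline model of the "Preview" step and of the group binding controlled by the "Membership" field (example code written for this page, not Universe MDM code). It applies the search bases, filters and membership attribute described above to a constructed sample directory, so you can see which entries a filter selects, how the search base and the user cap narrow the result, and why an empty or wrong membership attribute leaves a user without groups. Matching follows LDAP semantics, so `CN=Administrator*` is a prefix match; the entries, DNs and group names are assumptions.

```python
import re
def entry(cn, container, category, member_of=()):
    # Constructed, simplified AD entry: objectCategory holds the short name the page's
    # filters use (real AD stores a schema DN there); memberOf lists group DNs.
    return {"distinguishedName": f"CN={cn},{container},DC=achrf,DC=en", "CN": cn,
            "objectCategory": category, "memberOf": list(member_of)}

ENTRIES = [  # constructed sample directory, not a real domain
    entry("mdmADTest", "CN=Users", "user", ["CN=Administrators,CN=Users,DC=achrf,DC=en",
                                            "CN=Domain Users,CN=Users,DC=achrf,DC=en"]),
    entry("mdmADTest_1", "CN=Users", "user"), entry("mdmADTest_2", "CN=Users", "user"),
    entry("mdmADTest", "OU=Service", "user"),  # same CN, but outside the CN=Users search base
    entry("Administrators", "CN=Users", "group"), entry("Role Administrator", "CN=Users", "group"),
]

def parse_filter(s):
    """RFC 4515 subset the page uses: (&..), (|..), (attr=value*); no escape decoding."""
    def node(i):
        if i >= len(s) or s[i] != "(": raise ValueError(f"expected '(' at offset {i}")
        if s[i + 1] in "&|":  # AND / OR over the nested filters that follow
            op, i, kids = s[i + 1], i + 2, []
            while i < len(s) and s[i] == "(":
                kid, i = node(i); kids.append(kid)
            if i >= len(s) or s[i] != ")": raise ValueError("unbalanced parentheses")
            return (op, kids), i + 1
        j = s.index(")", i)  # simple item attr=value; '*' in the value is the wildcard
        attr, val = s[i + 1:j].split("=", 1)
        return ("=", attr.lower(), val), j + 1
    tree, end = node(0)
    if end != len(s): raise ValueError("trailing text after filter")
    return tree

def matches(tree, e):
    """Evaluate a parsed filter against one entry (case-insensitive, as AD matches)."""
    if tree[0] in "&|": return (all if tree[0] == "&" else any)(matches(k, e) for k in tree[1])
    _, attr, pattern = tree
    rx = ".*".join(re.escape(p) for p in pattern.split("*"))
    vals = {k.lower(): v for k, v in e.items()}.get(attr, [])
    return any(re.fullmatch(rx, v, re.I) for v in ([vals] if isinstance(vals, str) else vals))

def preview(base, filt, max_users=1000):
    """What 'Preview' lists: entries under the search base passing the filter, cut at the server page size."""
    tree, tail = parse_filter(filt), "," + base.lower()
    return [e for e in ENTRIES if e["distinguishedName"].lower().endswith(tail)
            and matches(tree, e)][:max_users]

def bound_groups(user, membership_attr, group_base, group_filter):
    """Groups the user is bound to: membership-attribute values that name a group the group filter selected."""
    synced = {g["distinguishedName"].lower() for g in preview(group_base, group_filter)}
    names = {k.lower(): v for k, v in user.items()}.get(membership_attr.lower(), [])
    return sorted(dn for dn in names if dn.lower() in synced)
```

Note that `(|(CN=Administrator*))` selects only names that start with "Administrator"; a group such as "Role Administrator" needs a substring mask like `(CN=*Administrator*)`.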
Saving Attribute Data from AD
To save AD attribute data in Universe MDM user accounts, create additional user parameters.
The "Name" field (the name of the parameter) must match the name of the AD attribute.
After synchronization, the additional parameters are filled with the values of the AD user attributes.
If you change the values of the additional parameters through the Universe MDM interface, they will be overwritten with the values from AD at the next synchronization.
Authorization via AD
Authorization via AD works without any additional settings. The user is loaded, saved and added to the groups that already exist in Universe MDM. The Windows account login is used for authorization.
Synchronization with AD
The Active Directory configuration is read from the database.
Groups are loaded for all domains and then saved or updated in Universe MDM. Groups that do not match the filters are removed from the system.
Next, users are loaded (for all domains) and saved or updated in the system. If a user already exists (for example, was created through the interface), it is not saved or updated with information from AD.
Users who have access to the "Roles" and "Users" security resources receive a report in the system Notifications. Only personal roles are checked; roles inherited from groups are ignored. A detailed report is available by clicking "Details".