LDAP Sync Registration
Note
This registration form covers cross-domain identity management with Windows AD using LDAP.
Sequel Security Services can sync users and permissions from Windows AD over LDAP. This document lists the basic information needed to configure connectivity between the LDAP Sync service and Windows AD.
Configuration of the matching rules between Windows groups and Sequel Memberships is out of the scope of this document.
Connection settings
Basic information
The Sequel LDAP Sync service must be installed with access to both Windows AD and the Security API. LDAP connectivity requires the information below, which must be provided by the IT admin of the Windows AD:
Parameter | Type | Description |
---|---|---|
Host | string | A host name or a dotted string representing the IP address of a host running an LDAP server. It may also contain a space-delimited list of host names. Each host name can include a trailing colon and port number. |
Port | integer | The TCP or UDP port number to connect to or contact. The default LDAP port is 389 and the LDAPS port is 636 (used when SecureConnection is true). The Port parameter is ignored for any host name that includes a colon and port number. |
SecureConnection | boolean | If true, TLS is used for the connection to LDAP (LDAPS). Defaults to false. |
DN | string | If non-null and non-empty, the connection and all operations through it are authenticated with this value as the distinguished name. We highly recommend using a service account or user with only read permissions on Windows AD. |
Password | string | If non-null and non-empty, the connection and all operations through it are authenticated with DN as the distinguished name and this value as the password. |
Ports
In terms of connectivity, access to the following ports may be needed: 389, 636 and 3268, depending on whether AD is configured with LDAPS and whether the directory is part of a global catalog.
Port 3268. This port is used for queries specifically targeted at the global catalog. LDAP requests sent to port 3268 can search for objects in the entire forest, but only the attributes marked for replication to the global catalog can be returned. For example, a user's department cannot be returned using port 3268, since this attribute is not replicated to the global catalog. This is normally the port to use.
Port 636. Port for LDAPS.
Port 389. Although some background services may require access to this port for the LDAP sync process, the sync itself cannot use this port, as it does not support the type of queries being used.
Query settings
The users targeted by the sync are those that belong to a specific Windows group. Performing those queries requires the information below:
Property | Type | Description |
---|---|---|
Domain | string | Defines the domain assigned to the synced users. This domain is stored in the user record. This setting is important because the user is authenticated as {domain}{ssoUserName}. |
SearchBaseQuery | string | The base distinguished name to search from. Empty by default. The SearchBaseQuery indicates the base domain to be used in the queries. This value must be set if requests are made against the global catalog. The value should contain DC entries: if your base domain is office.local, the SearchBaseQuery should be DC=office,DC=local. |
GroupQueries | List of GroupQuery | List of LDAP queries that retrieve the DNs of the groups involved in the sync process. The vanilla configuration contains a single entry with the LDAP query (&(cn=Sequel Application Users)), so by default all users assigned to the group Sequel Application Users are synced. If there are no group queries, the process is cancelled. |
PageSize | int | Queries are paged using this setting as the page size. Default value is 1000. This value should be less than or equal to the maximum number of objects returned by a single query on the AD server. |
Inheritance of Windows groups is not supported.
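The connection and query tables above describe rules that are easy to get wrong when filling in the registration form (which port a host actually ends up on, what SearchBaseQuery should look like for a given domain, when the sync would be cancelled). The following is an added example, not Sequel's code: it resolves the endpoints from Host/Port/SecureConnection, derives the DC-style base DN from a domain name, escapes group DNs before embedding them in a filter, and runs the pre-checks a registration should pass before anyone binds with the service account. The class and function names, the member filter and the use of the third-party ldap3 package for the optional live lookup are assumptions of this example; the port numbers, defaults and rules are the ones stated in the tables.

```python
# Added example, not Sequel's code: resolve and pre-check LDAP Sync settings.
# Port numbers, defaults and rules follow the configuration tables; the class,
# function names and the member filter are assumptions of this example.
from dataclasses import dataclass, field
from typing import Iterator, List, Optional, Tuple

LDAP_PORT = 389             # plain LDAP; the sync cannot use it for its queries
LDAPS_PORT = 636            # LDAP over TLS, chosen when SecureConnection is true
GLOBAL_CATALOG_PORT = 3268  # forest-wide search, GC-replicated attributes only


@dataclass
class LdapSyncSettings:
    host: str                    # space-delimited; an entry may end in ":port"
    port: Optional[int] = None   # applies only to hosts without their own port
    secure_connection: bool = False
    dn: str = ""                 # bind DN of a read-only service account
    password: str = ""
    domain: str = ""             # stored on the user record, e.g. "sbs"
    search_base_query: str = ""  # e.g. "DC=office,DC=local"; needed for the GC
    group_queries: List[str] = field(
        default_factory=lambda: ["(&(cn=Sequel Application Users))"])
    page_size: int = 1000


def resolve_endpoints(s: LdapSyncSettings) -> List[Tuple[str, int]]:
    """Host/Port rules: "name:port" keeps its own port and ignores Port; other
    hosts get Port, or 636/389 by SecureConnection when Port is unset."""
    fallback = s.port or (LDAPS_PORT if s.secure_connection else LDAP_PORT)
    endpoints = []
    for entry in s.host.split():
        name, sep, port_text = entry.rpartition(":")
        endpoints.append((name, int(port_text)) if sep and port_text.isdigit()
                         else (entry, fallback))
    return endpoints


def base_dn_from_domain(domain: str) -> str:
    """office.local -> DC=office,DC=local, the form SearchBaseQuery expects."""
    labels = [lbl for lbl in domain.strip().split(".") if lbl]
    if not labels:
        raise ValueError("domain needs at least one DNS label")
    return ",".join(f"DC={lbl}" for lbl in labels)


# RFC 4515 escaping: a group DN or name pasted into a filter must not be able
# to change the filter's structure.
_FILTER_ESCAPES = str.maketrans({c: "\\%02x" % ord(c) for c in "\\*()\0"})


def escape_filter_value(value: str) -> str:
    return value.translate(_FILTER_ESCAPES)


def member_filter(group_dn: str) -> str:
    """Direct members of one group (assumed filter). Nested groups are not
    expanded, in line with the page: inheritance of Windows groups is unsupported."""
    return f"(&(objectClass=user)(memberOf={escape_filter_value(group_dn)}))"


def validate(s: LdapSyncSettings, server_max_page_size: int = 1000) -> List[str]:
    """Problems a registration pre-check should report before any bind."""
    problems = []
    ports = [p for _, p in resolve_endpoints(s)]
    if s.dn and not s.password:
        # A DN with an empty password is an LDAP unauthenticated bind, which AD
        # answers as anonymous: the sync would "connect" without credentials.
        problems.append("DN is set without a Password (unauthenticated bind)")
    if not s.group_queries:
        problems.append("GroupQueries is empty: the sync process is cancelled")
    if not 1 <= s.page_size <= server_max_page_size:
        problems.append(f"PageSize {s.page_size} exceeds the server limit")
    if GLOBAL_CATALOG_PORT in ports and not s.search_base_query:
        problems.append("SearchBaseQuery must be set for global catalog queries")
    if LDAP_PORT in ports:
        problems.append("port 389 does not support the query type the sync uses")
    if not s.domain:
        problems.append("Domain is empty; users authenticate as {domain}{ssoUserName}")
    return problems


def sync_members(s: LdapSyncSettings, attributes=("sAMAccountName",)) -> Iterator[dict]:
    """Live lookup against the first endpoint: resolve each GroupQuery to group
    DNs, then page through their members. Needs a reachable AD and the ldap3
    package (imported lazily so the helpers above run offline)."""
    import ldap3  # third-party package; assumption of this example
    host, port = resolve_endpoints(s)[0]
    server = ldap3.Server(host, port=port, use_ssl=s.secure_connection)
    conn = ldap3.Connection(server, user=s.dn or None,
                            password=s.password or None, auto_bind=True)
    for query in s.group_queries:
        conn.search(s.search_base_query, query, attributes=["distinguishedName"])
        for group_dn in [e["dn"] for e in conn.response if "dn" in e]:
            yield from conn.extend.standard.paged_search(
                s.search_base_query, member_filter(group_dn),
                attributes=list(attributes), paged_size=s.page_size, generator=True)
```

Run `validate()` on the settings before handing the form back: an empty list means the endpoints, base DN, group queries and page size are consistent with the rules in the tables. The escaping in `member_filter` matters because the group DN comes from directory data; escaping it keeps a name containing `*`, `(` or `)` from widening or breaking the member query. `sync_members` is only there to show how the pieces combine into the paged search; it needs a real AD and is not exercised offline.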
Registering information for Sequel
Please provide the information below to Sequel in order to configure the application:
Description | Value |
---|---|
Host | Host name of AD |
LDAP/LDAPS | True/False. Confirm standard ports |
DN | Service account with read-only permissions |
Password | Service account password |
Domain | e.g. sbs |
SearchBaseQuery | e.g. DC=office,DC=local |
GroupQueries or GroupName | Identify the Windows group whose members will all be synced |
PageSize | This value must match the AD server settings. Default 1000 |