Version: Axidian Privilege 3.0

Integration with User Directories

This page describes how to set up Axidian Privilege integration with Active Directory, FreeIPA, OpenLDAP and ALD Pro user directories.

To change the user catalog reading parameters, edit the UserCatalog section in the Core and IdP configuration files.

Path to the Core configuration file:

Windows: C:\inetpub\wwwroot\core\appsettings.json
Linux: /etc/axidian/axidian-pam/core/appsettings.json

Path to the IdP configuration file:

Windows: C:\inetpub\wwwroot\idp\appsettings.json
Linux: /etc/axidian/axidian-pam/idp/appsettings.json

Setting up Integration with Active Directory

The configuration files initially contain settings for integration with Active Directory, so no additional changes are required for this directory type.

Setting Up a Search for Users Belonging to a Security Group

To set up a search for users belonging to a specified security group you need to configure the CatalogFilter parameter.

Example of setting the parameter for one security group:

"CatalogFilter": "memberOf=cn=Admins,CN=Builtin,DC=vdd,DC=com"

Example of setting the parameter for multiple security groups:

"CatalogFilter": "(|(memberOf=cn=Admins,CN=Builtin,DC=vdd,DC=com) (memberOf=cn=PrivelledgeAccounts,OU=Groups,DC=vdd,DC=com) (memberOf=cn=Admins1,OU=PAMUsers,DC=vdd,DC=com))"

The ContainerPath parameter must also be filled in: the directory is searched only under the container (OU) specified there, and of those users only the ones matching the CatalogFilter value are read.

Example of a UserCatalog section with a security group filter filled in:

"UserCatalog": {
  "RootProvider": "ad1",
  "Providers": {
    "Ldap": [
      {
        "Id": "ad1",
        "ConnectorType": "Ldap",
        "LdapServerType": "ActiveDirectory",
        "Domain": "axidian.test",
        "Port": 636,
        "AuthType": "Basic",
        "SecureSocketLayer": true,
        "ContainerPath": "OU=UsersPAM,DC=axidian,DC=test",
        "CatalogFilter": "memberOf=cn=SecurityGroup,OU=PAMUsers,DC=axidian,DC=test",
        "UserName": "IPAMADReadOps@axidian.test",
        "Password": "qwe123",
        "UserMapRules": {
          "Settings": [
            {
              "Category": "person",
              "Class": "user"
            }
          ]
        }
      }
    ]
  }
}

For more information on configuring the CatalogFilter parameter, see the Microsoft documentation.
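As an added example (not code from the Axidian documentation), the following Python builds a CatalogFilter value from a list of group DNs in the two shapes shown above (a bare memberOf clause for one group, an OR of clauses for several) and hex-escapes the characters that RFC 4515 reserves inside a filter value, so a group whose name contains "(" or "*" cannot break the filter or turn it into a wildcard match. The `nested` option is an assumption: it emits the Active Directory LDAP_MATCHING_RULE_IN_CHAIN syntax (OID 1.2.840.113556.1.4.1941), which only works if the product passes CatalogFilter to the directory unchanged.

```python
"""Build and check CatalogFilter values for the UserCatalog section."""
from __future__ import annotations

# RFC 4515: these characters must be hex-escaped inside a filter assertion value.
# A group like "cn=Tier 0 (Admins)" would otherwise break the filter, and a "*"
# would silently turn the membership check into a wildcard match.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

# Active Directory extensible-match rule that follows nested group membership
# (LDAP_MATCHING_RULE_IN_CHAIN). Assumption: the product hands CatalogFilter to
# the directory unchanged, so AD-specific syntax is usable here.
_IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """Escape a DN (or any assertion value) for use inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_catalog_filter(group_dns: list[str], nested: bool = False) -> str:
    """One group -> memberOf=<dn>; several -> (|(memberOf=<dn1>)(memberOf=<dn2>)...)."""
    if not group_dns:
        raise ValueError("at least one group DN is required")
    attr = f"memberOf:{_IN_CHAIN}:" if nested else "memberOf"
    clauses = [f"{attr}={escape_filter_value(dn)}" for dn in group_dns]
    if len(clauses) == 1:
        return clauses[0]
    return "(|" + "".join(f"({c})" for c in clauses) + ")"


def filter_is_balanced(flt: str) -> bool:
    """Structural sanity check: parentheses must balance and never close early."""
    depth = 0
    for ch in flt:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


if __name__ == "__main__":
    # Constructed sample group DNs; the second one contains filter-special characters.
    groups = ["cn=Admins,CN=Builtin,DC=vdd,DC=com",
              "cn=Tier 0 (Admins),OU=Groups,DC=vdd,DC=com"]
    flt = build_catalog_filter(groups)
    print(flt, "balanced:", filter_is_balanced(flt))
```

Paste the returned string as the value of "CatalogFilter"; with plain memberOf the directory evaluates direct membership only, so users who belong to the group only through a nested group are not read.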

Setting Up Integration with FreeIpa or AldPro

To set up an integration with the FreeIPA or AldPro user directory, users of the directory must have the following attributes:

  • entryUUID or ipaUniqueID
  • cn
  • entryDn
  • ipaNTSecurityIdentifier
  • krbPrincipalName
  • uid

Example of the UserCatalog section for a FreeIPA or AldPro user directory:

{
  "Id": "ad",
  "ConnectorType": "Ldap",
  "LdapServerType": "FreeIpa", // Replace with AldPro when connecting to ALD Pro
  "Domain": "ald.sup", // Name of the domain or of a specific controller
  "Port": 389, // 389 for connecting via LDAP, 636 for connecting via LDAPS
  "AuthType": "Basic",
  "SecureSocketLayer": false, // false for connecting via LDAP, true for connecting via LDAPS
  "ContainerPath": "dc=ald,dc=sup",
  "UserName": "uid=pamread,cn=users,cn=accounts,dc=ald,dc=sup", // Domain access credentials. Must be in distinguishedName format; the account must have read permissions for the required attributes
  "Password": "Q1w2e3r4", // Password of the account used to access the domain
  "GroupMapRules": {
    "Settings": [
      {
        "Category": "",
        "Class": "ipantgroupattrs"
      }
    ],
    "Attributes": {
      "Id": "ipaUniqueID",
      "Name": "cn",
      "SamAccountName": "cn",
      "CanonicalName": "cn",
      "DistinguishedName": "entryDn",
      "SidBytes": "ipaNTSecurityIdentifier"
    }
  },
  "UserMapRules": {
    "Settings": [
      {
        "Category": "",
        "Class": "person"
      }
    ],
    "Attributes": {
      "Id": "ipaUniqueID",
      "Name": "cn",
      "PrincipalName": "krbPrincipalName",
      "SamAccountName": "uid",
      "DistinguishedName": "entryDn",
      "SidBytes": "ipaNTSecurityIdentifier",
      "ThumbnailPhoto": "jpegPhoto",
      "JpegPhoto": "jpegPhoto"
    }
  }
}

If directory users have an entryUUID attribute but no ipaUniqueID attribute, remove the "Id": "ipaUniqueID" parameter from the Attributes section of both GroupMapRules and UserMapRules.

Setting Up Integration with OpenLDAP

To set up an integration with the OpenLDAP user directory, users of the directory must have the following attributes:

  • cn
  • entryDn
  • uid

Example of the UserCatalog section for an OpenLDAP user directory:

{
  "Id": "oldap",
  "ConnectorType": "Ldap",
  "LdapServerType": "OpenLdap",
  "Domain": "oldap.local", // Name of the domain or of a specific controller
  "Port": 389, // 389 for connecting via LDAP, 636 for connecting via LDAPS
  "AuthType": "Basic",
  "SecureSocketLayer": false, // false for connecting via LDAP, true for connecting via LDAPS
  "ContainerPath": "DC=oldap,DC=local",
  "UserName": "cn=IPAMADReadOps,dc=oldap,dc=local", // Domain access credentials. Must be in distinguishedName format; the account must have read permissions for the required attributes
  "Password": "QWEqwe123", // Password of the account used to access the domain
  "GroupMapRules": {
    "Settings": [
      {
        "Category": "",
        "Class": "groupOfUniqueNames"
      }
    ],
    "Attributes": {
      "Name": "cn",
      "SamAccountName": "cn",
      "CanonicalName": "cn",
      "DistinguishedName": "entryDn",
      "Members": "uniqueMember"
    }
  },
  "UserMapRules": {
    "Settings": [
      {
        "Category": "",
        "Class": "inetOrgPerson"
      }
    ],
    "Attributes": {
      "Name": "cn",
      "SamAccountName": "uid",
      "DistinguishedName": "entryDn",
      "ThumbnailPhoto": "photo",
      "JpegPhoto": "photo"
    }
  }
}

Setting Up an Integration with Multiple User Directories

To set up an integration with multiple user directories, please follow these steps:

  1. Change the RootProvider parameter value to "orUCP".
  2. In the Ldap section, list the user directories with which integration is required, separated by commas. Provider Ids must be unique. The Ids of providers that PAM previously worked with should not change.
  3. Add the Or section shown in the example below and list the Ids of the provider sections in it.

Example of the UserCatalog section for multiple user directories:
"UserCatalog": {
  "RootProvider": "orUCP",
  "Providers": {
    "Ldap": [
      {
        "Id": "ad",
        "ConnectorType": "Ldap",
        "LdapServerType": "ActiveDirectory",
        "Domain": "axidian.test",
        "Port": 636,
        "AuthType": "Basic",
        "SecureSocketLayer": true,
        "ContainerPath": "OU=UsersPAM,DC=axidian,DC=test",
        "UserName": "IPAMADReadOps@axidian.test",
        "Password": "qwe123",
        "UserMapRules": {
          "Settings": [
            {
              "Category": "person",
              "Class": "user"
            }
          ]
        }
      },
      {
        "Id": "ad2",
        "ConnectorType": "Ldap",
        "LdapServerType": "ActiveDirectory",
        "Domain": "axidian.test",
        "Port": 636,
        "AuthType": "Basic",
        "SecureSocketLayer": true,
        "ContainerPath": "OU=UsersPAM,DC=axidian,DC=test",
        "UserName": "IPAMADReadOps@axidian.test",
        "Password": "qwe123",
        "UserMapRules": {
          "Settings": [
            {
              "Category": "person",
              "Class": "user"
            }
          ]
        }
      },
      {
        "Id": "ipa",
        "ConnectorType": "Ldap",
        "LdapServerType": "FreeIpa",
        "Domain": "ipa.redos",
        "Port": 389,
        "AuthType": "Basic",
        "SecureSocketLayer": false,
        "ContainerPath": "DC=ipa,DC=redos",
        "UserName": "uid=IPAMADReadOps,cn=users,cn=accounts,dc=ipa,dc=redos",
        "Password": "qwe123",
        "GroupMapRules": {
          "Settings": [
            {
              "Category": "",
              "Class": "ipantgroupattrs"
            }
          ],
          "Attributes": {
            "Name": "cn",
            "SamAccountName": "cn",
            "CanonicalName": "cn",
            "DistinguishedName": "entryDn",
            "SidBytes": "ipaNTSecurityIdentifier"
          }
        },
        "UserMapRules": {
          "Settings": [
            {
              "Category": "",
              "Class": "person"
            }
          ],
          "Attributes": {
            "Name": "cn",
            "PrincipalName": "krbPrincipalName",
            "SamAccountName": "uid",
            "DistinguishedName": "entryDn",
            "SidBytes": "ipaNTSecurityIdentifier",
            "ThumbnailPhoto": "jpegPhoto",
            "JpegPhoto": "jpegPhoto"
          }
        }
      }
    ],
    "Or": [
      {
        "Id": "orUCP",
        "Providers": {
          "ad": {"IgnoreExceptions": true},
          "ad2": {"IgnoreExceptions": true},
          "ipa": {"IgnoreExceptions": true}
        }
      }
    ]
  }
}
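As an added example (not code from Axidian Privilege), the following Python lints a UserCatalog section before it is rolled out to the Core and IdP configuration files. It encodes the rules stated on this page for multiple directories (unique provider Ids, RootProvider must name an Ldap or Or provider, every Id listed under Or must exist) and the attribute mappings the FreeIPA/AldPro and OpenLDAP sections require, and it adds a transport check: a Basic bind with SecureSocketLayer false sends the read account's password to the directory in clear text, so port 389 without LDAPS is reported. The comment stripper exists because the annotated examples above use // comments, which the strict JSON parser rejects. The required-mapping table and the sample configuration are assumptions constructed for the example; hostnames and credentials in it are placeholders.

```python
"""Lint the UserCatalog section of a Core/IdP appsettings.json before rolling it out."""
from __future__ import annotations
import json

# Mapping keys that UserMapRules.Attributes must contain for the non-AD server
# types described on this page (AD uses built-in defaults and is not checked).
_IPA_KEYS = {"Name", "PrincipalName", "SamAccountName", "DistinguishedName", "SidBytes"}
REQUIRED_USER_MAPPINGS = {
    "FreeIpa": _IPA_KEYS,
    "AldPro": _IPA_KEYS,
    "OpenLdap": {"Name", "SamAccountName", "DistinguishedName"},
}


def strip_line_comments(text: str) -> str:
    """Drop // comments outside string literals so the strict json module can parse the file."""
    out, in_str, esc, i = [], False, False, 0
    while i < len(text):
        ch = text[i]
        if in_str:
            out.append(ch)
            if esc:
                esc = False
            elif ch == "\\":
                esc = True
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
            out.append(ch)
        elif text.startswith("//", i):
            while i < len(text) and text[i] != "\n":
                i += 1
            continue
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def lint_user_catalog(catalog: dict) -> list[str]:
    """Return human-readable problems; an empty list means the section is consistent."""
    problems: list[str] = []
    providers = catalog.get("Providers", {})
    ldap = providers.get("Ldap", [])
    ids = [p.get("Id") for p in ldap]
    for dup in sorted({i for i in ids if ids.count(i) > 1}, key=str):
        problems.append(f"duplicate provider Id {dup!r}")
    or_providers = {o.get("Id"): o for o in providers.get("Or", [])}
    root = catalog.get("RootProvider")
    if root not in ids and root not in or_providers:
        problems.append(f"RootProvider {root!r} matches no Ldap or Or provider")
    for or_id, entry in or_providers.items():
        for ref in entry.get("Providers", {}):
            if ref not in ids:
                problems.append(f"Or provider {or_id!r} references unknown Id {ref!r}")
    for p in ldap:
        pid, port = p.get("Id"), p.get("Port")
        ssl = bool(p.get("SecureSocketLayer", False))
        if (ssl and port == 389) or (not ssl and port == 636):
            problems.append(f"{pid}: Port {port} does not match SecureSocketLayer={ssl}")
        if not ssl and p.get("AuthType") == "Basic":
            problems.append(f"{pid}: Basic bind without LDAPS sends the read account's password in clear text")
        if not p.get("ContainerPath"):
            problems.append(f"{pid}: ContainerPath is empty")
        required = REQUIRED_USER_MAPPINGS.get(p.get("LdapServerType"))
        if required:
            missing = sorted(required - set(p.get("UserMapRules", {}).get("Attributes", {})))
            if missing:
                problems.append(f"{pid}: UserMapRules.Attributes is missing {missing}")
    return problems


def lint_appsettings_text(text: str) -> list[str]:
    """Lint the UserCatalog section of a whole, possibly //-annotated, appsettings.json."""
    return lint_user_catalog(json.loads(strip_line_comments(text))["UserCatalog"])


# Constructed sample in the shape of the multi-directory example above; hosts and
# credentials are placeholders. It deliberately contains several mistakes.
SAMPLE_APPSETTINGS = """{
  "UserCatalog": {
    "RootProvider": "orUCP", "Providers": {
      "Ldap": [
        {"Id": "ad", "ConnectorType": "Ldap", "LdapServerType": "ActiveDirectory",
         "Domain": "example.test", "Port": 636, "AuthType": "Basic",
         "SecureSocketLayer": true, // LDAPS
         "ContainerPath": "OU=UsersPAM,DC=example,DC=test",
         "UserName": "pamread@example.test", "Password": "<placeholder>",
         "UserMapRules": {"Settings": [{"Category": "person", "Class": "user"}]}},
        {"Id": "ad", "ConnectorType": "Ldap", "LdapServerType": "FreeIpa",
         "Domain": "ipa.example.test", "Port": 389, "AuthType": "Basic", "SecureSocketLayer": false,
         "ContainerPath": "dc=ipa,dc=example,dc=test",
         "UserName": "uid=pamread,cn=users,cn=accounts,dc=ipa,dc=example,dc=test", "Password": "<placeholder>",
         "UserMapRules": {"Settings": [{"Category": "", "Class": "person"}],
                          "Attributes": {"Name": "cn", "SamAccountName": "uid", "DistinguishedName": "entryDn"}}}
      ],
      "Or": [{"Id": "orUCP", "Providers": {"ad": {"IgnoreExceptions": true}, "ipa": {"IgnoreExceptions": true}}}]
    }}}"""

if __name__ == "__main__":
    for problem in lint_appsettings_text(SAMPLE_APPSETTINGS):
        print("-", problem)
```

Run it against the real file with `lint_appsettings_text(open(path).read())` for both the Core and the IdP copy, since the page requires the UserCatalog section to be edited in each; the sample above reports a duplicated Id, an Or entry pointing at an Id that no longer exists, a plain-LDAP Basic bind, and the missing PrincipalName and SidBytes mappings for the FreeIPA provider.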