LDAP Admin Sync Configuration

From idenprotect Knowledge Base

If you have not made any configuration changes yet, please see How to make configuration changes


idenprotect Core Platform can be used with or without LDAP integration. After the initial installation, LDAP integration is disabled. If LDAP is enabled, idenprotect Core Platform connects idenprotect users' identities to an LDAP directory, such as Microsoft Active Directory.

This article will help you configure the administrative users being synchronized to the idenprotect Core Platform Admin Console. If you are looking to configure the end-users being synchronized, please see LDAP User Sync Configuration

If you do not yet have your connection to LDAP configured, see LDAP Connection Configuration

If you would like to configure the LDAP synchronization job to store additional details about a user, see LDAP Extra Parameters or LDAP Group Definitions

Configuring the Admin Synchronization job

Admin Sync creates and deletes Admin Console accounts based on membership of the LDAP groups configured below, so a user gains or loses administrative access by being added to or removed from the relevant group in the directory.

This configuration can be found in either of the following places:

  • LDAP Admin Sync Configuration under the LDAP section in the idenprotect Core Platform Admin Console Config Tab
  • Server file system in /etc/idenprotect/ldap.properties
Parameters for LDAP admin sync

Parameter in Config Tab    Parameter in Properties File    Description
Admin Sync Enforced?       ldap.admin.enforce              When enabled, delete any internal admin account that no longer has the required AD group membership
Admin User Name Field      ldap.field.admin.user.name      AD attribute to be used as the admin account username
Admin Group                ldap.admin.group                AD group that admin users must be a member of
Help Desk Group            ldap.helpdesk.group             AD group that help desk users must be a member of
Domain Help Desk Group     ldap.domain.helpdesk.group      AD group that domain-specific help desk users must be a member of
Read Only Group            ldap.readonly.group             AD group that read-only users must be a member of
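Because ldap.admin.enforce deletes admin accounts that no longer match the configured group, it is worth checking the admin-sync keys in /etc/idenprotect/ldap.properties before turning enforcement on. The script below is an added example written for this article, not idenprotect code: it parses a Java-style properties file using the key names documented above and refuses to accept enforcement when the admin group or username attribute is unusable. The group DNs, the sAMAccountName attribute and the example.com directory in the embedded sample are constructed placeholders, and the "looks like a DN" test is a simple heuristic of this example, not a check the product performs.

```python
"""Pre-flight check for the admin-sync keys in ldap.properties.

Added example, not idenprotect code. Key names follow the documented
ldap.properties parameters; all values below are constructed samples.
"""
import re
import sys

# Constructed sample of the admin-sync section of ldap.properties.
# The DNs and the sAMAccountName attribute are hypothetical example.com values.
SAMPLE_PROPERTIES = """\
# LDAP admin sync (constructed sample, not a real deployment)
ldap.admin.enforce=true
ldap.field.admin.user.name=sAMAccountName
ldap.admin.group=CN=idenprotect-admins,OU=Groups,DC=example,DC=com
ldap.helpdesk.group=CN=idenprotect-helpdesk,OU=Groups,DC=example,DC=com
ldap.domain.helpdesk.group=
ldap.readonly.group : CN=idenprotect-readonly,OU=Groups,DC=example,DC=com
"""

# Role groups that may legitimately be left blank if the role is unused.
OPTIONAL_GROUP_KEYS = (
    "ldap.helpdesk.group",
    "ldap.domain.helpdesk.group",
    "ldap.readonly.group",
)


def parse_properties(text):
    """Parse Java-style properties: 'key=value' or 'key: value', '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def looks_like_dn(value):
    """Heuristic used by this example: an LDAP DN starts with 'attr=' (e.g. CN=...)."""
    return re.match(r"^[A-Za-z]+=.+", value) is not None


def check_admin_sync(props):
    """Return problems that should block enabling ldap.admin.enforce.

    With enforcement on, any admin account that no longer matches the admin
    group is deleted. If the group DN is empty or malformed, no account can
    match it, so enabling enforcement risks removing every admin account.
    """
    problems = []
    if not props.get("ldap.field.admin.user.name"):
        problems.append("ldap.field.admin.user.name is not set")
    admin_group = props.get("ldap.admin.group", "")
    if not admin_group:
        problems.append("ldap.admin.group is empty")
    elif not looks_like_dn(admin_group):
        problems.append("ldap.admin.group does not look like a DN: %r" % admin_group)
    enforce = props.get("ldap.admin.enforce", "false").strip().lower() == "true"
    if enforce and problems:
        problems.insert(0, "ldap.admin.enforce=true with an unusable admin group: "
                           "do not enable enforcement until the items below are fixed")
    return problems


def optional_group_notes(props):
    """Names of optional role groups that are blank (informational only)."""
    return [k for k in OPTIONAL_GROUP_KEYS if not props.get(k)]


if __name__ == "__main__":
    # Usage: python check_ldap_admin_sync.py [/etc/idenprotect/ldap.properties]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_PROPERTIES
    cfg = parse_properties(text)
    for note in optional_group_notes(cfg):
        print("note: %s is blank (role unused?)" % note)
    found = check_admin_sync(cfg)
    for p in found:
        print("problem: %s" % p)
    print("OK" if not found else "FAILED")
    sys.exit(1 if found else 0)
```

Run it against the live file after every change to the admin group, and only set Admin Sync Enforced once it reports OK; the blank-group notes are there so that an unused role (the sample leaves the domain help desk group empty) is a conscious choice rather than a typo.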