Active Directory and LDAP

Create and Edit Directory Credentials

A directory credential is required for querying Active Directory and LDAP, and also for adding Active Directory and LDAP groups and users in BeyondInsight.

  1. Select Configuration.
  2. Under Role Based Access, select Directory Credentials.

Screenshot of Configuration > Role Based Access > Directory Credentials page.

  1. Click Create Directory Credential.

 

Screenshot of the New Directory Credential window.

  1. Select the directory type and provide a name for the credential.
  2. Enter the name of the domain where the directory and user credentials reside.
  3. Enable the SSL option to use a secure connection when accessing the directory.

If Use SSL is enabled, SSL authentication must also be enabled in the BeyondInsight Configuration tool.

  1. Enter the credentials for the account that has permissions to query the directory.
  2. Enable the Use Group Resolution option to use this credential to for resolving groups from the directory.

Only one credential can be set for group resolution per domain or server.

  1. Click Test Credential to ensure the credential can successfully authenticate with the domain or domain controller before saving the credential.
  2. Click Save Credential.

 

Screenshot of Configuration > Role Based Access > Directory Credentials page.

  1. To edit a directory credential, select the credential and edit as desired.
    • If you change the Domain, Use SSL option, or the Username, you must change the password.
    • The Change Password section expands to display fields to enter and confirm the new password.
  2. Click Test Credential to ensure the edited credential can successfully authenticate with the domain or domain controller before saving the credential.
  3. Click Save Credential.

Add an Active Directory Group

Active Directory group members can log in to the management console or a specific domain controller and perform tasks based on the permissions assigned to the group. The group can authenticate against either a domain or domain controller.

Active Directory users must log in to the management console at least once to receive email notifications.

  1. Select Configuration.
  2. Under Role Based Access, select User Management.

 

Screenshot of Create a New Group in BeyondInsight

  1. Under Groups, click Create New Group.
  1. Select Add an Active Directory Group.

 

 

Add an Active Directory Group - Search Active Directory

  1. Select a credential, or click Manage Credentials to add or edit a credential.

 

  1. If the Domain field is not automatically populated, enter the name of a domain or domain controller.
  1. After you enter the domain or domain controller credential information, click Search Active Directory. A list of security groups in the selected domain is displayed.

For performance reasons, a maximum of 250 groups from Active Directory is retrieved. The default filter is an asterisk (*), which is a wildcard filter that returns all groups. Use the group filter to refine the list.

  1. Set a filter on the groups that are to be retrieved, and then click Search Active Directory. Example filters:
    • a* returns all group names that start with a.
    • *d returns all group names that end with d.
    • *sql* returns all groups that contain sql in the name.

    Screenshot of select Active Directory group and Add Group

  1. Select a group, and then click Add Group.
  2.  

  1. The group is added and set to Active but not provisioned or synchronized with Active Directory. Synchronization with Active Directory to retrieve users begins immediately.
  2.  

Screenshot showing newly added Active Directory group synced and users populated.

  1. Once the group has been synced with Active Directory, you can view the users assigned to the group, as well as unassigned users, by selecting Users from the Group Details section and then using the filters.

 

By default, new groups are not assigned any permissions. You must assign permissions on features and smart groups after creating a new group. For more information on permissions and how to assign them, please see Assign Group Permissions.

For more information on creating and editing directory credentials, please see Create and Edit Directory Credentials.

Add an LDAP Directory Group

LDAP group members can log in to the management console or a specific domain controller and perform tasks based on the permissions assigned to the group. The group can authenticate against either a domain or domain controller.

LDAP users must log in to the management console at least once to receive email notifications.

Screenshot of Create a New Group in BeyondInsight

  1. Select Configuration.
  2. Under Role Based Access, select User Management.

 

Screenshot of Create a New Group in BeyondInsight

  1. Under Groups, click Create New Group.
  1. Select Add an LDAP Directory Group from the list.

 

Screenshot of Group Details > LDAP Group Search

  1. Select a credential, or click Manage Credentials to edit a credential or create a new one.

 

  1. Click Fetch to load the list of Domain Controllers, and then select one.
  2. To filter the group search, enter keywords in the group filter or use a wildcard.
  3. Click Search LDAP.

Screenshot of LDAP Group Search results

  1. Select a group, and then click Continue to Add Group.

 

On the LDAP Group Search page, enter Group Membership attribute

  1. Select the Group Membership Attribute and Account Naming Attribute.
  2. Click Add Group.
  1. The group is added and set to Active but not provisioned or synchronized with LDAP. Synchronization with LDAP to retrieve users begins immediately.
  2.  

Screenshot showing newly added Active Directory group synced and users populated.

  1. Once the group has been synced with LDAP, you can view the users assigned to the group, as well as unassigned users, by selecting Users from the Group Details section, and then using the filters.

 

By default, new groups are not assigned any permissions. You must assign permissions on features and smart groups after creating a new group. For more information on permissions and how to assign them, please see Assign Group Permissions.

For more information on creating and editing directory credentials, please see Create and Edit Directory Credentials.