Active Directory / LDAP Integration

Owned by Omry Koschitzky
Last updated: Aug 24, 2023 by Noga Aviram (Unlicensed)

This section describes how to use Active Directory for authenticating users with the LDAP server.

The LDAP settings include:

  • General

    • Initial context factory 

    • Provider URL – the connection URL to the LDAP server (you can use several URLs to multiple LDAP servers separated by a space).

  • Manager Settings (optional)

    • Manager Path – the manager DN for searching users

    • Manager password – the manager’s password

  • Search Settings

    • Root path– the path for starting to search users.

      In case there's a need to search user's information from multiple domains, it is required to enter [ALL DOMAINS] in root path of the LDAP configuration

    • Search filter– how to search the users in the LDAP directory; the {0} is replaced with username.

    • User path – full path of the user DN; the {0} is replaced with username. For example: uid={0},ou=people,cn=xplg

    • Unique id attribute – optional; which attribute of the user will be provided as the unique id of the user.

    • Display name attribute – optional; which attribute of the user will be provided as the display name of the user.

  • Further Settings

    • Group id pattern

    • Groups attribute

To configure Active Directory authentication:

  1. In Provider URL

    • For a non secured connection type the URL to the active directory server – ldap://ACTIVEDIRECTORYSERVER:389/  (for several LDAP servers enter a space separated list of URLs)

    • For a secured connection type the URL to the active directory server – ldaps://ACTIVEDIRECTORYSERVER:636/  (for several LDAPS servers enter a space separated list of URLs)

  2. In Search Filter, type sAMAccountName={0}

  3. In case there's a need in a Manager path to search the Active Directory, enter the full distinguishedName of the user that that will be used to search the active directory (go to the AD explorer, right click the user > properties and copy the user's distinguished path. For example: CN=USER_NAME,CU=Admins,OU=Users,OU=MyBusiness,DC=xpolog,DC=local) and its password.

  4. In User path, type USER_DOMAIN\{0}, where USER_DOMAIN is the domain of your users (for several domains use a semicolon separated list USER_DOMAIN_1\{0};USER_DOMAIN_2\{0};...USER_DOMAIN_N\{0}).

  5. In Unique id attribute, type sAMAccountName.

  6. In Display name attribute,type displayName.

  7. In Groups attribute, type memberOf.

  8. Click save.
    The LDAP configuration is saved. 

Configuration example:

Verification

After you have completed the above steps and saved them. Try to login to XpoLog using the LDAP/AD credentials, if you're logged in successfully then the authentication passed properly.
The next phase is to verify that XpoLog was able to retrieve the Groups of the user from the Active Directory, to verify it go to the XpoLog audit log and look for the phrase. "get the following groups" in it. If you see there a list of groups then you are done and verified that XpoLog is able to authenticate users and retrieve their groups from the Active Directory.

The next phase will be to add relevant groups to XpoLog and assign security policies on them.