The Directory Provider can be added, with a license key, to the Identity Panel Core Framework. It scans objects in LDAP directories such as Active Directory (AD) and AD LDS. Additional capabilities (for example security descriptor collection) are available when the Directory Provider is used with AD or AD LDS.
Before configuring the Directory Provider, confirm that your system version is 3.3.8 or newer. You will also need to apply a Directory Panel license key.
Within Identity Panel or Directory Panel, within Provider settings, select Directory Connection from the provider types list. If it says "License Required", you still need to add the license key. Otherwise, press the "New" button to continue.
Give the provider a name and expand it. Short names display better in the Time Traveler. You can rename the provider at any time.
For your connection string, use one of the following forms for LDAP Connection:
- LDAP://
- LDAP://DomainDNS/
- LDAP://Server/
- LDAP://Server:Port/
Tick the "Is Active Directory" checkbox if the connection is to an AD domain or an AD LDS instance. This option enables the provider to collect the ACLs (security descriptors) that these directory types expose.
Enter the partition root as the Container Root.
You may optionally enter a user name and password, but a password storage license key MUST be applied to do this. You can obtain this key from your license key page. If the user name is left blank, scans run under the login context of the account running the scan (for example the Panel Service account). Whichever account is used must have read access to every container and attribute you later select for the scan.
After entering the connection settings, stop here and save them before continuing.
Run PanelTool, and select the option to run a schema scan for the newly created provider.
After the schema scan completes, return to the provider settings and refresh the page. You can now select items in the Containers to include and exclude lists, and add object types to scan.
When adding object types, select only structural object classes (in AD, classes with objectClassCategory 1). For example, add "user", not its abstract parent class "person".
After adding an object type select which attributes to collect into Identity Panel.
If configuring for AD, you may optionally scan security descriptors. Select "Scan Access Rules" to collect the DACL and "Scan Audit Rules" to collect the SACL. Note that reading a SACL requires the scanning account to hold the "Manage auditing and security log" privilege (SeSecurityPrivilege); an account without it can still collect the DACL, but audit rule collection will fail.
You may optionally select "Skip *" checkboxes on the right to omit types of ACE definitions from the scan results.
After adding object types and attributes save changes. You may now run a directory full scan from Panel Tool or add a full scan to your Identity Panel schedule and use Identity Panel to Time Travel changes of tracked objects in your directory.
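The following PowerShell is an added pre-flight check for the procedure above, not code from Identity Panel or Directory Panel. It uses the RSAT ActiveDirectory module to confirm, under the account the scan will run as, the partition roots you enter as Container Root, the structural classes the object type list should contain, and the DACL/SACL data that "Scan Access Rules" and "Scan Audit Rules" collect. The server name, domain and OU names are placeholders (assumptions), and the inherited-ACE filter at the end is only an illustration of the kind of ACE a "Skip *" option could omit, not the product's own definition.

```powershell
# Added example: pre-flight check for a Directory Provider connection.
# Not part of Identity Panel / Directory Panel; needs the RSAT ActiveDirectory module.
# $server, the domain and the OU names below are placeholders (assumptions).
Import-Module ActiveDirectory

$server = 'dc01.corp.example'   # the "Server" part of LDAP://Server/ or LDAP://Server:Port/

# 1. RootDSE is readable by any authenticated user and gives the partition roots.
#    Run this as the account the scan will use (e.g. the Panel Service account) so the
#    connection string and that account's access are checked together.
$rootDse    = Get-ADRootDSE -Server $server
$domainRoot = $rootDse.defaultNamingContext        # e.g. DC=corp,DC=example
$configRoot = $rootDse.configurationNamingContext  # e.g. CN=Configuration,DC=corp,DC=example
$schemaRoot = $rootDse.schemaNamingContext
# Container Root for a PKI-focused scan of the configuration partition:
# CA, certificate template and NTAuth objects live under Public Key Services.
$pkiRoot = "CN=Public Key Services,CN=Services,$configRoot"

# 2. List structural classes only. objectClassCategory: 1 = structural, 2 = abstract,
#    3 = auxiliary. "user" is structural; its parent "person" is abstract and must not
#    be added as an object type.
$schemaQuery = @{
    Server     = $server
    SearchBase = $schemaRoot
    LDAPFilter = '(&(objectClass=classSchema)(objectClassCategory=1))'
    Properties = 'lDAPDisplayName'
}
$structural = Get-ADObject @schemaQuery |
    Select-Object -ExpandProperty lDAPDisplayName | Sort-Object
"$($structural.Count) structural classes; user present: $($structural -contains 'user')"

# 3. Read the DACL and SACL of one OU, as "Scan Access Rules" / "Scan Audit Rules" do.
#    A PSDrive bound to $server keeps this on the same DC as the checks above.
New-PSDrive -Name ADS -PSProvider ActiveDirectory -Server $server -Root '' | Out-Null
$ou = "OU=ChildOU1,$domainRoot"
# -Audit requests the SACL, which needs SeSecurityPrivilege ("Manage auditing and
# security log"). If the scanning account lacks it, Get-Acl fails here, which is the
# same failure a scheduled scan with "Scan Audit Rules" ticked will hit.
$acl  = Get-Acl -Path "ADS:\$ou" -Audit
$dacl = $acl.Access | Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, ObjectType, IsInherited
$sacl = $acl.Audit  | Select-Object IdentityReference, ActiveDirectoryRights, AuditFlags, IsInherited

# Illustration (assumption) of a "Skip *" style filter: drop inherited ACEs so only
# entries set explicitly on this OU remain.
$explicitDacl = $dacl | Where-Object { -not $_.IsInherited }

"Container Roots: domain=$domainRoot  pki=$pkiRoot"
$dacl         | Format-Table -AutoSize
$sacl         | Format-Table -AutoSize
$explicitDacl | Format-Table -AutoSize
```

Run it once as the Panel Service account before scheduling the full scan: if step 3 fails on the SACL but step 2 succeeds, the account can scan objects and access rules but not audit rules, and either the privilege must be granted or "Scan Audit Rules" left unticked.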
Example: Moving the OU ChildOU02 into OU ChildOU1
The same setup process can be used to scan the AD configuration partition. The sample configuration below focuses on scanning the PKI-related information held in the configuration partition.
Schedule
Once the Directory Provider is configured and an initial load scan has been performed with PanelTool, create a regularly scheduled Directory Full Scan.
The directory scan takes an Environment argument.