LDAP

InsightCloudSec supports using Lightweight Directory Access Protocol (LDAP) authentication as a valid authentication server. This page includes details on configuring LDAP as an authentication server for InsightCloudSec.

In addition to LDAP authentication where users are created and managed in InsightCloudSec, we also support using LDAP in combination with external tools for user management, where user creation and user data can be synced with InsightCloudSec. For details on this feature, see our documentation on Just In-Time User Provisioning (Authentication Server Support).

Prerequisites

Before getting started, you will need the following:

  • A functioning InsightCloudSec platform
  • Appropriate InsightCloudSec permissions (Domain Admin or Org Admin)
  • Administrative credentials to your LDAP instance

For questions or issues reach out to us through the Customer Support Portal.

LDAP Authentication Server Setup

Refer to the steps below to create an LDAP Authentication Server:

  1. Navigate to Administration > Identity Management and select the Authentication Servers tab.
  2. Click the Add Server button to launch the form.
  3. Update the Create Authentication Server form as follows:
    • Provide a nickname for your server.
    • Select LDAP as the Server Type.
    • Select the Global Scope checkbox if you want to use this server across multiple InsightCloudSec Organizations. Learn more about Organizations.
  4. For Server Host/IP, enter the IP address or hostname of the LDAP instance.
    This is often represented as dc.yourdomain.com. Do not include any protocol or port information here.
  5. For Server Port supply the port for which your LDAP instance is configured.
    • Port ‘389’ is supplied by default as it is the default LDAP port.
    • If your LDAP is configured to use SSL, the default port is ‘636’.
    • If your LDAP instance has been configured to use any other port, supply that value here.
  6. Select the Secure Server checkbox if your LDAP instance has been configured to use SSL.
  7. For Admin Username, enter the Distinguished Name (DN) of a user account with ‘bind’ privileges.
    The DN is usually represented as CN=Your Name,OU=YourOrganization,DC=YourCompanyName,DC=Com.
  8. For Admin Password, enter the password of the user account specified in Admin Username.
  9. For Base User DN, enter the search string applicable to where user accounts are situated within the directory.
    • Usually, this looks something like CN=Users,DC=YourCompanyName,DC=Com. It is important here to provide the most specific possible search string.
    • A search string of DC=YourCompanyName,DC=Com might work depending on how the directory was configured but will result in inefficient lookups which are taxing to the LDAP instance and could result in timeouts while users attempt to authenticate.
  10. Ignore the checkbox for Enable periodic user provisioning. This checkbox enables JIT provisioning. You can read more about this feature in the Just In-Time User Provisioning (Authentication Server Support) docs.
  11. Click Submit to complete your authentication server setup.
    • InsightCloudSec will verify that the credentials you submitted are correct and that the account provided has the required ‘bind’ privilege.
    • If an error message appears, verify the values you entered are correct for the LDAP instance in which you are trying to authenticate.
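As an added pre-submission check (not part of InsightCloudSec or this guide), the following Python script validates the form values against the rules in the steps above and builds an OpenLDAP ldapsearch command for testing the bind DN and Base User DN by hand. It assumes Python 3.8+ and the OpenLDAP client tools; the sample form values are constructed.

```python
import re
import shlex
# Constructed sample values for the Create Authentication Server form.
SAMPLE_FORM = {"host": "dc.yourdomain.com", "port": 636, "secure": True,
               "admin_dn": "CN=Your Name,OU=YourOrganization,DC=YourCompanyName,DC=Com",
               "base_user_dn": "CN=Users,DC=YourCompanyName,DC=Com"}

_RDN = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)=(.+)$")

def parse_dn(dn):
    """Split a DN into (ATTR, value) pairs; ValueError on a malformed RDN.
    Handles escaped commas ('\\,') but not every RFC 4514 escape."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        m = _RDN.match(part)
        if not m:
            raise ValueError(f"malformed RDN {part!r}")
        rdns.append((m.group(1).upper(), m.group(2).strip()))
    return rdns

def check_form(form):
    """Return problems with the form values, following the rules in the steps above."""
    problems = []
    host, port, secure = form["host"], form["port"], form["secure"]
    if "://" in host or "/" in host:            # step 4: no protocol
        problems.append("host: enter only the hostname or IP, without a protocol")
    elif ":" in host and not host.startswith("["):  # step 4: no port (IPv6 literal allowed)
        problems.append("host: remove the port; it belongs in Server Port")
    if secure and port == 389:                  # steps 5-6: port and Secure Server agree
        problems.append("port: Secure Server is set but port is 389; LDAPS default is 636")
    if not secure and port == 636:
        problems.append("port: 636 is the LDAPS default but Secure Server is not set")
    for field in ("admin_dn", "base_user_dn"):  # steps 7 and 9: both must be DNs
        try:
            rdns = parse_dn(form[field])
        except ValueError as e:
            problems.append(f"{field}: must be a Distinguished Name ({e})")
            continue
        if field == "base_user_dn" and all(a == "DC" for a, _ in rdns):
            problems.append("base_user_dn: only DC components; every lookup scans the whole domain")
    return problems

def ldapsearch_precheck(form):
    """OpenLDAP ldapsearch command to test the bind DN and Base User DN by hand
    before submitting the form (-W prompts for the Admin Password)."""
    url = f"{'ldaps' if form['secure'] else 'ldap'}://{form['host']}:{form['port']}"
    argv = ["ldapsearch", "-x", "-H", url, "-D", form["admin_dn"], "-W",
            "-b", form["base_user_dn"], "-s", "one", "(objectClass=*)", "dn"]
    return shlex.join(argv)
```

A successful bind and a one-level listing of DNs under the Base User DN confirm what step 11 verifies on submit; a slow or timing-out listing suggests the Base User DN is too broad.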