Synchronizing users with LDAP servers


Most large organizations rely on external systems such as LDAP servers to manage user accounts. TrueSight Server Automation lets you synchronize users maintained in specific LDAP groups with users in the RBAC database by mapping one or more LDAP groups to an RBAC role.

You can perform this synchronization using the TrueSight Server Automation console or the BLCLI. If you perform the synchronization through the TrueSight Server Automation console, you can synchronize users only with Active Directory, because the created users are enabled only for Domain Authentication or ADK Authentication. If you perform the synchronization through the BLCLI, you can synchronize with either Active Directory or LDAP, and you can enable users for any authentication type. We recommend using the TrueSight Server Automation console for the initial synchronization and the BLCLI for subsequent synchronizations.

When you synchronize users, they are added to the RBAC user database and assigned to a role. 

Before you begin

This synchronizing task is typically performed by the RBACAdmins role. To perform this task using a role with a minimal set of authorizations, see Minimum-authorizations-for-synchronizing-users.

If you want existing users to participate in synchronization, then for each RBAC User object, check the User participates in directory synchronization option in the User-General-Information tab.  

Performing the initial synchronization from the console

Do the following:

  1. Ensure that the LDAP server is configured to support communication via StartTLS. 
     
  2. Log in to the TrueSight Server Automation console.

  3. Create an automation principal that represents the credentials required to access the LDAP server.
    For more information about creating an automation principal, see Creating-automation-principals.
    When defining an automation principal, the value you set for Principal ID must be the distinguished name of a directory user with read access to the users and groups being synchronized.
    For example, you might enter: CN=BindUser,CN=Users,DC=AD,DC=EXAMPLE,DC=NET
    You must provide a passphrase for the directory user.
    The Domain field should be left blank.

  4. Set up an LDAP connection to use to connect to the LDAP server.
    To set up an LDAP connection, you must have the host name or IP address of the LDAP server and a certificate that can be used to validate the connection to the LDAP server.


    The procedure for setting up an LDAP connection is described in Creating-an-LDAP-connection.

  5. Set up two LDAP queries: one for identifying an LDAP group and another for identifying the LDAP users in that group to synchronize into RBAC.
    For example, if you want to synchronize users in the group LDAPsyncTestGroup that has a distinguished name of CN=LDAPsyncTestGroup,CN=Users,DC=AD,DC=EXAMPLE,DC=NET:

    1. In the group query you would use a Base Distinguished Name of CN=LDAPsyncTestGroup,CN=Users,DC=AD,DC=EXAMPLE,DC=NET, a Filter of (objectClass=*), and an Attribute of member.


    2. In the user query, use a Filter of (objectClass=user), or the objectClass that identifies user objects in your directory. The Attribute in the user query may vary depending on the authentication type you are using and the particular LDAP server type. If you are using LDAP Authentication, use an Attribute of distinguishedName. This will create RBAC User objects like CN=User1,CN=Users,DC=AD,DC=EXAMPLE,DC=NET.


      If you are using Active Directory or Domain Authentication, use an Attribute of userPrincipalName. This will create RBAC User objects like user1@ad.example.net.


    The process for setting up LDAP queries is described in Creating-an-LDAP-query.

  6. Create the RBAC role that should be synchronized with an LDAP group, if the role does not already exist. Associate an automation principal, an LDAP connection, an LDAP group query, and an LDAP user query with the role.


    The process of mapping these values to a role is described in Role-Group-Mappings.

  7. After setting up the queries, you will get a pop-up that shows how many users will be synchronized.

  8. In the RBAC Manager folder, select Roles and then select the role to which you have mapped an LDAP connection and LDAP queries (that is, the role set up in step 6).

  9. Right-click and select Synchronize.



    The synchronization process begins. Users in the LDAP registry are added to the RBAC database and assigned to this role. Depending on how you have set up the Group Mappings options for the role, any existing users in this role not found in the synchronization can be deleted from RBAC entirely, disabled, or removed from the role.

  10. After synchronization, if you open the role and inspect the members, you will see the new users added to the role.

Automating synchronizations using the BLCLI

If you plan to synchronize LDAP user information regularly, you can use the syncUsers BLCLI command. Using this BLCLI command, you can also optionally specify the authentication type if you want the synchronized RBAC users to be enabled for an authentication type other than the default Active Directory authentication. 

blcli RBACRole syncUsers <roleName> <authenticationType>

For example, to synchronize the LDAPsyncUsers role and enable LDAP authentication:

blcli RBACRole syncUsers LDAPsyncUsers LDAP

Similarly, if you want user names appended with a suffix that differs from the one returned by the userPrincipalName attribute, use the syncUsersWithNameSuffix BLCLI command to specify the user name suffix. The user query noted in step 5 above should then return a user name without any domain suffix. For example, the Attribute used in the user query should be samAccountName instead of userPrincipalName.

blcli RBACRole syncUsersWithNameSuffix <roleName> <userNameSuffix>

For example, to synchronize the LDAPsyncUsers role and append the domain suffix @ad.example.net:

blcli RBACRole syncUsersWithNameSuffix LDAPsyncUsers "@ad.example.net"

For more complex synchronizations with Active Directory (for example, if you want to synchronize users in groups that contain members from multiple domains), you can use the syncUsersWithAd BLCLI command.

blcli RBACRole syncUsersWithAd <roleName> <domainServer> <groupDN> <userAttributeFlag> <operation> <userNameSuffix>

For example:

blcli RBACRole syncUsersWithAd LDAPsyncUsers dc1.ad.example.net "CN=LDAPsyncTestGroup,CN=Users,DC=AD,DC=EXAMPLE,DC=NET" -samid -r "@ad.example.net"
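The following Python illustration (added here, not TrueSight's own code) models how the group query and user query attribute from step 5 and the optional suffix from syncUsersWithNameSuffix determine the RBAC user names a synchronization produces, and how existing role members the query no longer returns are reported. The directory entries are constructed sample data reusing the page's example names.

```python
# Constructed in-memory directory: DN -> attributes (not a real LDAP server).
GROUP_DN = "CN=LDAPsyncTestGroup,CN=Users,DC=AD,DC=EXAMPLE,DC=NET"
USERS_DN = "CN=Users,DC=AD,DC=EXAMPLE,DC=NET"

def _user(cn):
    dn = f"CN={cn},{USERS_DN}"
    return dn, {"objectClass": ["top", "person", "user"],
                "distinguishedName": [dn],
                "userPrincipalName": [f"{cn.lower()}@ad.example.net"],
                # LDAP attribute names are case-insensitive; the page writes samAccountName.
                "sAMAccountName": [cn.lower()]}

DIRECTORY = dict([_user("User1"), _user("User2")])
# A nested group is also a member; the user query's (objectClass=user) filter drops it.
DIRECTORY[f"CN=Printers,{USERS_DN}"] = {"objectClass": ["top", "group"], "member": []}
DIRECTORY[GROUP_DN] = {"objectClass": ["top", "group"],
                       "member": [f"CN=User1,{USERS_DN}", f"CN=Printers,{USERS_DN}",
                                  f"CN=User2,{USERS_DN}"]}

def group_query(base_dn, attribute="member"):
    """Step 5a: base DN is the group itself, filter (objectClass=*), attribute member."""
    return list(DIRECTORY.get(base_dn, {}).get(attribute, []))

def user_query(dn, attribute, object_class="user"):
    """Step 5b: keep only entries matching (objectClass=user); the chosen
    attribute decides the form of the RBAC user name (DN, UPN or short name)."""
    entry = DIRECTORY.get(dn)
    if entry is None or object_class not in entry["objectClass"]:
        return None
    values = entry.get(attribute, [])
    return values[0] if values else None

def sync_users(group_dn, attribute, suffix="", existing=(), not_found="remove"):
    """Resolve group members to RBAC user names (suffix models syncUsersWithNameSuffix)
    and tag existing role members the query no longer returns with the configured
    Group Mappings action ('delete', 'disable' or 'remove')."""
    names = []
    for member_dn in group_query(group_dn):
        name = user_query(member_dn, attribute)
        if name is not None:
            names.append(name + suffix)
    stale = {user: not_found for user in existing if user not in names}
    return names, stale

if __name__ == "__main__":
    print(sync_users(GROUP_DN, "distinguishedName"))   # LDAP Authentication form
    print(sync_users(GROUP_DN, "sAMAccountName", "@ad.example.net",
                     existing=["user3@ad.example.net"], not_found="disable"))
```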
