Configuring BMC Defender LDAP Tool Kit
LDAP system parameters screen
As part of the Windows installation, a new tab is created in the System > Auto-Update section of the BMC Defender web interface, that permits you to configure various parameters associated with the LDAP background program. This screen is available only to the BMC Defender Server administrator and serves as a starting point for configuring the LDAP interface. The LDAP parameter screen looks like:
This screen allows the administrator to enable the GenLDAP program (which causes LDAP data to be downloaded automatically) and to schedule it to run hourly, daily, weekly, or on another schedule defined in the System > Schedule screen. The screen also allows the administrator to view various aspects of the LDAP data, or to generate an LDAP listing on demand via the Download option.
Generate and Download button
Either wait for the scheduled time or click the Download (or Run Report) button at the top of the screen to launch the GenLDAP.exe program as a background process on the system.
The GenLDAP.exe program gathers the LDAP data and formats the result into a file used by BMC Defender. The data acquisition process might take several minutes or longer to complete, depending upon the number of LDAP data entries, the number of configured LDAP servers, and other factors. The process executes as a background process, and you can leave the screen and return at a later time to check on the progress or the success of the operation.
Scheduling LDAP queries
The Generate button permits the operator to regenerate the LDAP LDIF file on demand. However, it is usually desirable to execute these queries on a scheduled basis, such as once each day or each week. The LDAP screen provides controls to allow the operator to edit the scheduled execution by configuring the System > Schedule screen to launch the GenLDAP.exe program at periodic intervals.
Include UPN records
The LDAP parameters screen normally looks for sAMAccountName records to identify users. Additionally, you can set the Include UPN Records value to be Yes, to look for both sAMAccountName and UserPrincipleName records in the LDAP data.
This is useful for those sites that require the UserPrincipleName (UPN) for authentication and tracking user activity.
The Include UPN Records setting is set to No by default. Setting Include UPN Records to Yes affects several parts of the program as follows:
- The list of active directory users (such as in the Messages > Catalogs > Users tab) includes both sAMAccountName and UserPrincipleName values (if the values are different).
- When accessing the User Info screen (by clicking on the hyperlinked user name anywhere it appears in BMC Defender), both the sAMAccountName and UserPrincipleName values are displayed if they are defined for that user. This permits the operator to easily view the different identities associated with a particular user.
- If user discovery requires an LDAP match, then a message that matches either the sAMAccountName or the UserPrincipleName field causes the user to be discovered and added to the system. (See Limiting-user-discovery-to-LDAP-users.)
- If the operator has implemented the MemberOf list macro, as discussed in the next section, then both the sAMAccountName and UserPrincipleName values are associated with the list macro generated by this facility.
Edit MemberOf list macro update rules
The LDAP parameters screen includes a special Edit MemberOf button, that allows the administrator to configure up to eight different match patterns that can automatically create group membership lists. This allows the system to automatically create, maintain, and update lists of users that share a similar LDAP group membership.
When the LDAP information is downloaded, it is automatically parsed to create a list of users that belong to the specified group(s). Any existing lists are replaced with the new information.
These lists appear on the Correlation > Config > Lists screen, and are identical to other lists that come with the system, except the lists reflect LDAP user names that belong to a particular set of Active Directory groups.
One application of this function would be to automatically create a list of the users that belong to the Administrators group, so that this list can be used in reports, correlation rules, and alerts.
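To make the MemberOf list macro and the Include UPN Records behaviour described above concrete, here is an added example (not code from the LDAP Tool Kit or from BMC) that parses a constructed LDIF dump, tests each user's memberOf group DNs against a set of match patterns, and rebuilds a membership list per pattern, optionally listing the UPN beside the sAMAccountName. The attribute names (sAMAccountName, userPrincipalName, memberOf), the regex form of the match patterns, and the list names are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample LDIF in the shape an LDAP dump might take; not real directory data.
SAMPLE_LDIF = """\
dn: CN=Alice Smith,OU=Staff,DC=example,DC=local
sAMAccountName: asmith
userPrincipalName: alice.smith@example.local
memberOf: CN=Domain Admins,CN=Users,DC=example,DC=local
memberOf: CN=VPN Users,OU=Groups,DC=example,DC=local

dn: CN=Bob Jones,OU=Staff,DC=example,DC=local
sAMAccountName: bjones
userPrincipalName: bjones@example.local
memberOf: CN=VPN Users,OU=Groups,DC=example,DC=local

dn: CN=svc backup,OU=Service,DC=example,DC=local
sAMAccountName: svc_backup
memberOf: CN=Backup Operators,CN=Builtin,DC=example,DC=local
"""

def parse_ldif(text):
    """Split an LDIF dump into records (blank-line delimited); each is attribute -> list of values.
    Plain text values only: base64 ("::") values and continuation lines are not handled here."""
    entries, current = [], defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(dict(current))
                current = defaultdict(list)
            continue
        attr, _, value = line.partition(":")
        current[attr.strip()].append(value.strip())
    if current:
        entries.append(dict(current))
    return entries

def build_group_lists(entries, patterns, include_upn=False):
    """Return {list_name: sorted user names} for each (list_name, regex) pattern tested against
    a user's memberOf DNs. With include_upn the UPN is listed beside sAMAccountName when present."""
    lists = {name: set() for name, _ in patterns}   # rebuilt from scratch on every run
    for entry in entries:
        names = set(entry.get("sAMAccountName", []))
        if include_upn:
            names |= set(entry.get("userPrincipalName", []))
        for list_name, pattern in patterns:
            if any(re.search(pattern, dn, re.IGNORECASE) for dn in entry.get("memberOf", [])):
                lists[list_name] |= names
    return {name: sorted(members) for name, members in lists.items()}

# Hypothetical match patterns: list name -> regex applied to each group DN.
PATTERNS = [("ldap_admins", r"^CN=Domain Admins,"), ("ldap_vpn", r"^CN=VPN Users,")]
```

Note that the service account, which has no UPN, still lands in any list its groups match; with include_upn enabled it is simply listed under its sAMAccountName alone.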
Edit user info settings
As a special function, the administrator can configure the system to update User Information screens directly and automatically with Active Directory information. Click the Edit User Info Update settings button at the bottom of the screen to view or adjust these settings. No changes to this screen are usually necessary. (The screen mainly exists to extend this facility to non-Active Directory LDAP installations.)
This information appears when the operator clicks on any user name in BMC Defender Server. The default action of this facility is to Merge user information with the existing information, that is, to assign a full name (and other information) to users that do not already have a name assigned to them. The full name then appears on the Messages > Catalogs > Users screen (and in other locations).