Active Directory (LDAP)

This document describes the process of setting up an AD integration that can be used by Actions and data source configuration.

Active Directory Integration setup

  1. Go to Settings > Integrations > New Integration.

  2. On the left sidebar click IAM/SSO Systems, select Active Directory, and click Next.

  3. Enter the Configuration details:

  • Name: Enter the name of the Integration.
  • Public: Determines whether the integration can be used outside the firewall.
  • Description: Enter the description (optional).

  4. Click Next.

  5. Enter the Authentication details:

  • Host: Enter the URL of the system to connect to. It may be a resolvable name or an IP address.
  • Port: The port number of the server to which the connection should be established. The default port number is 389 for an unsecured connection and 636 for a secure one.
  • Base DN: Specifies the base DN for all searches. Only entries at or below this location in the server (based on the scope) are considered potential matches.
  • Connection Type: Enter WINRM_INTERNAL.
  • Distinguished Name (DN): Enter the User DN (User Distinguished Name).
  • Password: The password of the user (UserDN) for the connection request.

  6. Click OK to save the Integration.
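The Authentication details above are easiest to validate before the integration is saved. The following PowerShell function is an added example, not part of the Aisera documentation: it performs a simple LDAP bind with the Host, Port, User DN and Password values, then reads the Base DN entry to confirm the account can actually search from there. It uses only .NET's System.DirectoryServices.Protocols, so it runs from any Windows host that can reach the domain controller; every host, DN and account value in it is a placeholder for your environment.

```powershell
# Added example, not part of the Aisera documentation: verify the values from the
# Authentication step (Host, Port, Base DN, User DN, Password) with a plain LDAP
# bind before saving the integration. Only System.DirectoryServices.Protocols is
# used. All host, DN and account values below are placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapBind {
    param(
        [Parameter(Mandatory)] [string]       $LdapHost,     # resolvable name or IP address
        [int]                                 $Port = 636,   # 636 = LDAPS (secure), 389 = unsecured
        [Parameter(Mandatory)] [string]       $BaseDN,       # base of all searches
        [Parameter(Mandatory)] [string]       $UserDN,       # DN of the integration account
        [Parameter(Mandatory)] [securestring] $Password
    )

    $identifier = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($LdapHost, $Port)
    $credential = [System.Net.NetworkCredential]::new($UserDN, $Password)
    # 'Basic' is a simple bind: the DN and password travel inside the bind request,
    # which is why port 636 (TLS from the first byte) is the right choice here.
    $connection = [System.DirectoryServices.Protocols.LdapConnection]::new(
        $identifier, $credential, [System.DirectoryServices.Protocols.AuthType]::Basic)
    $connection.SessionOptions.ProtocolVersion = 3
    if ($Port -eq 636) {
        # Leave VerifyServerCertificate unset: the default validation rejects a server
        # certificate this host does not trust instead of silently accepting it.
        $connection.SessionOptions.SecureSocketLayer = $true
    }

    try {
        $connection.Bind()
        # A successful bind does not prove the Base DN exists or is readable by this
        # account, so read that single entry (scope Base) as a second check.
        $request = [System.DirectoryServices.Protocols.SearchRequest]::new(
            $BaseDN, '(objectClass=*)',
            [System.DirectoryServices.Protocols.SearchScope]::Base,
            [string[]]@('distinguishedName'))
        $response = $connection.SendRequest($request)
        [pscustomobject]@{
            Bound       = $true
            BaseDNFound = ($response.Entries.Count -eq 1)
            Error       = $null
        }
    }
    catch {
        [pscustomobject]@{ Bound = $false; BaseDNFound = $false; Error = $_.Exception.Message }
    }
    finally {
        $connection.Dispose()
    }
}

# Usage (placeholders):
# Test-LdapBind -LdapHost 'dc01.corp.example.com' -Port 636 `
#   -BaseDN 'DC=corp,DC=example,DC=com' `
#   -UserDN 'CN=svc-aisera,OU=Service Accounts,DC=corp,DC=example,DC=com' `
#   -Password (Read-Host -AsSecureString -Prompt 'Password')
```

A result of `Bound = $true` with `BaseDNFound = $false` usually means the Base DN is mistyped or outside what the account may read; a bind error on 636 but not on 389 points at the server certificate or the LDAPS listener rather than the credentials. The same function is a quick first step for the connectivity issues mentioned under Troubleshooting.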

Active Directory Data Source configuration

  1. Go to Settings → Data Sources

  2. Click New Data Source in the upper right corner.

  3. On the left sidebar click IAM/SSO Systems, select Active Directory, and click Next.

  4. Enter the General Details:

  • Name: Enter the name to be given to the Data Source.
  • Type: Enter the Type, i.e. Downstream or Upstream.
  • Integration: Select the Integration created above from the dropdown.
  • Functions: User Learning, User Creation, etc.
  • Schedule: Select the schedule on which you want the DS to run.
  • Public Domain: Enter the public domain. If a data source is marked with a public domain name, any KB ingested from the DS will come up as a hint to a related question to the bot. Not applicable for AD.
  • Description: Enter the description you want to give to the DS.

  5. Enter the Configuration parameters:

  • Remote Executor (RE): Select if a Remote Executor is used. Refer to the following section if an RE is used.
  • Event Type: N/A
  • Bypass Test Connection: Disable if you want to bypass the test connection.
  • Custom Script: Available but hidden (will be exposed in the UI) if you want to apply a custom JavaScript to transform the ingested JSON object.

Setup Active Directory Data Source to work via Remote Executor

In the case of an on-prem integration, Aisera uses its Remote Executor architecture, which acts as a remote proxy: it receives the command to execute over HTTPS and runs it on behalf of the Aisera SaaS. For an on-prem AD, the Connector uses PowerShell commands to interact with AD. The Remote Executor is installed on a Windows host on the customer’s network.

In this case the execution path differs from the one used when we have direct access to the machine that hosts AD: the connector executes a flow that issues the PowerShell commands to the host via the RE.

Below are the steps to setup the flow and configure the Data Source.

  1. Prerequisites

To use PowerShell you need to import the Active Directory module, which consolidates the group of cmdlets used to manage Active Directory. On the remote host where AD is installed, open an elevated PowerShell and type the following command:

Import-Module ActiveDirectory

  2. Remote Executor flow

The next step is to create a flow that will be used by the Connector to execute PowerShell commands that get Users or Groups.

Here is a sample flow:

Let’s break down the nodes:

  1. command JS node: defines the command that will be executed based on the Content-Type. You can add any filter you want to narrow down the results.

  2. LocalCommandLineAction: executes the PowerShell command on the remote host via the RE.

  3. Stringify the JSON response (optional).

  4. Print the results that will be used by the Connector (optional).
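The sample flow's command node is not shown here, so the following is an added example of the kind of PowerShell command such a node could hand to LocalCommandLineAction; it is not Aisera's sample flow or Connector code. It selects Users or Groups from a content type, applies an optional AD filter and search base, and returns JSON, which also covers what the optional Stringify node does. The parameter names, the 'Users'/'Groups' content-type values and the attribute lists are this example's assumptions, not a contract of the Connector.

```powershell
# Added example, not part of the Aisera documentation or its sample flow: a
# PowerShell command for the "command" node, executed on the RE host.
# Content-type values, parameter names and attribute lists are assumptions.
Import-Module ActiveDirectory

function Get-AdExportJson {
    param(
        [ValidateSet('Users', 'Groups')] [string] $ContentType = 'Users',
        # Narrow to an OU so the account only needs read rights where it has them.
        [string] $SearchBase = (Get-ADDomain).DistinguishedName,
        # AD filter syntax, e.g. 'Enabled -eq $true' or "Name -like 'svc-*'"
        [string] $Filter = '*'
    )

    switch ($ContentType) {
        'Users' {
            # Attributes behind the read-only actions on this page: status, expiry,
            # password age, phone number and group membership.
            $extra = 'mail', 'telephoneNumber', 'pwdLastSet', 'accountExpires', 'memberOf'
            $props = 'sAMAccountName', 'userPrincipalName', 'Enabled', 'DistinguishedName'
            $props += $extra
            $rows = @(Get-ADUser -Filter $Filter -SearchBase $SearchBase -Properties $extra |
                      Select-Object -Property $props)
        }
        'Groups' {
            $extra = 'managedBy', 'member'
            $props = 'sAMAccountName', 'GroupCategory', 'GroupScope', 'DistinguishedName'
            $props += $extra
            $rows = @(Get-ADGroup -Filter $Filter -SearchBase $SearchBase -Properties $extra |
                      Select-Object -Property $props)
        }
    }

    # -Depth keeps multi-valued attributes (memberOf, member) as JSON arrays; the default
    # depth flattens nested values into the string "System.Object[]". -InputObject with
    # an array (@() above) always produces a JSON array, even for zero or one result.
    ConvertTo-Json -InputObject $rows -Depth 3 -Compress
}

# The flow would call this with the content type it resolves from the request, e.g.:
Get-AdExportJson -ContentType 'Users' -Filter 'Enabled -eq $true'
```

Keeping the filter and search base as parameters, rather than editing the command string in the node for every variant, means the node only has to substitute values the flow already validated, and the account used by the RE needs no more than the read rights described under Active Directory Actions.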

  3. Data Source configuration

Configure the Data Source to use the flow generated in the previous step.

Go to Data Source configuration and configure the following:

Remote Executor: Yes

Aisera App: Select the App from the drop-down that contains the workflow created in the previous step

Workflow: Select the workflow you created in the previous step

Active Directory Actions

The following actions are Active Directory specific:

Most of the actions require read-only permissions on User, Group and Computer objects. The built-in Domain Users group already has the bare minimum rights to read user, group and computer objects from the directory, so a user that belongs to this group has sufficient rights to execute the following actions.

  • Check if User Enabled

  • Get all Groups for Active Directory

  • Get Computers from Active Directory

  • Get Expiring accounts

  • Get Expiring passwords

  • Get phone number

  • Get User information

  • Get User status

  • List Owners of an AD group

The actions that need write permissions are the following:

  • Modify Group for Active Directory

  • Reset Password

  • Set Phone number for Active Directory

  • Update Account Expiration Date

To perform these actions a user or group must be granted the following permissions:

  • Reset password

  • R/W pwdLastSet

  • R/W memberOf

  • R/W Telephone Number

Active Directory permissions

To grant the required permissions to a user/group you can use the Delegate Wizard:

  1. In ADUC (Active Directory Users and Computers), right-click the OU or container (e.g. Users) that contains the users whose attributes you want another user/group to be able to modify. Click "Delegate Control".

  2. Add the user or group to which you would like to grant permission.

  3. Choose "Create a custom task to delegate".

  4. Choose "Only the following objects in the folder" then "User objects" in the list.

  5. Uncheck General. Only check Property-specific.

  6. Under Permissions list, check the entries per your requirement.

An alternative way of setting permissions is:

  • Open ADUC and browse to your domain object

  • Right-click the OU or container and go to Properties

  • Security tab, click Advanced (If the Security tab is not visible, in the ADUC Go to View and select Advanced Features)

  • Click Add

  • Click Select a principal and enter the username (or group) that you want to grant permissions to

  • Select Type: Allow

  • Select 'Applies to' from the list (e.g. This object only)

  • Select one or more permissions that you wish to enable from the list
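Both procedures above (Delegate Control, and Security > Advanced) end with the same set of ACEs on the OU. The following function is an added example, not part of the Aisera documentation, that applies the scripted equivalent: only the permissions listed for the write actions, only on User objects below one OU, with the attribute and extended-right GUIDs resolved from the schema and configuration partitions at run time rather than hard-coded. The OU and principal names are placeholders. One detail beyond the page's list: memberOf is a computed back-link that cannot be written, so a group-membership change is written to the group's member attribute, and the example grants that right on Group objects in the same OU.

```powershell
# Added example, not part of the Aisera documentation: scripted equivalent of the
# ADUC delegation steps, limited to the rights the write actions need. OU and
# principal names are placeholders; GUIDs are looked up, not hard-coded.
Import-Module ActiveDirectory

function Grant-AdActionRights {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $TargetOU,   # e.g. 'OU=Users,DC=corp,DC=example,DC=com'
        [Parameter(Mandatory)] [string] $Principal   # sAMAccountName of the user or group
    )

    $rootDse  = Get-ADRootDSE
    $schemaNC = $rootDse.schemaNamingContext
    $configNC = $rootDse.configurationNamingContext

    # schemaIDGUID of an attribute or class, which is what ADUC's property-specific entries use.
    function Get-SchemaGuid([string] $LdapDisplayName) {
        $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
        if (-not $obj) { throw "schema object '$LdapDisplayName' not found" }
        [guid] $obj.schemaIDGUID
    }
    # Control access rights such as "Reset Password" live under CN=Extended-Rights.
    function Get-ExtendedRightGuid([string] $DisplayName) {
        $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
        if (-not $obj) { throw "extended right '$DisplayName' not found" }
        [guid] $obj.rightsGuid
    }

    $sid = (Get-ADObject -LDAPFilter "(sAMAccountName=$Principal)" -Properties objectSid).objectSid
    if (-not $sid) { throw "principal '$Principal' not found" }

    $userClass  = Get-SchemaGuid 'user'
    $groupClass = Get-SchemaGuid 'group'
    # Descendents plus an inheritedObjectType is the wizard's "Only the following objects in the folder".
    $inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    $rw      = [System.DirectoryServices.ActiveDirectoryRights] 'ReadProperty, WriteProperty'
    $ext     = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

    $rules = @(
        # Reset password (control access right) on user objects
        [System.DirectoryServices.ActiveDirectoryAccessRule]::new($sid, $ext, $allow, (Get-ExtendedRightGuid 'Reset Password'), $inherit, $userClass)
        # R/W pwdLastSet and telephoneNumber on user objects
        [System.DirectoryServices.ActiveDirectoryAccessRule]::new($sid, $rw, $allow, (Get-SchemaGuid 'pwdLastSet'), $inherit, $userClass)
        [System.DirectoryServices.ActiveDirectoryAccessRule]::new($sid, $rw, $allow, (Get-SchemaGuid 'telephoneNumber'), $inherit, $userClass)
        # R/W member on group objects: the attribute a group-membership change actually writes
        [System.DirectoryServices.ActiveDirectoryAccessRule]::new($sid, $rw, $allow, (Get-SchemaGuid 'member'), $inherit, $groupClass)
    )

    $aclPath = "AD:\$TargetOU"
    $acl = Get-Acl -Path $aclPath
    foreach ($rule in $rules) { $acl.AddAccessRule($rule) }

    # With -WhatIf nothing is written; otherwise the four ACEs are added to the OU.
    if ($PSCmdlet.ShouldProcess($TargetOU, "grant Reset Password, pwdLastSet, telephoneNumber and member rights to $Principal")) {
        Set-Acl -Path $aclPath -AclObject $acl
    }
    # Return the rules so the caller can review what was (or would be) granted.
    $rules | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType
}

# Usage (placeholders):
# Grant-AdActionRights -TargetOU 'OU=Users,DC=corp,DC=example,DC=com' -Principal 'svc-aisera' -WhatIf
```

Run it with -WhatIf first and compare the returned rules with the Advanced Security view of the OU; the same view is where you confirm later that no broader "General" permission (Full Control, Write all properties) was granted alongside these four entries.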

Troubleshooting

Visit this page for troubleshooting tips.

If you experience connectivity issues to your on-premises Active Directory, you can use a third-party tool (e.g. LDAP Admin) to try to establish a connection with the same host, port and credentials.