Import LDAP Device Groups

An efficient method of creating an LDAP device group is to import an LDAP group from a remote LDAP server. To complete an import, you are required to use the built-in PAM LDAP Browser, which gets launched during the import procedure.
Only a Privileged Access Manager administrator has privileges to import an LDAP group.
Launch the LDAP Browser
Use the LDAP Browser to import an LDAP group.
Follow these steps:
  1. Verify that your appliance is licensed. A license is required to launch the LDAP Browser.
  2. Navigate to Configuration, 3rd Party, LDAP to configure access to an LDAP server.
    Provisioning the LDAP server is necessary to make LDAP groups available for import.
  3. Select Devices, Manage Device Groups.
  4. Select Import LDAP Groups.
    The LDAP Browser launches. You are prompted to select an LDAP domain.
  5. Go to the next procedure to import the LDAP group.
If the LDAP server does not support the cipher suite that is used by the Privileged Access Manager LDAP browser, a connection failure occurs. The following error message appears:
“Possible cipher mismatch with LDAP server.”
During provisioning, ensure that the ciphers that are supported on the target LDAP server include those ciphers that are supported by the LDAP browser.
Cipher Suites Supported by the LDAP Browser
The LDAP browser supports newer cipher suites, including Diffie-Hellman cipher suites that enable Perfect Forward Secrecy (PFS) and elliptic-curve (ECDHE) variants that provide better performance.
  • (Default) When TLSv1.0 and 1.1 are allowed, the following ciphers are available for negotiation with the LDAP/Active Directory server:
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    TLS_RSA_WITH_AES_128_GCM_SHA256
    TLS_RSA_WITH_AES_256_CBC_SHA256
    TLS_RSA_WITH_AES_128_CBC_SHA256
    TLS_RSA_WITH_AES_128_CBC_SHA
    TLS_RSA_WITH_AES_256_CBC_SHA
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA
  • When TLSv1.0 and 1.1 are disabled (only TLSv1.2 is enabled), the following ciphers are available:
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    TLS_RSA_WITH_AES_128_GCM_SHA256
    TLS_RSA_WITH_AES_256_CBC_SHA256
    TLS_RSA_WITH_AES_128_CBC_SHA256
When you change the TLS configuration, the current LDAP browser connections are not affected. The configuration changes take effect the next time the LDAP browser is launched.
  • When FIPS mode is enabled, the following ciphers are available:
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    TLS_RSA_WITH_AES_256_CBC_SHA256
    TLS_RSA_WITH_AES_128_CBC_SHA256
When TLS 1.0 and 1.1 are disallowed in the Privileged Access Manager configuration, SHA-1 HMAC is disallowed and only SHA256 is used.
The only supported elliptic curves are secp256r1 and secp384r1. These curves are NIST-approved. Microsoft Windows can set curve support by group policy to ensure that the Active Directory server allows the Privileged Access Manager curves if ECDHE is required.
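To verify a target LDAP server against the lists above before provisioning it (and so avoid the "Possible cipher mismatch" failure), here is an added Python example; it is not part of this documentation or of the product. It encodes the three cipher lists on this page, reports which suites a given server configuration leaves negotiable, and can probe a live LDAPS endpoint one suite at a time. The host name, port 636 and any server configuration you pass in are assumptions.

```python
import socket
import ssl
# IANA suite names from this page mapped to their OpenSSL names (standard names, not product-specific).
SUITES = {
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": "ECDHE-RSA-AES128-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": "ECDHE-RSA-AES256-SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": "ECDHE-RSA-AES128-SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256": "AES128-GCM-SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256": "AES256-SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256": "AES128-SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA": "AES128-SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA": "AES256-SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA": "DHE-RSA-AES128-SHA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA": "DHE-DSS-AES128-SHA",
}

# Suites the LDAP Browser offers in each PAM TLS mode; the filters reproduce the three lists above.
MODES = {
    "default": list(SUITES),                                    # TLSv1.0/1.1 allowed: all ten
    "tls12_only": [s for s in SUITES if s.endswith("SHA256")],  # SHA-1 HMAC disallowed
    "fips": [s for s in SUITES if s.endswith("SHA256") and "GCM" not in s],
}

def negotiable(mode, server_suites):
    """Suites the browser offers in `mode` that the server also enables, in browser order.
    An empty result is the "Possible cipher mismatch with LDAP server" condition."""
    enabled = set(server_suites)
    return [s for s in MODES[mode] if s in enabled]

def probe_server(host, port=636, mode="default", timeout=5.0):
    """Try one TLS 1.2 handshake per suite against a live LDAPS endpoint; return the accepted suites."""
    accepted = []
    for iana in MODES[mode]:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # cipher support is being tested here, not the server's identity
        ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1_2
        try:
            ctx.set_ciphers(SUITES[iana])  # offer exactly one suite
        except ssl.SSLError:
            continue  # the local OpenSSL build does not provide this suite
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    if tls.cipher()[0] == SUITES[iana]:
                        accepted.append(iana)
        except (OSError, ssl.SSLError):
            pass  # refused, timed out, or handshake failure: the server rejects this suite
    return accepted
```

Compare the probe result for the PAM TLS mode you run with `MODES[mode]`: a server that accepts none of them will produce the cipher mismatch error when the LDAP Browser connects.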
Import LDAP Groups
In the LDAP Browser, the Explore tab in the left pane shows a graphical representation of an LDAP tree. Select any object to see the object attributes.
Follow these steps:
  1. Select the LDAP domain and select OK to connect to it.
    The browser connects and displays all records below that domain.
  2. Navigate the LDAP tree in the left pane and locate the device group that you want to import. Traverse the tree in any order or direction.
  3. To stage a device group for import, select the checkbox next to the group.
  4. Repeat these steps for each group you want to import. 
  5. (Optional) Review the device groups that are selected for import:
    1. Select PAM Groups, Manage selected groups to register with the PAM appliance.
      The list of the Distinguished Names for all selected groups displays.
    2. Select and edit any group DN, or remove it from the staging list.
  6. Select PAM Groups, Register selected groups with the PAM appliance.
    A window opens displaying a list of the staged groups. You can watch the progress, and can display any messages that are associated with the actions.
  7. When ready to import the groups, select Register Groups in the lower-left corner.
    Privileged Access Manager imports the groups in the order that they are listed. The browser provides feedback and cancellation options throughout the process.
    You can cancel registration of a group, or you can cancel the registration of all groups, even after they have started.
    When the imports are finished, each line item in the registration window shows a green checkmark for success or a red X for import failure or cancellation.
  8. (Optional) Review the status of the full list and each individual group by selecting its line item. If you made any changes, or any errors occurred for an individual group, the lower Messages panel provides details.
  9. Go to Devices, Manage Device Groups, and confirm that the imported groups appear on the page.
You cannot delete a record from an imported device group. Also, you cannot edit an LDAP-imported field.
Refresh LDAP Groups
You can refresh an LDAP Group to update the records in the group.
Follow these steps:
  1. In the UI, select Devices, Manage Device Groups.
  2. Toward the right side of the page, select Refresh LDAP Groups.
    The LDAP Browser launches the Refresh Registered LDAP Groups window.
  3. Select one or more groups you want to refresh and select Refresh Selected Groups.
Refresh Active Directory Device Groups After an OU Change
A change to the organizational unit (OU) of a device results in a change to the device DN. The modified DN can impact an access policy.
PAM handles an OU change when the Active Directory group is refreshed automatically. During a refresh, the appliance searches the remote Active Directory server and updates its device record. Despite the OU change, the policy for that device is preserved.
To reflect an OU change immediately, you can manually refresh an Active Directory group in PAM. To keep the data in sync with Active Directory, refresh all the groups that now include the device and all the groups from where the device moved.
Nested LDAP Groups
An LDAP group might be nested within another group as an element in a parent group member attribute. When the parent group is imported, all devices in the parent or the child are imported. For example, consider groups StateA and CityB, where group CityB is a member of (nested in) the group StateA. If you import the StateA group, you see every member of StateA and every member of CityB.
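The StateA/CityB example above, as an added Python illustration of how nested membership resolves to the set of devices an import brings in (this is not the product's own import code). The directory entries are constructed; the DNs, a device that is a member of both groups, and the handling of circular nesting are assumptions added to show the edge cases.

```python
# Constructed sample of the directory entries that matter for nesting: DN -> objectClass and member values.
# Group CityB is nested in StateA, and srv-b1 is also a direct member of StateA (reachable twice).
STATE_A = "CN=StateA,OU=Groups,DC=example,DC=com"
CITY_B = "CN=CityB,OU=Groups,DC=example,DC=com"
DIRECTORY = {
    STATE_A: {"objectClass": "group",
              "member": [CITY_B,
                         "CN=srv-a1,OU=Devices,DC=example,DC=com",
                         "CN=srv-b1,OU=Devices,DC=example,DC=com"]},
    CITY_B: {"objectClass": "group",
             "member": ["CN=srv-b1,OU=Devices,DC=example,DC=com",
                        "CN=srv-b2,OU=Devices,DC=example,DC=com"]},
    "CN=srv-a1,OU=Devices,DC=example,DC=com": {"objectClass": "computer"},
    "CN=srv-b1,OU=Devices,DC=example,DC=com": {"objectClass": "computer"},
    "CN=srv-b2,OU=Devices,DC=example,DC=com": {"objectClass": "computer"},
}

def expand_group(dn, directory, seen=None):
    """Return the device DNs that importing group `dn` brings in, following nested groups.

    `seen` holds every DN already visited, so a device is listed once even when it is
    reachable through several groups, and circular nesting (A in B in A) terminates.
    """
    seen = set() if seen is None else seen
    if dn in seen:
        return []
    seen.add(dn)
    devices = []
    for member in directory[dn].get("member", []):
        entry = directory.get(member)
        if entry is None or member in seen:
            continue  # dangling reference, or already collected via another path
        if entry["objectClass"] == "group":
            devices.extend(expand_group(member, directory, seen))
        else:
            seen.add(member)
            devices.append(member)
    return devices
```

Importing StateA yields the CityB devices plus StateA's own; importing CityB alone yields only its two devices.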
LDAP Browser Menus and Controls
The following list describes the LDAP Browser menus and controls (each menu item, followed by its function).

Copy icon: Copy the Distinguished Name of the selected entry to the Clipboard.
Group icon: Display all the groups in this container. After selecting an object in the tree under the Explore tab, click this button. You then switch to the Results tab, under which you see a fully expanded tree of all groups (objectClass: group) contained within the selected object.
File
  Connect: Log in to an LDAP database. Invokes a pop-up window from which you can select from currently accessible domains.
  Disconnect: Log out from the current LDAP domain.
  Print: Print the currently selected node.
  Exit: Close the browser window.
    Note: The browser continues running while a connection is active. During that time, the browser can be invoked again from Devices, Manage Device Groups, Import LDAP Groups.
View: Viewing options for the graphical menu items below the main menu.
  Show Button Bar: Below the main menu bar, at the left side. Default: On
  Show Search Bar: Below the main menu bar, at the right side. Default: On
Options
  Set LDAP Connection Timeout: Maximum time (seconds) before a connection attempt is canceled. This timeout is useful when multiple servers are specified for a particular LDAP domain. Default: 60 seconds
  Set Result Set Page Size: Maximum number of records in an LDAP directory before pagination is triggered for representation in the browser tree; also the number of records in each page of a paginated subtree. Default: 1000
Bookmark: A bookmark can be made on any leaf in a tree so you can select it later from the menu. Bookmarks are saved for each domain, and appear only when the browser is connected to that domain.
  Add Bookmark: Opens an editing window for bookmarking the currently selected leaf:
    DN – pre-populated with the current Distinguished Name (DN)
    Bookmark Name – pre-populated with the current Common Name (CN)
    Description
  Edit Bookmark: Opens a bookmark selection window. Selection in turn opens a bookmark editing window (see Add Bookmark).
  Delete Bookmark: Opens a bookmark selection window. Selection in turn deletes and confirms deletion of the bookmark.
Search
  Search Dialog: Opens a detailed search specification window. (Contrast to Quick Search.)
  Delete Filter: Opens a window with a list of filters for selection and deletion.
  Return Attribute Lists
  Paged Results
    Next Page of Results: Retrieve the next page of results and display a page wrapper in the Explore tree (green when applicable; gray when inapplicable).
Tools
  Stop Action: Suspends an LDAP request. Suspending a request is useful when the page size is large and the browser is searching a large database.
Privileged Access Manager Groups: Privileged Access Manager-specific menu items.
  Manage selected groups to register with the appliance: Lists all items that are currently selected (or staged) for import to Privileged Access Manager.
  Register selected groups with the appliance: Performs the import operation on the selected items, which are listed in Manage selected groups to register with the Privileged Access Manager appliance.
Icons appear in the Button Bar menu when that menu is active (or "on"). By default, the Button Bar is on.