LDAP Plugin for User Risk Exchange
This document explains how to configure your LDAP server with the User Risk Exchange workflow of the Netskope Cloud Exchange platform. The LDAP plugin can perform operations such as adding users to a group and removing users from a group.
Prerequisites
- A Netskope Cloud Exchange tenant with the User Risk Exchange module already configured.
- Your LDAP Server address, Port, Username, Password, Search Base, and Certificate (only in case of a secured port).
LDAP Plugin Support
| Action | Supported |
|---|---|
| Add to Group | Yes |
| Remove from Group | Yes |
| No Action | Yes |
Workflow
- Provide User permissions.
- Get your LDAP path.
- Configure the LDAP plugin.
- Configure a Business Rule.
- Configure Actions.
- Validate the plugin.
Provide User permissions
The user account that you use to configure the LDAP plugin must have these permissions: create, delete, and manage groups.
Follow these steps to grant the permissions to a user.
- Open your server manager.
- Select the LDAP Server, right-click and open Active Directory Users and Computers.
- Select the folder in which your user exists. For example, if your user Test LDAP exists in the Users directory, then right-click on that directory, and open Delegate Control.
- Click Next.
- Click Add and choose the user to which you want to grant the permissions.
- Enter the object name (username) and click Check Names. If the user exists, its full name is filled in automatically.
- Click OK.
- Click Next.
- You’ll see these options.
- To run the LDAP plugin, select the permission: Create, delete and manage groups.
- Click Next and then click Finish.
Now your user has enough permissions to run the LDAP User Risk Exchange plugin.
Get your LDAP Search Base Path
- Go to your LDAP server.
- Open Server Manager.
- Click Tools and select Active Directory Administrative Center.
- This screen will open.
- Select any of the folders where your groups are stored. For example, my groups are stored in the Users folder, so I’ll use the path of the Users directory as the Search base in the plugin configuration. You can also select a base path, as shown in the above screenshot.
- Click on the top screen: Active Directory Administrative Center > ldapstest(local).
- After clicking it, you’ll see this screen.
- Copy that Path to use it in the plugin configuration.
Configure the LDAP Plugin
You will need these to configure the plugin:
- Server address. The IP address or DNS name of the LDAP server, for example 10.50.3.193.
- Port. The port number of the LDAP server.
- Username. The user account whose credentials the plugin uses to perform actions on users.
- Password. The password of that user.
- Search base. The base path (distinguished name) under which the groups are fetched; you can get it from the server as described above.
- In Cloud Exchange, go to Settings > General and enable the User Risk Exchange module.
- Go to Settings > Plugins. Search for and select LDAP (URE) to configure the plugin.
- Enter a Configuration Name, and change the Sync Interval as per your requirement, or keep the default.
- Click Next.
- Enter the Configuration Parameters. These are your LDAP Server Address, Port, Username, Password, Search Base, and Certificate (in case of a secured port).
- Server Address (IP/DNS)
- Port
- Username
- Password. The password of the user; it can be obtained from the server configuration.
- Search Base. The base path from which the users and groups are fetched. Example: CN=Users,DC=ldapstest,DC=local. Here, DC is the Domain Component and CN is the Common Name.
- Certificate. Can be obtained from the server administrator.
- Click Next.
- Keep the default range because the LDAP plugin does not support fetching user scores.
- Click Save.
- Now you’ll be able to see the LDAP plugin in Risk Exchange > Plugins.
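The search base above is a distinguished name (DN): a comma-separated chain of relative DNs read from the most specific component on the left to the domain components on the right, and the plugin only finds groups that sit under it. The following helper, which is an added example and not part of the Netskope plugin or of Cloud Exchange, parses a DN into its components and checks whether a group DN falls inside a configured search base before you save the configuration. The DNs used in the checks are constructed from the example value on this page (ldapstest.local); the comparison is case-insensitive because Active Directory treats DNs that way.

```python
"""Sanity checks for an LDAP search base, using only the standard library.

Added example; not the Netskope LDAP plugin's code. All DNs are constructed
sample values based on the documented example CN=Users,DC=ldapstest,DC=local.
"""
from __future__ import annotations

import re


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN such as CN=Users,DC=ldapstest,DC=local into
    (attribute, value) pairs, most specific component first.

    A comma escaped with a backslash inside a value (e.g. CN=Smith\\, John)
    is part of the value, not a separator.
    """
    rdns: list[tuple[str, str]] = []
    for part in re.split(r"(?<!\\),", dn):
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def domain_from_search_base(search_base: str) -> str:
    """Join the DC (Domain Component) values into the DNS domain name,
    e.g. CN=Users,DC=ldapstest,DC=local -> ldapstest.local."""
    return ".".join(value for attr, value in parse_dn(search_base) if attr == "DC")


def is_within_search_base(entry_dn: str, search_base: str) -> bool:
    """True if entry_dn is the search base itself or lies beneath it.

    A DN is "under" the base when its trailing components equal the base's
    components; matching is case-insensitive on both attribute types and
    values, as Active Directory compares DNs.
    """
    entry = [(attr, value.lower()) for attr, value in parse_dn(entry_dn)]
    base = [(attr, value.lower()) for attr, value in parse_dn(search_base)]
    if len(base) > len(entry):
        return False
    return entry[len(entry) - len(base):] == base


def check_groups(search_base: str, group_dns: list[str]) -> dict[str, bool]:
    """Report, for each group DN the action configuration will target,
    whether the plugin's search base would actually reach it."""
    return {dn: is_within_search_base(dn, search_base) for dn in group_dns}


if __name__ == "__main__":
    # Constructed sample: one group under the documented search base and one
    # in an OU the search base does not cover.
    base = "CN=Users,DC=ldapstest,DC=local"
    for dn, ok in check_groups(base, [
        "CN=netskope,CN=Users,DC=ldapstest,DC=local",
        "CN=netskope,OU=Groups,DC=ldapstest,DC=local",
    ]).items():
        print(f"{'reachable' if ok else 'NOT reachable'}: {dn}")
```

A group reported as not reachable will never be populated by the plugin, however the action is configured; either move the search base up (for example to DC=ldapstest,DC=local) or pick a group under the current base.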
Configure a User Risk Exchange Business Rule for LDAP
- In User Risk Exchange, go to Business Rules and click Create New Rule.
- Add a rule name and query based on your requirement, and then click Save.
Configure User Risk Exchange Actions for LDAP
- In User Risk Exchange, go to Actions and click Add Action Configuration.
- Select your Business Rule and LDAP plugin from the dropdown lists.
- Select the action that you want to perform.
- Add to Group: Whenever the Business Rule triggers this action, the matched users are added to the group.
Note: Selecting Yes in the Remove from all Other Groups dropdown while performing the Add to Group action will remove the user from all existing groups and add the user to the group mentioned in the action configuration.
- Remove from Group: This action removes users from the group.
- No Action: This action does not perform any action on users.
- Select the group name (location) from the Group dropdown list to which you want to add, or from which you want to remove, your user.
Tip
You can select multiple groups to add a user using a single action configuration.
- The Group Name textbox is an optional parameter. It is needed only when you want to create a new group, which you do by selecting Create New Group from the Group dropdown list.
- Click Save. The configured action will be listed on the Actions page as shown here.
- Wait for the actions to be performed, or click Sync (shown above). Select the time period and then click Fetch and Sync. The actions will be performed on the user after Sync is clicked.
Validate the LDAP Plugin
You can Validate the LDAP plugin workflow in Netskope Cloud Exchange and on the LDAP server.
Validate in Cloud Exchange
Go to Action Logs. Filter the logs by Business Rule, Plugin Configuration, and Action type to confirm that each action was performed.
Validate on the LDAP Server
- Open Server Manager on your LDAP server.
- Click Tools and open the Active Directory Administrative Center by selecting it in the dropdown list.
- You’ll be able to see the dashboard as shown below.
- Open the Search Base path that you used in the Search Base while configuring the LDAP plugin.
- Here you’ll be able to see the group that you’ve selected to perform actions.
- Click on the group and scroll down to Members.
- Here the proctor1 user has been added to the netskope group. If you double-click proctor1, you’ll be able to see that the proctor1 user was added because its email ID is proctor1@netskope.tech.
In the same way, you can verify that Remove from Group actions and No Action were performed.
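The validation above is done by hand in the Administrative Center: find the group under the search base, open its Members, and confirm the user whose email matches the one the Business Rule acted on. The following script repeats that check against an LDIF export of the same entries, which is useful when many users are actioned at once. It is an added example, not part of the Netskope plugin or Cloud Exchange; the LDIF embedded below is constructed sample data modelled on the names on this page (proctor1, the netskope group, ldapstest.local), and it assumes a plain LDIF export (no base64 values, no folded lines) such as ldifde or ldapsearch produce.

```python
"""Check the outcome of an Add to Group / Remove from Group action from an
LDIF export of the users and the target group.

Added example; not the Netskope LDAP plugin's code. SAMPLE_LDIF is
constructed sample data, not a real directory export.
"""
from __future__ import annotations

# Constructed export: proctor1 is already in the netskope group, proctor2 is not.
SAMPLE_LDIF = """\
dn: CN=proctor1,CN=Users,DC=ldapstest,DC=local
objectClass: user
cn: proctor1
mail: proctor1@netskope.tech

dn: CN=proctor2,CN=Users,DC=ldapstest,DC=local
objectClass: user
cn: proctor2
mail: proctor2@netskope.tech

dn: CN=netskope,CN=Users,DC=ldapstest,DC=local
objectClass: group
cn: netskope
member: CN=proctor1,CN=Users,DC=ldapstest,DC=local
"""


def parse_ldif(text: str) -> dict[str, dict[str, list[str]]]:
    """Parse minimal LDIF (entries separated by blank lines) into
    {dn: {attribute: [values]}}. Attribute names are lower-cased; DN and
    attribute values are kept as written."""
    entries: dict[str, dict[str, list[str]]] = {}
    current: dict[str, list[str]] | None = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            current = None  # blank line ends the current entry
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value, {})
            continue
        if current is None:
            raise ValueError(f"attribute line before any dn: {line!r}")
        current.setdefault(attr, []).append(value)
    return entries


def find_user_dn_by_mail(entries: dict[str, dict[str, list[str]]], mail: str) -> str | None:
    """Return the DN of the entry whose mail attribute matches (case-insensitive),
    mirroring the email-ID check done in the Administrative Center."""
    for dn, attrs in entries.items():
        if any(v.lower() == mail.lower() for v in attrs.get("mail", [])):
            return dn
    return None


def is_member(entries: dict[str, dict[str, list[str]]], user_dn: str, group_dn: str) -> bool:
    """True if the group's member attribute lists the user's DN (the link that
    Add to Group creates and Remove from Group deletes)."""
    group = entries.get(group_dn)
    if group is None:
        return False
    return any(v.lower() == user_dn.lower() for v in group.get("member", []))


def membership_state(ldif_text: str, mail: str, group_dn: str) -> str:
    """Summarise what the export shows for one actioned user:
    'member', 'not a member', or 'user not found'."""
    entries = parse_ldif(ldif_text)
    user_dn = find_user_dn_by_mail(entries, mail)
    if user_dn is None:
        return "user not found"
    return "member" if is_member(entries, user_dn, group_dn) else "not a member"


if __name__ == "__main__":
    group = "CN=netskope,CN=Users,DC=ldapstest,DC=local"
    for mail in ("proctor1@netskope.tech", "proctor2@netskope.tech", "nobody@netskope.tech"):
        print(f"{mail}: {membership_state(SAMPLE_LDIF, mail, group)}")
```

After an Add to Group action, every email the Business Rule matched should report "member"; after Remove from Group, "not a member". A "user not found" result means the email in Cloud Exchange does not match any mail attribute under the search base, which is the first thing to check when an action shows in Action Logs but the group does not change.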