How to populate a group from LDAP

How to import data from an LDAP server to use in Guardium® groups.

About this task

Configure Guardium with your LDAP server, and then import on demand, or schedule an import in the future.

When importing LDAP users:

  • The Guardium admin user account will not be changed in any way.
  • You have the option to clear existing members from a group before importing.
  • Existing user passwords will not be changed.
  • By default, new users are disabled when added, assigned the user role, and have blank passwords.
Note:

Special characters are not supported in user names.

If you are scheduling an import, check which other imports are already scheduled for that time: scheduled imports that overlap affect each other's behavior.

Procedure

Configure your LDAP server with your Guardium system. Open the Group Builder by clicking Setup > Group Builder (Legacy), and fill out the required information.
  1. For LDAP Host Name, enter the IP address or host name for the LDAP server to be accessed.
  2. For Port, enter the port number for connecting to the LDAP server.
  3. Select the LDAP server type from the Server Type menu.
  4. Check the Use SSL Connection check box if Guardium is to connect to your LDAP server over an SSL/TLS connection. Use it whenever the LDAP server supports it: over a plain connection, the credentials entered in Log In As and Password, and every entry returned by the search, cross the network in cleartext.
  5. For Base DN, specify the node in the tree at which to begin the search. For example, a company tree might begin like this: DC=encore,DC=corp,DC=root
  6. For Attribute to Import, enter the attribute that will be used to import users (for example: cn). Each attribute has a name and belongs to an objectClass.
  7. Check the Clear existing group members before importing check box if you want to delete all existing group members before importing.
  8. For Log In As and Password, enter the account that Guardium will use to bind to the LDAP server. Use a dedicated read-only service account; the import only needs to search the directory.
  9. For Search Filter Scope, select One-Level to search only the entries directly under the Base DN, or select Sub-Tree to search the Base DN and every level beneath it.
  10. For Limit, enter the maximum number of items to be returned. We recommend that you use this field to test new queries or modifications to existing queries, so that you do not inadvertently load an excessive number of members.
  11. Optional: For Search Filter, enter an LDAP search filter that narrows the entries found under the Base DN and scope set in the previous steps. Typically, imports are based on membership in an LDAP group, so you would filter on the memberOf attribute, whose value is the full DN of the group. For example: memberOf=CN=syyTestGroup,DC=encore,DC=corp,DC=root
  12. Click Apply to save the configuration settings.

    The Status indicator in the Configuration - General section will change to LDAP import currently set up for this group as follows and the Modify Schedule and Run Once Now buttons will be enabled. You can now import from your LDAP server.

    Set Up LDAP Import panel

What to do next

Run or schedule an import.

  • Schedule an LDAP import by clicking Modify Schedule, filling out the schedule information, then clicking Save.

    Schedule Definition

  • To run the import on demand, click Run Once Now. After the task completes, the set of members satisfying your selection criteria will be displayed in the LDAP Query Results panel.
Note:

When you import on demand, you have the opportunity to accept or reject each entry returned from the LDAP server.

When you schedule an LDAP import, all of the LDAP entries that satisfy your search criteria will be imported.

Verify that members have been added to a group by selecting the group in the Group Builder, then clicking Modify (the modify icon), and looking at the group's membership.

For larger groups, it may be easier to verify members by using the Guardium Group Details report (Reports > Guardium Group Details).
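The procedure above and the on-demand or scheduled run that follows it offer no way to see what a filter will return until you run it against the live directory. The following Python script is an added example, not Guardium code and not part of the original page: it models the Set Up LDAP Import fields (Base DN, Search Filter Scope, Search Filter, Attribute to Import, Limit, Clear existing group members) over a constructed directory snapshot so you can preview which members an import would select, and it prints the equivalent OpenLDAP ldapsearch command for testing the same query outside Guardium. The sample entries, the host ldap.example.com, the bind DN CN=guardium-ro,OU=svc,DC=encore,DC=corp,DC=root, and the VALID_NAME pattern (a conservative reading of "special characters are not supported") are all assumptions.

```python
"""Dry-run preview of a Guardium-style LDAP group import.

Added example, not Guardium code. It models the Set Up LDAP Import fields
over a constructed directory snapshot so a filter can be sanity-checked
before Run Once Now. Assumptions are marked in comments."""

import re
import shlex

BASE_DN = "DC=encore,DC=corp,DC=root"
GROUP_DN = "CN=syyTestGroup,DC=encore,DC=corp,DC=root"

# Constructed sample entries standing in for real LDAP search results.
DIRECTORY = [
    {"dn": "CN=alice,DC=encore,DC=corp,DC=root", "cn": "alice", "memberOf": [GROUP_DN]},
    {"dn": "CN=bob,OU=dba,DC=encore,DC=corp,DC=root", "cn": "bob", "memberOf": [GROUP_DN]},
    {"dn": "CN=carol,DC=encore,DC=corp,DC=root", "cn": "carol",
     "memberOf": ["CN=other,DC=encore,DC=corp,DC=root"]},
    {"dn": "CN=d(ave),DC=encore,DC=corp,DC=root", "cn": "d(ave)", "memberOf": [GROUP_DN]},
]

# Assumption: the page only says special characters are unsupported; this is a
# conservative reading of which user names Guardium will accept.
VALID_NAME = re.compile(r"^[A-Za-z0-9._-]+$")


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value spliced into a search filter, so a group
    name containing '(', ')' or '*' cannot change the filter's structure."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)


def unescape_filter_value(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def member_of_filter(group_dn: str) -> str:
    """The step-11 filter, wrapped in parentheses and escaped."""
    return f"(memberOf={escape_filter_value(group_dn)})"


def get_attr(entry: dict, attr: str) -> list:
    """Case-insensitive attribute lookup; always returns a list."""
    for key, val in entry.items():
        if key.lower() == attr.lower():
            return val if isinstance(val, list) else [val]
    return []


def in_scope(entry_dn: str, base_dn: str, scope: str) -> bool:
    """One-Level: entries directly under the base. Sub-Tree: any descendant."""
    norm = lambda dn: re.sub(r",\s+", ",", dn.lower())
    e, b = norm(entry_dn), norm(base_dn)
    parent = ",".join(re.split(r"(?<!\\),", e)[1:])  # drop the leftmost RDN
    if scope == "one-level":
        return parent == b
    if scope == "sub-tree":
        return e.endswith("," + b)
    raise ValueError(f"unknown scope {scope!r}")


def matches_filter(entry: dict, filt: str) -> bool:
    """Evaluate a single equality filter such as (memberOf=<group DN>).
    Only that filter shape is implemented; it is the one the page uses."""
    m = re.fullmatch(r"\(?([A-Za-z][\w-]*)=(.*?)\)?", filt)
    if not m:
        raise ValueError(f"unsupported filter {filt!r}")
    want = unescape_filter_value(m.group(2)).lower()
    return any(v.lower() == want for v in get_attr(entry, m.group(1)))


def preview_import(entries, base_dn, scope, filt, attribute, limit,
                   existing=(), clear_existing=False):
    """Return (group members after the import, names skipped as invalid)."""
    selected = []
    for entry in entries:
        if in_scope(entry["dn"], base_dn, scope) and matches_filter(entry, filt):
            selected.append(entry)
            if limit and len(selected) >= limit:  # Limit field, 0 = unlimited
                break
    members = [] if clear_existing else list(existing)
    skipped = []
    for entry in selected:
        for name in get_attr(entry, attribute):
            if not VALID_NAME.match(name):
                skipped.append(name)
            elif name not in members:
                members.append(name)
    return members, skipped


def ldapsearch_command(host, port, use_ssl, bind_dn, base_dn, scope, filt, attribute, limit):
    """Equivalent OpenLDAP ldapsearch invocation for testing the query outside
    Guardium. -W prompts for the bind password so it stays out of shell history."""
    uri = f"{'ldaps' if use_ssl else 'ldap'}://{host}:{port}"
    args = ["ldapsearch", "-H", uri, "-D", bind_dn, "-W", "-b", base_dn,
            "-s", "one" if scope == "one-level" else "sub", "-z", str(limit),
            filt, attribute]
    return " ".join(shlex.quote(a) for a in args)


if __name__ == "__main__":
    filt = member_of_filter(GROUP_DN)
    for scope in ("one-level", "sub-tree"):
        print(scope, preview_import(DIRECTORY, BASE_DN, scope, filt, "cn", 0))
    print(ldapsearch_command("ldap.example.com", 636, True,
                             "CN=guardium-ro,OU=svc,DC=encore,DC=corp,DC=root",
                             BASE_DN, "sub-tree", filt, "cn", 10))
```

Running the script shows the difference the scope makes (bob, who sits in the OU=dba container, is selected only with Sub-Tree), that a small Limit truncates the result set rather than filtering it, and that an entry whose cn contains special characters is reported as skipped instead of silently dropped. The printed ldapsearch command uses ldaps and prompts for the password, which is the same posture the Use SSL Connection check box and a read-only bind account give the Guardium import itself.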