Add an Active Directory IDMS
The Active Directory IDMS does not store any user passwords. On every user authentication, it forwards a request via LDAP to the Active Directory for verification. If the verification succeeds, the user is logged in. User and group memberships from Active Directory sync every 60 minutes. Kion does not allow editing any of the attributes of users or groups that come from Active Directory. You can still add users from an Active Directory IDMS to standard User Groups in Kion.
There are examples of the User LDAP Filter, Group LDAP Filter, and DN fields below.
To add a new Active Directory IDMS:
- In the left navigation menu, select Users > Identity Management Systems.
- Click Add New.
- In the Select an IDMS type dropdown menu, select Active Directory.
- In the Name field, enter a name to describe the IDMS.
- In the Username field, enter the distinguished name of a user that can bind to LDAP to verify passwords.
- In the Password field, enter the password for the username above.
- In the Hostname field, enter the hostname or the IP address of an LDAP server. You can also enter in more than one hostname or IP by separating the entries by a comma.
- In the Port field, enter the port on which to communicate with an LDAP server. This is typically 389 for LDAP and 636 for LDAPS.
- Check the SSL checkbox if LDAPS should be used when communicating with the LDAP server.
- In the User LDAP Filter field, enter the LDAP filter that will be used to determine whether a user is imported, synced, and allowed access to Kion.
- In the Group LDAP Filter field, enter the LDAP filter that will be used to determine if a group is imported and synced to Kion.
- In the DN field, enter the base DN for all LDAP requests. The group DNs used in the LDAP filters above should fall under this base DN.
- You can test the Active Directory connection with the Test Active Directory Connection button.
- Click Create IDMS.
User LDAP Filter Example
This is an example of a user LDAP filter:
(memberOf=cn=cloudtamer-users,ou=groups,ou=cloudtamer,dc=example,dc=com). Only users that are a member of the cloudtamer-users LDAP group will be imported into Kion.
Group LDAP Filter Example
This is an example of a group LDAP filter:
(memberOf=cn=cloudtamer-groups,ou=groups,ou=cloudtamer,dc=example,dc=com). Only groups that are a member of the cloudtamer-groups LDAP group will be imported into Kion.
DN Example
This is an example of a DN:
dc=example,dc=com. This is the base DN for all LDAP requests.
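The following Python script is added here as an example; it is not part of Kion or of this page. It builds the (memberOf=...) filters from the group DNs in the examples above and checks that a filter typed into the User LDAP Filter or Group LDAP Filter field names a group that falls under the base DN entered in the DN field, which is the consistency the steps above call for. The group and base DN values are constructed to match the page's examples, and the "Cloud (Prod)*" group name is a constructed value showing RFC 4515 escaping of filter metacharacters. Nothing here contacts an LDAP server.

```python
import re

# Constructed sample values mirroring the examples above; no LDAP server is contacted.
SAMPLE_BASE_DN = "dc=example,dc=com"
SAMPLE_USER_GROUP_DN = "cn=cloudtamer-users,ou=groups,ou=cloudtamer,dc=example,dc=com"
SAMPLE_GROUP_GROUP_DN = "cn=cloudtamer-groups,ou=groups,ou=cloudtamer,dc=example,dc=com"


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515, section 3).

    '*', '(', ')', '\\' and NUL would otherwise change the filter's structure.
    """
    special = {"*", "(", ")", "\\", "\x00"}
    return "".join("\\%02x" % ord(ch) if ch in special else ch for ch in value)


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split 'cn=a,ou=b,dc=example,dc=com' into [('cn', 'a'), ('ou', 'b'), ...].

    Handles the plain DNs used in the examples above. Commas or '=' inside a
    value need RFC 4514 escaping, which this helper does not implement; such
    input is reported as a malformed RDN rather than silently misparsed.
    """
    rdns = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.partition("=")
        attr, value = attr.strip(), value.strip()
        if not sep or not attr or not value:
            raise ValueError(f"malformed RDN {rdn!r} in DN {dn!r}")
        rdns.append((attr.lower(), value))
    return rdns


def dn_within_base(dn: str, base_dn: str) -> bool:
    """True when `dn` sits under `base_dn`, i.e. base_dn is its suffix.

    Attribute types and values are compared case-insensitively, which matches
    how Active Directory treats DC/OU/CN values.
    """
    tail = [(a, v.lower()) for a, v in parse_dn(dn)]
    base = [(a, v.lower()) for a, v in parse_dn(base_dn)]
    return len(tail) >= len(base) and tail[-len(base):] == base


def member_of_filter(group_dn: str, base_dn: str) -> str:
    """Build the '(memberOf=<group DN>)' filter shown in the examples above,
    refusing a group that lies outside the base DN the IDMS will search."""
    if not dn_within_base(group_dn, base_dn):
        raise ValueError(f"{group_dn} is not under base DN {base_dn}")
    return f"(memberOf={escape_filter_value(group_dn)})"


def check_filter(ldap_filter: str, base_dn: str) -> list[str]:
    """Lint a filter as typed into the User/Group LDAP Filter field.

    Returns a list of problems; an empty list means the filter is a single
    memberOf clause whose group DN lies under `base_dn`.
    """
    problems = []
    if ldap_filter.count("(") != ldap_filter.count(")"):
        problems.append("unbalanced parentheses")
    match = re.fullmatch(r"\(memberOf=(.+)\)", ldap_filter, flags=re.IGNORECASE)
    if not match:
        problems.append("expected a single (memberOf=<group DN>) filter")
        return problems
    try:
        if not dn_within_base(match.group(1), base_dn):
            problems.append(f"group DN is not under base DN {base_dn}")
    except ValueError as exc:
        problems.append(str(exc))
    return problems


if __name__ == "__main__":
    for name, group_dn in (("User", SAMPLE_USER_GROUP_DN), ("Group", SAMPLE_GROUP_GROUP_DN)):
        flt = member_of_filter(group_dn, SAMPLE_BASE_DN)
        print(f"{name} LDAP Filter: {flt}  problems={check_filter(flt, SAMPLE_BASE_DN)}")
    # A group name containing filter metacharacters (constructed value) is
    # escaped instead of being allowed to alter the filter's structure.
    print(member_of_filter("cn=Cloud (Prod)*,ou=groups,dc=example,dc=com", SAMPLE_BASE_DN))
```

Run the script as-is to print the two filters from the examples above and confirm they lint cleanly against dc=example,dc=com; point check_filter at a filter copied out of the IDMS form to catch a group DN from a different domain or a missing closing parenthesis before the 60-minute sync silently imports nothing.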