How to configure LDAP (On-Prem only)
Users can configure LDAP Authentication through the platform interface. Chronicle SOAR allows you to configure granular permissions using Windows Active Directory and platform permission groups.
Configure LDAP Settings
The first stage is to configure the LDAP settings. Please note that the user you configure below (Admin DN) must have the appropriate permissions to query LDAP accounts. This user can be either an Admin or a User that has permissions to view the users who are allowed to log in to Chronicle SOAR. The suggested best practice is to use a service account in the built-in Windows Active Directory group ‘Account Operators’.
- Navigate to Settings > Advanced > General.
- In the LDAP Configuration area, fill out the following mandatory parameters:
- Host: Active Directory address [AD_server_address]:389 (Note that port 389 is the default port if TLS is not checked. If TLS is checked, then use port 636)
Example: 10.0.0.1:389
- Admin DN: Admin user distinguished name
Example: CN=admin, DC=ldapserver, DC=com
- Admin Password: Admin password
- User Base DN: A point from which the server will search for users
Example: DC=ldapserver, DC=com
- User Attribute: Attribute for the username
Note that if not specified otherwise the default attribute “sAMAccountName” will be used.
- Optionally, you can fill out the following parameters (or keep the default values):
- Group Attribute: Attribute for the group name
- First Name Attribute
- Last Name Attribute
- Email Attribute
- TLS: Relevant if LDAPS is used
- Trust Certificate: Relevant if LDAPS is used and TLS is checked
- To find the following attributes, run the PowerShell command:
Get-ADUser <username>
- Admin DN
- User Base DN
- User Attribute
- Group Attribute
- First Name Attribute
- Email Attribute
- Click Save when done.
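As an added example (not part of the original page), the following PowerShell script pulls the values the LDAP Configuration form asks for out of Active Directory, checks the service account's group membership, and test-binds to the host on the port that matches the TLS checkbox before you click Save. It assumes the RSAT ActiveDirectory module is available on a domain-joined host; the account name `svc-soar-ldap` and the server `DC01.ldapserver.com` are placeholders.

```powershell
# Added example: collect Chronicle SOAR LDAP settings from AD and verify the bind.
# Placeholders: 'svc-soar-ldap' (Admin DN account) and 'DC01.ldapserver.com' (AD host).
param(
    [string]$ServiceAccount = 'svc-soar-ldap',
    [string]$Server         = 'DC01.ldapserver.com',
    [switch]$UseTls          # mirrors the TLS checkbox in the form
)

Import-Module ActiveDirectory

# Admin DN: the distinguished name of the service account. Get-ADUser returns only a
# default property set, so mail and memberOf must be requested explicitly.
$svc = Get-ADUser -Identity $ServiceAccount -Server $Server -Properties mail, memberOf
Write-Host "Admin DN       : $($svc.DistinguishedName)"

# User Base DN: the domain naming context, the point from which users are searched.
$baseDn = (Get-ADDomain -Server $Server).DistinguishedName
Write-Host "User Base DN   : $baseDn"

# The page recommends a member of the built-in 'Account Operators' group; warn if the
# service account is not a direct member (nested membership is not resolved here).
$groups = $svc.memberOf | ForEach-Object { (Get-ADGroup -Identity $_ -Server $Server).Name }
if ($groups -notcontains 'Account Operators') {
    Write-Warning "$ServiceAccount is not a direct member of 'Account Operators'."
}

# Host: port 389 for plain LDAP, 636 when TLS (LDAPS) is checked.
$port = if ($UseTls) { 636 } else { 389 }
Write-Host "Host           : ${Server}:$port"

# Attribute names for the remaining fields, shown against one enabled account.
$sample = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $baseDn -Server $Server `
                     -ResultSetSize 1 -Properties givenName, sn, mail
Write-Host "User Attribute : sAMAccountName = $($sample.sAMAccountName)"
Write-Host "First Name Attr: givenName      = $($sample.givenName)"
Write-Host "Last Name Attr : sn             = $($sample.sn)"
Write-Host "Email Attribute: mail           = $($sample.mail)"

# Bind test with the same DN/password the form will use (simple bind, as the form does).
$cred = Get-Credential -UserName $svc.DistinguishedName -Message 'Admin Password'
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection("${Server}:$port")
$conn.SessionOptions.SecureSocketLayer = $UseTls.IsPresent
$conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
$conn.Credential = $cred.GetNetworkCredential()
try   { $conn.Bind(); Write-Host "Bind OK on ${Server}:$port" }
catch { Write-Error "Bind failed: $($_.Exception.Message)" }
```

Run it with `-UseTls` if you intend to check TLS in the form, so the bind test exercises port 636 and the certificate the server presents.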
Configure User Authentication Groups
The next stage is to configure User Authentication groups for the specific AD group.
- Navigate to Settings > Organization > Permissions.
- Make sure you highlight the required Permission Group on the left (for example: Readers, Admins, etc.).
- In the Active Directory Groups, make sure to add the name of the AD group that holds your users.
- Don’t forget to click Save.
Test the Configuration
- Log out of the system.
- Make sure the login screen now shows the Login with LDAP checkbox.
- Use your Active Directory email and password to log in.
- Make sure to select the Login with LDAP checkbox.