Integrating AD with LDAP

Introduction

Active Directory (AD) is a directory service that stores information about objects on the network in a logical, hierarchical manner. Administrators control and manage access to network resources based on the permissions assigned to the AD user role. Lightweight Directory Access Protocol (LDAP) is the application protocol that directory services use to authenticate users; it makes it easier to connect to, search, and modify directories, and it also provides access to an existing directory.

Prerequisites

  • The IP address or host name of the LDAP server.
  • An administrator account and its credentials on the LDAP server.
  • The organization's Active Directory information.
  • A system with at least 2 GB of disk space and 1 GB of memory.
  • The base distinguished name that needs to be entered in the LDAP fields.

How does Active Directory work with LDAP?

There are two LDAP authentication methods for accessing Active Directory:

  • Simple Authentication: In this method, a bind request is created from the user's credentials and forwarded to the server, which grants or rejects the authentication.
  • SASL (Simple Authentication and Security Layer) Authentication: This framework first binds to the LDAP server through a third-party authentication service, and the authentication request is approved or rejected on that basis. Because several authentication mechanisms can be deployed under this method, each running as a separate process, it can provide stronger security than a simple bind.

Process

Follow the steps below to integrate LDAP with Active Directory:

  1. Log in to Active Directory using an administrator account.
  2. Scroll down to the LDAP Support section and choose the Server Overview tab.
  3. A pop-up displays the fields that need information about the LDAP account.
  4. Fill in the Server and Port fields. For Server, use the domain name or the IP address; for Port, use 389 for an unencrypted LDAP connection or 636 for an encrypted (LDAPS) connection.
  5. In the Base DN field, enter the complete base distinguished name of the AD, including the suffix.
  6. Set the Search Scope to the required search level: 0 limits the search to the base object, 1 extends it to the immediate child objects, and 2 searches the whole subtree, that is, the base object and all objects below it. Scope 2 is the default.
  7. For the Username Attribute, enter the name of the attribute that needs to be searched in the directory.
  8. Enter the Search Filter string. This string is used in the LDAP search to locate and filter objects in AD; for example, (objectclass=user) matches all entries whose object class is user.
  9. Click Verify to ensure that the applied settings are correct.
  10. Enter the details of the administrator account.
  11. Click Save to apply the changes.
  12. To enable LDAP authentication for users, go to Admin and select User Management.
  13. All available users are listed. Select the user for whom LDAP needs to be enabled.
  14. Click Advanced and check the LDAP Authentication option.
  15. Click Save to apply the changes.
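The fields gathered in steps 4 to 8, as an added example that is not part of the original post: a small Python check of the Server Overview settings before they are saved, plus the filter that a login lookup would build by combining the Search Filter with the Username Attribute (that combination, the server name, the base DN and the sAMAccountName default are assumptions, not taken from the post).

```python
"""Sanity-check the LDAP settings described above (server, port, base DN,
search scope 0/1/2, username attribute, search filter) before saving them."""
import re
from dataclasses import dataclass

# Search Scope codes from the Server Overview form, mapped to LDAP scope names.
SCOPES = {0: "base", 1: "onelevel", 2: "subtree"}

# RFC 4515 escaping: characters with meaning inside a filter are hex-encoded,
# otherwise a typed-in username could change the shape of the search filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


@dataclass
class LdapSettings:
    server: str                      # domain name or IP address (step 4)
    port: int                        # 389 plain LDAP or 636 LDAPS (step 4)
    base_dn: str                     # full base DN with suffix (step 5)
    search_scope: int = 2            # 0 base, 1 one level, 2 subtree (step 6)
    username_attribute: str = "sAMAccountName"  # assumed default (step 7)
    search_filter: str = "(objectclass=user)"   # example from step 8


def check_settings(s: LdapSettings) -> list[str]:
    """Return the problems found; an empty list means the settings look sane."""
    problems = []
    if s.port == 389:
        # A simple bind on 389 sends the password in clear text on the wire.
        problems.append("port 389 is unencrypted; prefer 636 (LDAPS)")
    elif s.port != 636:
        problems.append(f"unexpected port {s.port}")
    if s.search_scope not in SCOPES:
        problems.append(f"search scope must be 0, 1 or 2, got {s.search_scope}")
    if not re.fullmatch(r"(?:\s*(?:DC|OU|CN)=[^,]+\s*,?)+", s.base_dn, re.I):
        problems.append(f"base DN is not a distinguished name: {s.base_dn!r}")
    if (s.search_filter.count("(") != s.search_filter.count(")")
            or not s.search_filter.startswith("(")):
        problems.append(f"search filter is not balanced: {s.search_filter!r}")
    return problems


def login_filter(s: LdapSettings, username: str) -> str:
    """Filter used to locate the account of a user who is logging in."""
    return f"(&{s.search_filter}({s.username_attribute}={escape_filter_value(username)}))"
```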