Importing Users from LDAP
(This procedure is applicable from build 6310)

LDAP (Lightweight Directory Access Protocol) is a widely used standard protocol for accessing and managing directory services that provide a standardized approach to storing and retrieving information about users, devices, and other network resources. In PAM360, you can now integrate your organization's LDAP servers and import users of your organization. Post importation, you can manage their privilege to the respective resources available in the organization.

Similar to importing users from a file, AD, and Microsoft Entra ID, you can also import users from LDAP directory. Read further to know how.

Following are the detailed steps to configure LDAP server in PAM360 and import users into PAM360:

  1. Configuring LDAP Server in PAM360
  2. Importing Users from LDAP Server
    2.1 Importing Users from Groups/Organizational Units
    2.2 Importing Users using Search Filter
    2.3 Configuring User Synchronization between LDAP Server and PAM360
  3. Specifying Appropriate User Roles
  4. Enabling LDAP Authentication
  5. Managing LDAP Servers, Organizational Units, and Groups in PAM360

1. Configuring LDAP Server in PAM360

The first step is to provide the required server credential details in PAM360 to configure LDAP Server in PAM360. To do so, navigate to Admin >> Authentication >> LDAP and perform the steps that follow:

  1. Click the LDAP Server Details button from the LDAP Server Configuration page to add your LDAP server in PAM360. Alternatively, you can also access this page from Users >> Add User >> Import from LDAP.
  2. In the window that opens, click Add button or Add New Domain icon.
  3. In the new window that opens, fill in the details as follows:
    1. Enter the URL of the LDAP provider. For example., ldap pamwinsec23 389.
    2. You can configure the connection between LDAP Server and PAM360 to be over an encrypted channel (SSL) or Non-SSL. If you choose SSL mode as the connection mode, proceed with the following steps, else proceed with the next subsequent steps.
      1. To enable the SSL mode, the LDAP server should be serving over SSL in port 636, and you will have to import the LDAP server's root certificate, LDAP server's certificate, and all other certificates that are present in the respective root certificate chain into the PAM360's server machine's certificate store.
      2. To import certificates, open a command prompt and navigate to <PAM360_SERVER_HOME>\bin directory and execute the following command:
        For Windows:
        importCert.bat <Absolute Path of certificate>
        For Linux:
        importCert.sh <Absolute Path of certificate>
    3. Restart the PAM360 server and continue with the following steps.
    4. In the supply credentials, select Specify Username and Password manually or Use an account stored in PAM360. If you have selected Use an account stored in PAM360, select the respective LDAP Resource Name and the Account Name from PAM360.
    5. If you have selected Specify Username and Password manually, enter the credentials of any one of the users already present in LDAP for authentication. It should be in the format of how the user would have submitted their username when authenticating to your application. For example, a typical entry would look something like cn=eric,cn=users,dc=manageengine,dc=com
    6. Enter the Password of the given user.
    7. Enter the BaseDN information. This is the 'base' or 'root' from where directory lookups should take place. Enter the LDAP base (top level of the LDAP directory tree). Enter it exactly in the format used in your LDAP. No spaces are allowed between the commas or the '=' equal symbol and entries that are case-sensitive. For example.,dc=manageengine,dc=com.
    8. Select your LDAP Server Type from the options that follow:
      • Microsoft Active Directory
      • Novell eDirectory
      • OpenLDAP
      • Others
    9. If your LDAP server belongs to the type Microsoft Active Directory/Novell eDirectory/OpenLDAP, click Test.
    10. Upon successful test validation, click Save.
    11. If your LDAP server belongs to types other than Microsoft Active Directory/Novell eDirectory/OpenLDAP, specify the following additional details to authenticate the users:
      1. Enter the user login attribute in your LDAP structure in the text field for 'Login Attribute Label'. For instance, for LDAP making use of AD, the entry would be 'sAMAccountName' and for OpenLDAP, the entry would be 'uid'. If you are using any other LDAP, make this entry in accordance with your LDAP structure.
      2. Enter the e-mail attribute for the users in your LDAP structure in the text field for 'Mail Attribute'. For instance, for LDAP making use of AD, the entry would be 'mail'. If you are using any other LDAP, make this entry in accordance with your LDAP structure.
      3. Enter the distinguished name attribute - that is the LDAP attribute that uniquely defines this object. For instance, for LDAP making use of AD, the entry would be 'distinguishedName' and for OpenLDAP, the entry would be 'dn'. If you are using any other LDAP, make this entry in accordance with your LDAP structure.
      4. Enter the remaining attributes accordingly and Save the LDAP server configuration.

2. Importing Users from LDAP Server

Note: The role, language, and TFA fields are applicable only from PAM360 build 6700 and above.

You can import users from LDAP into PAM360 using Groups, Organizational Units (OUs), and Search Filters.

2.1 Importing Users from Groups/Organizational Units

  1. Navigate to the releavnt domain in the LDAP Server Details page and click Import >> Groups/Organizational Units.
  2. In the pop-up window that opens, locate the required groups/organizational units by using the Search option or the View all Groups/Organizational Units option.
  3. Select the required groups/organizational units from the available list by ticking the checkboxes beside them.
  4. After selecting the required groups/organizational units, assign user role, set user language, and configure TFA .
    1. Users imported from the LDAP server will be automatically assigned the default role. To change this, select the desired role from the Role dropdown field. The selected role will be applied to all users imported from the selected user group(s)/OU(s) in LDAP.
    2. Choose the desired language from the Language dropdown field for the users to be imported into PAM360.
    3. By default, Two-factor Authentication (TFA) is enabled for the users imported from the LDAP server. To disable TFA, toggle off the switch button beside the Two-Factor Authentication field.
  5. Click 'Save' to import users with the applied settings.

    6. Note: To create a dedicated user group in PAM360 with users from the selected Organizational Units (OUs), tick the Create a user group in PAM360 with users from the selected Organizational Units option before clicking Save.

  6. The imported groups and organizational units will appear in the respective domain window on the LDAP Server Details page.

2.2 Importing Users using Search Filters

Follow these steps to import users from LDAP into PAM360 using search filters:

  1. Navigate to the relevant domain on the LDAP Server Details page and click Import >> Using Search Filter.
  2. In the pop-up that opens, enter the following information:
    1. Search Filter: Enter the criteria to locate the desired users within the LDAP server to be imported into PAM360
    2. Group Name: Specify a group name to create a dedicated user group in PAM360 with the selected users.
    3. Organizational Unit: Input the OU name to restrict the search within a specific organizational unit.

      Note: If you specify an Organizational Unit (OU) in the designated field, the filter criteria will exclusively search within that specified OU, not throughout the entire baseDN. However, if no OU is provided, the filter criteria will extend to the entire baseDN.

    4. Select a user role and language from the Role and Language drop-down menus respectively, and toggle the switch beside each user to enable or disable Two-Factor Authentication.
  3. Click Import & Save to import users from LDAP into PAM360. This action will also create a schedule on the LDAP Server Details page.

Upon clicking the Import & Save button, PAM360 will promptly start importing all the users from the configured LDAP settings. In future imports, only new user entries in LDAP will be added to PAM360. Moreover, each new user will receive an email notification containing their account details and a password for accessing PAM360 when LDAP authentication is disabled.

2.3 Configuring Synchronization between LDAP Server and PAM360

PAM360 supports automatic synchronization of users whenever new entries are added to the LDAP server. You can configure this feature either individually or in bulk on the LDAP Server Details page.

  1. To synchronize the users from LDAP to PAM360, click on the Sync Schedule icon beside the desired LDAP configuration that corresponds to a Group, Organizational Unit, or Search Filter.
  2. In the pop-up that opens, specify the time interval at which PAM360 should query the LDAP server to keep the user details in sync. The interval can range from minutes to hours or days.
  3. Click Schedule to save the synchronization configuration.
  4. To schedule synchronization in bulk,
    1. Select the desired LDAP configurations that correspond to groups, organizational units, or search filters, and click the Sync Schedule button in the top pane.
    2. In the pop-up that opens, specify the time interval at which PAM360 should query the LDAP server to keep the user details in sync and click Save. The interval can range from minutes to hours or days.

3. Specifying Appropriate User Roles

After import, all the users imported from LDAP will be assigned the default user role. To delegate roles more effectively, in the Change Roles for Users dialogue box that opens, individually assign the respective user role using the Change Role button beside the desired user in the Actions column.

You can also assign specific roles to individual users imported from LDAP at any time by following these steps:

  1. Navigate to Admin >> Authentication >> LDAP and click Assign Roles Now.
  2. In the Change Roles for Users window, all the users imported from LDAP will be listed.
    1. Click the Change Role button beside the users for whom you wish to change the role.
    2. Choose an appropriate role from the drop-down menu.
  3. To change user roles in bulk, select the users using the checkboxes, click the Change Role button at the top, and choose an appropriate role from the drop-down menu. The changes will be saved as and when the roles are assigned

4. Enabling LDAP Authentication

The final step is to enable LDAP authentication, allowing users to log into PAM360 using their LDAP directory password. Follow these steps to enable LDAP Authentication in PAM360:

  1. Navigate to Admin >> Authentication >> LDAP.
  2. On the LDAP Server Configuration page, Click the Enable Now button to enable LDAP Authentication.

Notes:

  1. The LDAP authentication will only work for users already imported from LDAP into PAM360.
  2. Ensure you have at least one user with the Administrator role among those imported from LDAP.

5. Managing LDAP Servers, Organizational Units, and Groups in PAM360

(This procedure is applicable from build 7000)

Navigate to Admin >> Authentication >> LDAP >> LDAP Server Details. In the window that opens,

  1. Click the kebab menu icon beside the respective LDAP server to delete the existing one or edit entries pertaining to the LDAP server.
  2. Click the Edit/Delete icon beside the respective Organizational Unit, Group, or Search Filter to delete the imported LDAP configurations. In addition, you can also perform this operation in bulk by selecting the respective Organizational Units, Groups, or Search Filter and clicking on the Edit Schedules/Delete button at the top pane.

    Note: The deletion of Groups, Organizational Units, and Search Filters will exclusively remove their respective entries from the PAM360 database and will not impact any data within the LDAP server.
Top