14.4 LDAP Group Lookup

The LDAP Group lookup feature retrieves LDAP group membership information for a user whose details are stored in external LDAP directories, such as NetIQ eDirectory, OpenLDAP, or Microsoft Active Directory. The information fetched can be used to perform external group matching in the rules.

14.4.1 Creating the LDAP Account in the Credential Vault

To create an LDAP account in the vault, click Credential Vault > LDAP / Active Directory > Vault Name, click the + icon next to Resources, and provide the required information. For more information about the resource fields, see Contextual Help.

14.4.2 Defining the User Group

After creating an LDAP account, define a group to refer to the external LDAP group. For information on creating a user group, see Adding a User Group.

To configure an existing user group, perform the following:

  1. On the home page of the console, click Command Control.

  2. In the navigation pane, click the Account Groups icon, then click User Groups.

  3. In the details pane, select the user group that you want to modify, then click the edit icon next to the user group name.

  4. Configure the following fields:

    Name: Specify a name for the group.

    Type: You must select the External Group check box.

    External Group:

    Description: Describe the purpose of this user group.

    Manager Name, Manager Tel., Manager Email: Specify the name, telephone number, and e-mail address of the manager of this user group.

    Users: Add or change the users you want to include in this group. You can type the user names, one on each line, or paste them from elsewhere.

    For example, the external group can be matched by using the %:=~/^[Cc][Nn]=G*/ regular expression. This expression matches all external groups starting with Cn=G and followed by anything, where the user is a member of the group.

    User Groups: From the list of groups you have already defined, select the user groups you want to include as subgroups of this user group. You can also add subgroups by dragging and dropping groups onto the target user group in the navigation pane.

  5. Click Finish.

    You can now use this user group in rule conditions or as a script entity.
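The external group match above is a regular expression applied to the group names returned by the directory, so it is worth seeing what a given pattern does and does not match before a rule depends on it. The following is an added Python example, not the product's own matching engine; the group DNs are constructed sample values, and the helper names are assumptions. It applies the expression from the text exactly as written and, beside it, a stricter form. Note that in a regular expression `G*` means zero or more G characters, so `^[Cc][Nn]=G*` as written matches any group name that begins with cn=, while `^[Cc][Nn]=G` matches only those beginning with cn=G; the `^` anchor in both means a DN that merely contains cn=G further along is not matched.

```python
import re

# Constructed sample: group DNs as a directory might return them for one user.
# Hypothetical names, not taken from any real directory.
SAMPLE_GROUPS = [
    "cn=GlobalAdmins,ou=groups,dc=example,dc=com",
    "CN=G-Helpdesk,OU=Groups,DC=example,DC=com",
    "cn=Developers,ou=groups,dc=example,dc=com",
    "ou=Gateway,cn=Guests,dc=example,dc=com",   # cn=G appears, but not at the start
]

# Pattern exactly as written in the text (G* = zero or more G characters).
PAGE_PATTERN = r"^[Cc][Nn]=G*"
# Stricter form: requires a literal G immediately after the cn= prefix.
STRICT_PATTERN = r"^[Cc][Nn]=G"


def matching_groups(groups, pattern):
    """Return the group names whose start matches the pattern.

    re.match anchors at the start of the string; the ^ in the pattern is kept
    so the expression reads the same as in the rule condition.
    """
    rx = re.compile(pattern)
    return [g for g in groups if rx.match(g)]


def rule_applies(groups, pattern):
    """A rule conditioned on an external group applies when at least one
    of the user's groups matches the expression."""
    return bool(matching_groups(groups, pattern))


if __name__ == "__main__":
    for label, pat in (("as written", PAGE_PATTERN), ("strict", STRICT_PATTERN)):
        print(label, pat, "->", matching_groups(SAMPLE_GROUPS, pat))
```

Running the block shows that the expression as written matches three of the four sample groups (everything beginning with cn=), whereas the strict form matches only the two whose name starts with cn=G; the fourth DN is matched by neither because the cn=G fragment is not at the start.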

14.4.3 Creating a Rule for the LDAP Group

After creating a user group, you need to set up rules to use the created External User Group in Commands. For detailed information on adding a rule, see Adding a Rule.

14.4.4 Modifying a Rule for the LDAP Group

  1. On the home page of the console, click Command Control.

  2. In the Command Control pane, click Rules.

  3. Select the rule that you want to modify.

  4. In the details pane, click Modify.

  5. Make the following changes:

    Name: Change the name of the rule.

    Description: Specify a description of the rule.

    User Message: Specify the user message as $<ExtGroups>$.

    Session Capture: Select either On or Off.

    Authorize: Select either Yes or No, depending on whether you want the command protected by the rule to be authorized or not authorized if the rule conditions are met.

    Run User: Select Submit User from the drop-down list.

    Credentials: From the drop-down list, select the required resource. The Run User is automatically populated with the domain user provided in the resource.

    Run Host: Define a run host by selecting the name of the host on which you want to run this command (this overrides any hostname defined through a set command).

    Risk Level: Set a Risk Level of 0 to 99.

    Audit Group: Define an Audit Group. This setting is for use in Compliance Auditor reports.

  6. Click Finish. The settings you have defined for the rule are displayed in the console.

A typical result of the LDAP group lookup rule, when a rule is created for a user to run the id command as the root user, is shown below:

  user1@pum-sles10sp3:/root> usrun id
  uid=1001(user1) gid=100(users) groups=0(root), 16(dialout), 33(video), 100(users)
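The id output is the quickest way to confirm what a rule actually granted: the uid the command ran under and which groups, including gid 0, the session picked up. The following added Python example, not part of this documentation or the product, parses that output line (embedded here as shown above) and reports the uid and any gid-0 membership; the function names and the list of privileged gids are assumptions. It accepts the comma-and-space separators shown above as well as the bare commas the standard id command prints.

```python
import re

# The output line from the example session above, embedded so the check runs offline.
SAMPLE_ID_OUTPUT = (
    "uid=1001(user1) gid=100(users) "
    "groups=0(root), 16(dialout), 33(video), 100(users)"
)

# One "N(name)" entry; used for the groups list, where separators vary.
_ENTRY = re.compile(r"(\d+)\(([^)]*)\)")
_LINE = re.compile(
    r"uid=(\d+)\(([^)]*)\)\s+gid=(\d+)\(([^)]*)\)\s+groups=(.*)$"
)


def parse_id_output(line):
    """Parse 'uid=N(name) gid=N(name) groups=N(name),...' into a dict."""
    m = _LINE.match(line.strip())
    if not m:
        raise ValueError("unrecognised id output: %r" % line)
    groups = [(int(gid), name) for gid, name in _ENTRY.findall(m.group(5))]
    return {
        "uid": int(m.group(1)),
        "user": m.group(2),
        "gid": int(m.group(3)),
        "group": m.group(4),
        "groups": groups,
    }


def privileged_groups(parsed, privileged_gids=(0,)):
    """Names of supplementary groups whose gid is in privileged_gids (gid 0 by default)."""
    return [name for gid, name in parsed["groups"] if gid in privileged_gids]


def review(line):
    """Summarise the effective identity: did the command run as uid 0, and
    which privileged groups did the session carry?"""
    parsed = parse_id_output(line)
    return {
        "user": parsed["user"],
        "uid": parsed["uid"],
        "ran_as_root_uid": parsed["uid"] == 0,
        "privileged_groups": privileged_groups(parsed),
    }


if __name__ == "__main__":
    print(review(SAMPLE_ID_OUTPUT))
```

For the line above the summary reports user1 running under uid 1001 (not uid 0) with root among its supplementary groups, which is exactly the combination an administrator should compare against what the rule was meant to grant.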