Creating LDAP server integration
To create an integration with an LDAP server:
- In the Administration → Integrations → LDAP section, click the Connect server button.
The LDAP server settings window opens.
- Select certificate validation mode for connection to the LDAP server. By default, Certificate chain mode is specified and the certificates saved by Kaspersky Container Security during the first connection to the LDAP server are verified. You can also select Root certificate mode and enter your root certificate details in the corresponding text field.
Do not change the default certificate validation mode unless you are using a root certificate to connect to the LDAP server.
- Specify the following required settings:
- Web address (URL) of your company's LDAP server.
The web address of the LDAP server is specified as follows: ldap://<host>:<port>. For example: ldap://ldap.example.com:389.
- The name and password of the technical user account.
Bind DN is the distinguished name of the technical user account that is necessary for initial authentication and searching for a user in Active Directory.
You can specify the name of the technical user account in full or in the <login@domain> format if your LDAP server supports this name format for authentication.
In the Bind DN password field, you must enter the password corresponding to the specified account name.
Before updating the solution, make sure that the Bind DN and Bind DN password fields are filled in. If these settings are not specified, LDAP server integration will not work.
- Base DN is the name that uniquely identifies and describes a record of the LDAP directory server.
For example, the base distinguished name for example.com is dc=example,dc=com.
- If necessary, Kaspersky Container Security can use available data to fill in the remaining fields of the integration creation form. To do this, depending on why you are creating the integration, do one of the following:
- If you want to create an integration with the server using the LDAP protocol, click the Autofill as LDAP button.
- If you want to configure the integration directly for the group in the Active Directory service that is associated with your role in Kaspersky Container Security, click the Autofill as Active Directory button.
Kaspersky Container Security specifies attributes of parameter values, not the values themselves. For example, the solution specifies an attribute of the user name that can be used to find the user, not the user name directly.
The solution populates the integration creation form with the following attributes of parameter values:
- User filter for defining the user search settings in Active Directory.
- Group filter for defining the group search settings in Active Directory.
Kaspersky Container Security uses the most general filter values to ensure operation for virtually all possible configurations. When configuring User filter and Group filter, we recommend that you store only those attribute values that are used in Active Directory.
- Under Base schema, the solution specifies the following settings:
- Organizational unit name attribute
- Distinguished name attribute
- Under User lookup schema, the solution specifies the following settings:
- User first name attribute.
- User lastname attribute.
- Group name attribute.
- User username.
- Group member.
- User email attribute.
- User member of.
If necessary, you can edit the values specified by the solution in the integration creation form.
- To check if the values are specified correctly, click Test connection.
Kaspersky Container Security will display a notification informing you of the successful connection to the LDAP server or a failure to establish the connection.
- Click Save.
If the LDAP server certificate changes, reconfigure the integration.
You can use the configured integration when creating and assigning user roles.
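The following pre-flight check for the three required settings in the procedure above (web address, Bind DN, Base DN) is an added example, not part of Kaspersky Container Security or its documentation. The function names are hypothetical, the DN syntax check is simplified (no escaped commas), and the comparison of a login@domain name against the Base DN is a heuristic assumption that some directories will legitimately not satisfy.

```python
import re
from urllib.parse import urlsplit

# One RDN such as "dc=example"; simplified, escaped commas are not handled.
_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,=]+$")
# The <login@domain> form of the technical user account name.
_UPN = re.compile(r"^[^@\s,=]+@([A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+)$")

def is_dn(value):
    """True if value looks like a comma-separated list of attr=value RDNs."""
    parts = [p.strip() for p in value.split(",")]
    return bool(value.strip()) and all(_RDN.match(p) for p in parts)

def domain_to_base_dn(domain):
    """example.com -> dc=example,dc=com, as in the Base DN example above."""
    return ",".join("dc=" + label for label in domain.lower().split("."))

def check_settings(url, bind_dn, base_dn):
    """Return a list of problems; an empty list means the fields look sane."""
    problems = []
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError:
        parts, port = None, None
    # Only the ldap://<host>:<port> form shown in the procedure is accepted here.
    if parts is None or parts.scheme != "ldap" or not parts.hostname or port is None:
        problems.append("URL must have the form ldap://<host>:<port>")
    if not is_dn(base_dn):
        problems.append("Base DN is not a distinguished name")
    upn = _UPN.match(bind_dn)
    if upn:
        expected = domain_to_base_dn(upn.group(1))
        normalized = base_dn.lower().replace(" ", "")
        if is_dn(base_dn) and not normalized.endswith(expected):
            problems.append("heuristic: Base DN is not under " + expected)
    elif not is_dn(bind_dn):
        problems.append("Bind DN must be a full DN or login@domain")
    return problems

if __name__ == "__main__":
    # Constructed sample values; svc-kcs is a made-up account name.
    print(check_settings("ldap://ldap.example.com:389",
                         "svc-kcs@example.com", "dc=example,dc=com"))
```

An empty list does not prove the account can bind; the Test connection button in the form remains the actual check.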