Kaspersky Container Security

Configuring LDAP server integration

Kaspersky Container Security lets you connect to servers of external directory services that are used in your organization. This is an integration with a specific group in Active Directory.

Connection to an external directory service over the LDAP protocol enables you to perform the following tasks:

  • Configure user accounts to take into account data from an external directory service for working with Kaspersky Container Security.
  • Correlate user roles in Kaspersky Container Security to groups of users from Active Directory. Users in these groups will be able to use their domain account credentials to log in to the solution web interface and access application functionality based on their assigned role.

    We recommend that you create these user groups in Active Directory in advance to allow them to complete authorization using their domain accounts in the Kaspersky Container Security web interface.
    An email address must be indicated for user accounts in Active Directory.
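
Because an email address is required for each Active Directory account, it helps to audit the groups you plan to map to roles before connecting. The following is an added example, not part of the Kaspersky documentation: it reads an LDIF export and lists members of the mapped groups that have no `mail` value. The group names and sample entries are constructed; `sAMAccountName`, `mail` and `memberOf` are the standard Active Directory attribute names.

```python
import base64

# Constructed sample LDIF export (not real directory data); group names are hypothetical.
SAMPLE_LDIF = """\
dn: CN=Alice Admin,OU=Users,DC=example,DC=com
sAMAccountName: aadmin
mail: aadmin@example.com
memberOf: CN=KCS-Admins,OU=Groups,DC=example,DC=com

dn: CN=Bob Auditor,OU=Users,DC=example,DC=com
sAMAccountName: bauditor
memberOf: CN=KCS-Auditors,OU=Groups,
 DC=example,DC=com

dn: CN=Carol Dev,OU=Users,DC=example,DC=com
sAMAccountName: cdev
mail:: Y2RldkBleGFtcGxlLmNvbQ==
memberOf: CN=Developers,OU=Groups,DC=example,DC=com
"""


def parse_ldif(text):
    """Parse LDIF into a list of {attribute_lowercase: [values]} dicts."""
    entries, current = [], {}
    unfolded = text.replace("\n ", "")  # undo LDIF line folding (newline + one space)
    for line in unfolded.splitlines() + [""]:
        if not line.strip():  # a blank line ends the current entry
            if current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):  # LDIF comment
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64>" carries an encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(attr.lower(), []).append(value.strip())
    return entries


def members_without_mail(entries, mapped_groups):
    """Return login names of users in role-mapped groups that have no mail value."""
    mapped = {g.lower() for g in mapped_groups}
    missing = []
    for e in entries:
        groups = {g.lower() for g in e.get("memberof", [])}
        if groups & mapped and not any(e.get("mail", [])):
            missing.append(e["samaccountname"][0])
    return missing
```
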

In this Help section

Creating LDAP server integration

Viewing, configuring, or deleting an LDAP server integration

Testing connection with LDAP server

Gaining access to Active Directory group


Creating LDAP server integration

To create an integration with an LDAP server:

  1. In the Administration → Integrations → LDAP section, click the Connect server button.

    The LDAP server settings window opens.

  2. Select certificate validation mode for connection to the LDAP server. By default, Certificate chain mode is specified and the certificates saved by Kaspersky Container Security during the first connection to the LDAP server are verified. You can also select Root certificate mode and enter your root certificate details in the corresponding text field.

    Do not change the default certificate validation mode unless you are using a root certificate to connect to the LDAP server.

  3. Specify the following required settings:
    • Web address (URL) of your company's LDAP server.

      The web address of the LDAP server is specified as follows: ldap://<host>:<port>. For example: ldap://ldap.example.com:389.

    • The name and password of the technical user account.

      Bind DN is the distinguished name of the technical user account that is necessary for initial authentication and searching for a user in Active Directory.

      You can specify the name of the technical user account in full or in the <login@domain> format if your LDAP server supports this name format for authentication.

      In the Bind DN password field, you must enter the password corresponding to the specified account name.

      Before updating the solution, make sure that the Bind DN and Bind DN password fields are filled in. If these settings are not specified, LDAP server integration will not work.

    • Base DN is the name that uniquely identifies and describes a record of the LDAP directory server.

      For example, the base distinguished name for example.com is dc=example,dc=com.

  4. If necessary, Kaspersky Container Security can use available data to fill in the remaining fields of the integration creation form. To this end, depending on why you are creating the integration, do one of the following:
    • If you want to create an integration with the server using the LDAP protocol, click the Autofill as LDAP button.
    • If you want to configure the integration directly for the group in the Active Directory service that is associated with your role in Kaspersky Container Security, click the Autofill as Active Directory button.

    Kaspersky Container Security specifies attributes of parameter values, not the values themselves. For example, the solution specifies an attribute of the user name that can be used to find the user, not the user name directly.

    The solution populates the integration creation form with the following attributes of parameter values:

    • User filter for defining the user search settings in Active Directory.
    • Group filter for defining the group search settings in Active Directory.

      Kaspersky Container Security uses the most general filter values to ensure operation for virtually all possible configurations. When configuring User filter and Group filter, we recommend that you store only those attribute values that are used in Active Directory.

    • Under Base schema, the solution specifies the following settings:
      • Organizational unit name attribute
      • Distinguished name attribute
    • Under User lookup schema, the solution specifies the following settings:
      • User first name attribute.
      • User lastname attribute.
      • Group name attribute.
      • User username.
      • Group member.
      • User email attribute.
      • User member of.

    If necessary, you can edit the values specified by the solution in the integration creation form.

  5. To check if the values are specified correctly, click Test connection.

    Kaspersky Container Security will display a notification informing you of the successful connection to the LDAP server or a failure to establish the connection.

  6. Click Save.

If the LDAP server certificate changes, reconfigure the integration.

You can use the configured integration when creating and assigning user roles.
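
The required settings from step 3 can be checked for well-formedness before they are typed into the form. This is an added example, not part of the Kaspersky documentation or the product's own validation: it accepts only the `ldap://<host>:<port>` form shown above, a Bind DN given either as a full DN or as `login@domain`, and a Base DN in distinguished-name syntax. The function names and the account name `svc-kcs` used in testing are hypothetical.

```python
import re
from urllib.parse import urlsplit

# One "attr=value" component of a DN; an escaped character (such as \,) may appear in the value.
_RDN = r"[A-Za-z][A-Za-z0-9-]*=(?:[^,\\]|\\.)+"
_DN = re.compile(rf"^{_RDN}(?:,{_RDN})*$")
_LOGIN_AT_DOMAIN = re.compile(r"^[^@\s,=]+@[A-Za-z0-9.-]+$")


def base_dn_from_domain(domain):
    """Turn a DNS domain into a base DN: example.com -> dc=example,dc=com."""
    return ",".join(f"dc={label}" for label in domain.strip(".").split("."))


def check_settings(url, bind_name, bind_password, base_dn):
    """Return a list of problems; an empty list means the input is well-formed."""
    problems = []
    parts = urlsplit(url)
    try:
        port = parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        port = None
    # Assumption: only the ldap://<host>:<port> form documented on this page is accepted.
    if parts.scheme != "ldap" or not parts.hostname or port is None:
        problems.append("URL must look like ldap://<host>:<port>")
    if not (_DN.match(bind_name) or _LOGIN_AT_DOMAIN.match(bind_name)):
        problems.append("Bind DN must be a full DN or login@domain")
    if not bind_password:
        problems.append("Bind DN password is empty")
    if not _DN.match(base_dn):
        problems.append("Base DN is not a distinguished name")
    return problems
```

A clean result only means the values are syntactically valid; Test connection in step 5 still determines whether the technical account can actually bind and search.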


Viewing, configuring, or deleting an LDAP server integration

To view the LDAP server connection:

Go to the Administration → Integrations → LDAP section.

Kaspersky Container Security displays the following information about the connected LDAP server:

  • The web address of the connected LDAP server.
  • The status of the last server connection—Success, Not available, or Error. If Error is displayed, the solution also displays a brief description of the connection error.

To edit LDAP server integration settings:

In the Administration → Integrations → LDAP section, click the Edit settings button.

Kaspersky Container Security opens the page containing the form for LDAP server integration data.

To delete an integration with an LDAP server:

  1. In the Administration → Integrations → LDAP section, click Delete integration.
  2. In the window that opens, confirm the deletion.

Testing connection with LDAP server

To test connection with the LDAP server:

  1. Go to the Administration → Integrations → LDAP section.
  2. Do one of the following:

Kaspersky Container Security will display a notification informing you of the connection to the LDAP server or a failure to establish the connection.


Gaining access to Active Directory group

After the integration with the LDAP server is configured, you can specify an Active Directory group for each Kaspersky Container Security role. After authorizing their account credentials, the users from this group gain access to solution functionality based on their defined roles.
