Targeting LDAP directories
For each LDAP sub-tree, add a target system (Manage the system > Resources > Target systems):
Type is LDAP Directory Service, listed under "Network Operating Systems" in the drop-down list.
Address uses syntax described in Table 1, “LDAP target address configuration”.
The Administrator ID and Password identify the administrative account that you created earlier in Configuring a target system administrator.
Be sure to enter a fully qualified name for the administrator ID.
The full list of target parameters is explained in Target system options.
Option | Description
---|---
Server | The FQDN, host name, or IP address of the LDAP server. (key: server)
Base DN | The top-level context. (key: basedn)
Port | The port to connect to (default: 389). Use the standard port 636 when SSL is enabled. (key: port)
Script file | The file name of a script that sets additional attributes. See LDAP Attribute Scripts to learn how to write this script file. (key: script)
Connection over SSL | Enables an SSL connection when connecting to the target system server. Default is "false". Without it, a SIMPLE bind sends the administrator password across the network in clear text. (key: ssl)
Circumvent certificate validation | Allows an SSL connection to the target system server without validating the server's SSL certificate first. Without validation the connector cannot distinguish the real directory server from an impostor, so the administrator credentials can be intercepted; use it only for testing. (key: sslNoCertValidation)
Authentication Type | The type of authentication mechanism used by the LDAP server: SIMPLE or NEGOTIATION. (key: authMethod)
OUs to list users from | List only those users who exist in one or more containers. See Targeting a specific container or containers for details. (key: accountOUList)
OUs to list groups from | List only those groups that exist in one or more containers. See Targeting a specific container or containers for details. (key: groupOUList)
OUs to exclude from listing | Exclude certain OUs to further restrict listing. See Targeting a specific container or containers for details. (key: excludeOUList)
Persistent list search wait time (in seconds) | The interval in seconds that the connector waits between searches for changes in the native target. The default value is 7,200 seconds (2 hours). If the value is too small for a large native target, the connector may not be able to retrieve all changes, and the frequent searches also impose extra load on related services, degrading system performance. (key: persistentSearchWait)
The LDAP target system address syntax is as follows:
{server=(<FQDN or host name> | <IP address>); basedn=<OU>; [port=<port number>;] [script=<script file name>;] [ssl=<true|false>;] [sslNoCertValidation=<true|false>;] [authMethod=<SIMPLE|NEGOTIATION>;] [accountOUList=<OU>;<OU>;... | include:<file name>;] [groupOUList=<OU>;<OU>;... | include:<file name>;] [excludeOUList=<OU>;<OU>;... | include:<file name>;] [persistentSearchWait=<seconds>;] }
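The following is an added example, not code from Bravura Security Fabric: it builds a target address string from a settings dictionary using the syntax above, parses such a string back, and flags the settings a security reviewer would question (no SSL, certificate validation switched off, port and SSL mismatch, a very short persistent search interval). How the product itself tokenizes the address is not documented on this page; the parser's handling of the semicolon-separated OU lists (a token that does not start with a known key is a continuation of the preceding list) and the 60-second threshold for the wait-time warning are this example's own assumptions. Host names and OUs are constructed sample data.

```python
"""Build, parse and audit a Bravura Security Fabric LDAP target address.

Added example (not the product's own code). Grammar follows the page:
{server=...; basedn=...; [port=...;] [ssl=true|false;] ...}
"""

KNOWN_KEYS = ("server", "basedn", "port", "script", "ssl", "sslNoCertValidation",
              "authMethod", "accountOUList", "groupOUList", "excludeOUList",
              "persistentSearchWait")
LIST_KEYS = ("accountOUList", "groupOUList", "excludeOUList")
BOOL_KEYS = ("ssl", "sslNoCertValidation")
INT_KEYS = ("port", "persistentSearchWait")


def build_ldap_address(cfg: dict) -> str:
    """Serialize a settings dict in the documented order of keys."""
    parts = []
    for key in KNOWN_KEYS:
        if key not in cfg:
            continue
        val = cfg[key]
        if key in BOOL_KEYS:
            val = "true" if val else "false"
        elif key in LIST_KEYS and not isinstance(val, str):
            val = ";".join(val)          # OU;OU;... form; a str is include:<file>
        parts.append(f"{key}={val};")
    return "{" + " ".join(parts) + "}"


def parse_ldap_address(addr: str) -> dict:
    """Parse the address back into a dict.

    ASSUMPTION: tokens are split on ';'. A token starting with a known key
    and '=' opens a new setting; any other token (e.g. 'OU=hr,DC=example,DC=com')
    continues the most recent list-valued key.
    """
    body = addr.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError("address must be wrapped in { }")
    cfg, current_list = {}, None
    for tok in body[1:-1].split(";"):
        tok = tok.strip()
        if not tok:
            continue
        key, sep, val = tok.partition("=")
        if sep and key in KNOWN_KEYS:
            current_list = None
            if key in LIST_KEYS:
                if val.startswith("include:"):
                    cfg[key] = val       # file reference, not an inline list
                else:
                    cfg[key] = [val]
                    current_list = key
            elif key in BOOL_KEYS:
                cfg[key] = val.lower() == "true"
            elif key in INT_KEYS:
                cfg[key] = int(val)
            else:
                cfg[key] = val
        elif current_list is not None:
            cfg[current_list].append(tok)
        else:
            raise ValueError(f"unexpected token {tok!r}")
    return cfg


def audit_ldap_address(cfg: dict) -> list:
    """Return the warnings a reviewer would raise about the connection settings."""
    warnings = []
    ssl = cfg.get("ssl", False)
    port = cfg.get("port", 389)
    if not ssl:
        warnings.append("ssl=false: the connection is unencrypted; with "
                        "authMethod=SIMPLE the administrator password crosses "
                        "the network in clear text")
    if cfg.get("sslNoCertValidation", False):
        warnings.append("sslNoCertValidation=true: the server certificate is not "
                        "checked, so the connection can be intercepted")
    if ssl and port == 389:
        warnings.append("ssl=true on port 389: the page says to use 636 for SSL")
    if not ssl and port == 636:
        warnings.append("port 636 without ssl=true: plain LDAP to the SSL port")
    wait = cfg.get("persistentSearchWait", 7200)
    if wait < 60:                        # threshold is this example's assumption
        warnings.append(f"persistentSearchWait={wait}: a very short interval "
                        "loads the directory and related services")
    return warnings


# Constructed sample settings: the weak form beside the hardened form.
WEAK = {"server": "ldap.example.com", "basedn": "DC=example,DC=com",
        "ssl": False, "authMethod": "SIMPLE",
        "accountOUList": ["OU=people,OU=hr,DC=example,DC=com",
                          "OU=people,OU=it,DC=example,DC=com"]}
HARDENED = {"server": "ldap.example.com", "basedn": "DC=example,DC=com",
            "port": 636, "ssl": True, "sslNoCertValidation": False,
            "authMethod": "SIMPLE",
            "accountOUList": "include:listous.kvg"}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        addr = build_ldap_address(cfg)
        print(name, addr)
        assert parse_ldap_address(addr) == cfg
        for w in audit_ldap_address(cfg):
            print("  WARNING:", w)
```

The round trip (parse of build) is what the script asserts on; the audit is meant to be run on an address string copied out of the Target system address configuration page before it is saved.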
Targeting a specific container or containers
You can restrict Bravura Security Fabric to list only those user and group objects that exist in one or more named containers; for example, if your LDAP Directory Service server is divided into organizational units. To do this, on the Target system address configuration page, specify:
OUs to list users from
OUs to list groups from
These fields accept multiple values. To enter more than one, select List from the drop-down list box in front of the field and use the More button to add further input boxes. The value in each input box is treated as a single entry, for example:
CN=myusers,DC=example,DC=com
*,OU=Groups,DC=example,DC=com
OU=people,OU=hr,DC=example,DC=com
You can also exclude OUs to further restrict the listing of users and groups. This option removes all users and groups that match the listed OUs. To do this, specify:
OUs to exclude from listing
When the exclude OUs option and any of the list OUs options are used together, the listing process will list OUs first and then remove objects that match the exclude criteria.
If there are many OUs to list, you can put them all in a file. To use a file, select the File option from the drop-down list and specify the file name in the field.
These files must be located in the <Program Files path>\Bravura Security\Bravura Security Fabric\<instance>\script\ directory and each contain a list of OUs to list or exclude. The user list, group list, and exclude list cannot be combined into one file; each needs its own file.
For listing users from OUs:
# KVGROUP-V2.0
listOUs = {
    "OU=people,OU=it,DC=example,DC=com";
    "OU=people,OU=hr,DC=example,DC=com";
}
For listing groups from OUs:
# KVGROUP-V2.0
listGroupOUs = {
    "OU=Groups,OU=it,DC=example,DC=com";
    "OU=Groups,OU=hr,DC=example,DC=com";
}
For excluding OUs:
# KVGROUP-V2.0
excludeOUs = {
    "OU=disabled,OU=it,DC=example,DC=com";
    "OU=disabled,OU=hr,DC=example,DC=com";
}
The connector will not list any OU if an OU file is empty.
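The following is an added example, not code from Bravura Security Fabric: it reads a KVGROUP-V2.0 OU list file of the form shown above, then applies the list-then-exclude order described in this section to a set of object DNs. The page does not state exactly how a container entry is matched; this example assumes that a plain entry such as OU=people,OU=hr,DC=example,DC=com matches objects whose immediate parent is that container and that the wildcard form *,OU=Groups,DC=example,DC=com matches objects at any depth below it. An empty file yields an empty list, and an empty list lists nothing, as the page says. DNs with escaped commas are not handled. All DNs and file contents are constructed sample data.

```python
"""List-then-exclude OU filtering with KVGROUP-V2.0 OU files.

Added example (not the product's own code). Matching rules are assumptions:
  'OU=x,DC=...'   -> objects directly inside that container
  '*,OU=x,DC=...' -> objects anywhere under that container
"""
import re


def normalize_dn(dn: str) -> str:
    """Lower-case and strip spaces around RDNs so DNs compare as LDAP does."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parent_dn(dn: str) -> str:
    """Drop the leading RDN: the container an object lives in."""
    return ",".join(p.strip() for p in dn.split(",")[1:])


def matches_container(dn: str, pattern: str) -> bool:
    """Does this object fall under the OU entry? (assumed reading, see above)"""
    ndn, npat = normalize_dn(dn), normalize_dn(pattern)
    if npat.startswith("*,"):
        return ndn.endswith("," + npat[2:])        # any depth below the container
    return normalize_dn(parent_dn(dn)) == npat     # direct child of the container


def parse_kvgroup_ous(text: str) -> list:
    """Return the quoted entries of a 'name = { "..."; "..."; }' OU file.

    An empty file, or one with no entries, returns [] so that the connector
    lists no OU at all.
    """
    body = "\n".join(l for l in text.splitlines() if not l.strip().startswith("#"))
    m = re.search(r"\w+\s*=\s*\{(.*)\}", body, re.S)
    return re.findall(r'"([^"]*)"', m.group(1)) if m else []


def list_objects(dns, list_ous, exclude_ous=()) -> list:
    """Apply the documented order: list from the OUs first, then remove excludes.

    list_ous=None means the option is unset (everything under the base DN);
    list_ous=[] is an empty OU file and lists nothing.
    """
    if list_ous is None:
        listed = list(dns)
    else:
        listed = [d for d in dns if any(matches_container(d, p) for p in list_ous)]
    return [d for d in listed if not any(matches_container(d, p) for p in exclude_ous)]


# Constructed sample directory contents.
USERS = [
    "CN=alice,OU=people,OU=hr,DC=example,DC=com",
    "CN=bob,OU=people,OU=it,DC=example,DC=com",
    "CN=carol,OU=disabled,OU=hr,DC=example,DC=com",
    "CN=dave,OU=contractors,OU=people,OU=hr,DC=example,DC=com",
    "CN=erin,OU=sales,DC=example,DC=com",
]

# Constructed OU files in the page's KVGROUP-V2.0 layout.
LIST_FILE = '''# KVGROUP-V2.0
listOUs = {
    "*,OU=hr,DC=example,DC=com";
    "OU=people,OU=it,DC=example,DC=com";
}
'''
EXCLUDE_FILE = '''# KVGROUP-V2.0
excludeOUs = {
    "OU=disabled,OU=hr,DC=example,DC=com";
}
'''
EMPTY_FILE = "# KVGROUP-V2.0\n"


def demo() -> list:
    """Everyone under hr (any depth) plus people in it, minus hr's disabled OU."""
    return list_objects(USERS, parse_kvgroup_ous(LIST_FILE), parse_kvgroup_ous(EXCLUDE_FILE))


if __name__ == "__main__":
    for dn in demo():
        print(dn)
    print("empty list file lists:", list_objects(USERS, parse_kvgroup_ous(EMPTY_FILE)))
```

Note that dave is kept: the exclude entry names OU=disabled,OU=hr directly, and his container is a different sub-OU of hr. To exclude a whole subtree, use the *, prefix in the exclude entry as well.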