Overview
The LDAP / Active Directory (AD) Plugin adds the ability to manage groups and users.
Functionality
The LDAP / Active Directory Plugin provides the functionality to:
- add users as members to existing groups
- remove members from existing groups
- retrieve members of existing groups
- load attributes for an existing user
- retrieve group memberships for an existing user
- update attributes for an existing user
- create a logonHours attribute value using the NL-LDAP-Logon-Hours node
To allow for the necessary functionality, the LDAP bind user must have permissions to perform changes on groups or users and be able to query for user information.
Instance Configuration Parameters
Name for the LDAP / Active Directory instance.
A system-wide unique identifier for this plugin instance used to locate the service.
Drop down list of available transport encryption methods used when connecting to the LDAP / Active Directory server.
The following options are available:
- None – Typically, the connection port is 389.
- LDAP over SSL/TLS – Port 636 is typically used for SSL/TLS connections.
- StartTLS – Typically, the connection port is 389.
When the Encryption Method is StartTLS, ensure the certificate is verified. Certificate verification is done against the Mozilla default set.
Domain Controller (LDAP) IP address or hostname.
Typically, port 389 is used for the ‘None’ and ‘StartTLS’ encryption methods. Port 636 is typically used for SSL/TLS connections.
Bind DN, sAMAccountName, or user principal name used to authenticate with the LDAP server. For example, DOMAIN\user or user@domain.com.
Password used to authenticate the Authentication Username.
Confirm the authentication password for the username.
Flow Node
This node provides LDAP / Active Directory capabilities for managing groups. Specifically, this node allows users to be added to or removed from a group as a member.
The display name of the node within the flows.
System-wide unique ID of the plugin instance.
Defines the field(s) to use when searching for the group specified by Group Name. The available search fields are as follows.
- Common Name
- Group name (pre-Windows 2000) / sAMAccountName
- Either Attribute: Any of the previously defined attributes.
The Group Name value is used to search the common name of groups within the LDAP server.
The following contexts are supported:
- msg: This selects part of the incoming message as the source of the data. This is the typical choice.
- flow: This selects part of the flow context’s saved data as the source. This information is shared with only the nodes on a given tab.
- global: This selects part of the global context’s saved data as the source. This information is shared by all nodes regardless of tab.
- J: expression: JSONata expression language to perform query and transform operations on the payload.
Configuration option specifying the type of operation to perform:
- Add User to Group: Adds a user to the group
- Remove User from Group: Removes a user from the group
- Get Group Members: Retrieves the current group members
The User Principal Name, sAMAccountName, Distinguished Name, or Security Identifier (objectSid) of the user to be added to or removed from the group.
All directory searches are done within the designated Search DN.
This node provides Active Directory (LDAP) capabilities for retrieving information about a user or managing attributes associated with a user.
The display name of the node within the flows.
System-wide unique ID of the plugin instance.
The User Principal Name, sAMAccountName, Distinguished Name, or Security Identifier (objectSid) of the user to be acted upon.
Configuration option specifying the type of operation to perform:
- Load User: Retrieves the selected attributes associated with the User
- Retrieve Group Membership: Retrieves the list of groups the User is a member of
- Modify User Attributes: Adds, modifies, or deletes attributes associated with the User
All directory searches are done within the designated Search DN.
Attributes to be retrieved for the designated User.
Attribute updates to be performed on the designated User. The Attribute has a few sample drop down values which automatically detect the Data Type. The Value context may be updated to select a value from the incoming message or other contexts.
The Buffer Data Type must be supplied as a Buffer object. However, when working with the logonHours attribute, the value may be supplied by the NL-LDAP-Logon-Hours node.
The NL-LDAP-Logon-Hours node creates a logonHours attribute for use within an NL-LDAP-User node.
The display name of the node within the flows.
Configuration option specifying the type of operation to perform:
- No Hours: Creates a logonHours object without any allowed logon hours
- Unrestricted: Creates a logonHours object with all hours allowed
- Set Hours: Allows fine-grained selection of the allowed login hours
The Output Field is the location within msg.payload where the logonHours object is stored.
Allows fine-grained selection of the allowed login hours.
If Hours in Default Timezone is checked, the Default Timezone specified on the Security Flow Application Settings screen is used for the hours of the day. If Hours in Default Timezone is not checked, UTC time is used for the hours of the day.
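The following is an added example, not code from the plugin, showing how a logonHours value of the kind the NL-LDAP-Logon-Hours node produces can be built and checked. It relies on the Active Directory storage format for logonHours (a 21-byte bitmask, one bit per hour of the week starting Sunday 00:00 UTC) and converts hours given in a chosen timezone to UTC, which is the distinction the Hours in Default Timezone option controls; the window format and function names are assumptions for this example.

```javascript
// Added example (not the plugin's own code). Active Directory stores logonHours
// as 21 bytes = 168 bits, one per hour of the week, starting Sunday 00:00 UTC;
// hour h of the week lives in byte floor(h / 8), bit (h % 8).
const HOURS_PER_WEEK = 168;

// mode: 'none' | 'unrestricted' | 'set' (mirrors the node's three options).
// allowed: [{ day: 0..6 (Sunday = 0), from: 0..23, to: 1..24 }] in the chosen
// timezone; offsetMinutes is that zone's UTC offset in whole hours (e.g. -360
// for UTC-6). Use 0 when the hours are already UTC.
function buildLogonHours(mode, allowed = [], offsetMinutes = 0) {
  const buf = Buffer.alloc(21, 0x00);              // 'none': every bit clear
  if (mode === 'none') return buf;
  if (mode === 'unrestricted') return buf.fill(0xff);
  if (mode !== 'set') throw new Error(`unknown mode: ${mode}`);
  if (offsetMinutes % 60 !== 0) {
    throw new Error('offset must be a whole number of hours for an hourly mask');
  }
  const offsetHours = offsetMinutes / 60;
  for (const { day, from, to } of allowed) {
    if (day < 0 || day > 6 || from < 0 || to > 24 || from >= to) {
      throw new Error(`invalid window ${JSON.stringify({ day, from, to })}`);
    }
    for (let h = from; h < to; h++) {
      // local hour-of-week -> UTC hour-of-week, wrapping across the week boundary
      const local = day * 24 + h;
      const utc = ((local - offsetHours) % HOURS_PER_WEEK + HOURS_PER_WEEK) % HOURS_PER_WEEK;
      buf[Math.floor(utc / 8)] |= 1 << (utc % 8);
    }
  }
  return buf;
}

// Reports whether a logonHours mask permits logon at the given instant (UTC).
function isLogonAllowedAt(buf, date) {
  const utcHour = date.getUTCDay() * 24 + date.getUTCHours();
  return (buf[Math.floor(utcHour / 8)] & (1 << (utcHour % 8))) !== 0;
}

// Constructed sample: weekday 09:00-17:00 in UTC-6, i.e. 15:00-23:00 UTC.
const businessHours = [1, 2, 3, 4, 5].map((day) => ({ day, from: 9, to: 17 }));
const mask = buildLogonHours('set', businessHours, -360);
console.log(mask.toString('hex'));

module.exports = { buildLogonHours, isLogonAllowedAt };
```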
Learn More
JSON Message Format
The following samples show the JSON content added to the message payload, which conforms to the Node Messaging Format. The content exists within the ldap object. The following examples use ad1 for the Unique Id of the plugin:
Add User to Group Success
The following content is inserted into the message payload upon a successful request to the LDAP server.
"payload": {
  "ldap": {
    "ad1": {
      "action": "add-user",
      "response": {
        "user": "user@domain.com",
        "group": "Test",
        "owner": "added",
        "member": "added",
        "userDn": "[DN of user]",
        "groupDn": "[DN of group]",
        "searchDn": "[DN of search]",
        "wasMember": false
      }
    }
  }
}
Remove User from Group Success
The following content is inserted into the message payload upon a successful request to the LDAP server.
"payload": {
  "ldap": {
    "ad1": {
      "action": "remove-user",
      "response": {
        "user": "user@domain.com",
        "group": "Test",
        "owner": "removed",
        "member": "removed",
        "userDn": "[DN of user]",
        "groupDn": "[DN of group]",
        "searchDn": "[DN of search]",
        "wasMember": true
      }
    }
  }
}
Error
The following content is inserted into the message payload upon a failed request. In the following example, a non-existent group called Random was tested against.
"payload": {
  "ldap": {
    "ad1": {
      "action": "remove-user",
      "error": {
        "errorCode": 5,
        "errorMessage": "No matching group found for Random."
      }
    }
  }
}
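As an added example (not part of the plugin), the function below reduces the ldap object shown in the three samples above to a small audit record that a following flow node can act on: it separates the error branch from the response branch and flags whether the group membership actually changed. It assumes the instance Unique Id is ad1 and that wasMember reports the user's membership before the operation, as the samples suggest.

```javascript
// Added example, not the plugin's own code. Reads msg.payload.ldap.<instanceId>
// as written by an NL-LDAP-Group node and returns an audit-friendly summary.
function summarizeLdapResult(msg, instanceId = 'ad1') {
  const entry = msg && msg.payload && msg.payload.ldap && msg.payload.ldap[instanceId];
  if (!entry || typeof entry.action !== 'string') {
    return { ok: false, action: null, changed: false,
             reason: `no ldap.${instanceId} result in payload` };
  }
  if (entry.error) {
    // Failed request: the node writes error instead of response.
    return { ok: false, action: entry.action, changed: false,
             reason: `${entry.error.errorCode}: ${entry.error.errorMessage}` };
  }
  const r = entry.response || {};
  // Assumption: wasMember is the membership state before the request, so
  // add-user with wasMember:true and remove-user with wasMember:false changed nothing.
  const changed = (entry.action === 'add-user' && r.wasMember === false) ||
                  (entry.action === 'remove-user' && r.wasMember === true);
  return { ok: true, action: entry.action, changed, user: r.userDn || r.user,
           group: r.groupDn || r.group, reason: null };
}

// Constructed sample messages mirroring the documented payloads.
const addSuccess = { payload: { ldap: { ad1: { action: 'add-user', response: {
  user: 'user@domain.com', group: 'Test', owner: 'added', member: 'added',
  userDn: '[DN of user]', groupDn: '[DN of group]', searchDn: '[DN of search]',
  wasMember: false } } } } };
const removeFailed = { payload: { ldap: { ad1: { action: 'remove-user', error: {
  errorCode: 5, errorMessage: 'No matching group found for Random.' } } } } };

console.log(summarizeLdapResult(addSuccess), summarizeLdapResult(removeFailed));
module.exports = { summarizeLdapResult, addSuccess, removeFailed };
```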
©Nevelex Labs, LLC. 2018-2024, All Rights Reserved.