LDAP / Active Directory

Overview

The LDAP / Active Directory (AD) Plugin adds the ability to manage groups and users.

Functionality

The LDAP / Active Directory Plugin provides the functionality to:

add users as members to existing groups
remove members from existing groups
retrieve members of existing groups
load attributes for an existing user
retrieve group memberships for an existing user
update attributes for an existing user
create a logonHours attribute value using the NL-LDAP-Logon-Hours node

To allow for the necessary functionality, the LDAP bind user must have permissions to perform changes on groups or users and be able to query for user information.

Instance Configuration Parameters

Property

Description

Instance Name

Name for the LDAP / Active Directory instance.

Unique ID

A system-wide unique identifier for this plugin instance used to locate the service.

Encryption Method

Drop down list of available transport encryption methods used when connecting to the LDAP / Active Directory server.

The following options are available:

None – Typically, the connection port is 389.
LDAP over SSL/TLS – Port 636 is typically used for SSL/TLS connections.
StartTLS – Typically, the connection port is 389.

Verify Certificates for StartTLS

When the Encryption Method is StartTLS, ensure the certificate is verified. Certificate verification is done against the Mozilla default set.

Domain Controller (LDAP) Server

Domain Controller (LDAP) IP address or hostname.

Domain Controller (LDAP) Port

Typically, port 389 is used for the ‘None’ and ‘StartTLS’ encryption methods. Port 636 is typically used for SSL/TLS connections.

Authentication (Bind) Username

Bind DN, sAMAccountName, or user principal name used to authenticate with the LDAP server. For example, DOMAIN\user or user@domain.com.

Authentication (Bind) Password

Password used to authenticate the Authentication Username.

Confirm Authentication (Bind) Password

Confirm the authentication password for the username.

Flow Node

This node provides LDAP /Active Directory capabilities for managing groups. Specifically, this node allows users to be added or removed from a group as a member.

Property

Description

Name

The display name of the node within the flows.

Unique ID

System-wide unique ID of the plugin instance.

Group Search Attribute

Defines the field(s) to use when searching for the group specified by Group Name. The available search fields are as follows.

Common Name
Group name (pre-Windows 2000) / sAMAccountName
Either Attribute: Any of the previously defined attributes.

Group Name

The Group Name value is used to search the common name of groups within the LDAP server.
The following contexts are supported:

msg: This selects part of the incoming message as the source of the data. This is the typical choice.
flow: This selects part of the flow context’s saved data as the source. This information is shared with only the nodes on a given tab.
global: This selects part of the global context’s saved data as the source. This information is shared by all nodes regardless of tab.
J: expression: JSONata expression language to perform query and transform operations on the payload.

Action

Configuration option specifying the type of operation to perform:

Add User to Group: Adds a user to the group
Remove User from Group: Removes a user from the group
Get Group Members: Retrieves the current group members

User

The User Principal Name, sAMAccountName, Distinguished Name, or Security Identifier (objectSid) of the user to be added or removed from the group.

Search DN

All directory searches are done within the designated Search DN.

This node provides Active Directory (LDAP) capabilities for retrieving information about a user or managing attributes associated with a user.

Property

Description

Name

The display name of the node within the flows.

Unique ID

System-wide unique ID of the plugin instance.

User

The User Principal Name, sAMAccountName, Distinguished Name, or Security Identifier (objectSid) of the user to be acted upon.

Action

Configuration option specifying the type of operation to perform:

Load User: Retrieves the selected attributes associated with the User
Retrieve Group Membership: Retrieves the list of groups the User is a member of
Modify User Attributes: Adds, modifies, or deletes attributes associated with the User

Search DN

All directory searches are done within the designated Search DN.

Attributes

Attributes to be retrieved for the designated User.

Updates

Attribute updates to be performed on the designated User. The Attribute has a few sample drop down values which automatically detect the Data Type. The Value context may be updated to select a value from the incoming message or other contexts.

The Buffer Data Type must be supplied as a Buffer object. However, when working with the logonHours attribute, the value may be supplied by the NL-LDAP-Logon-Hours node.

This utility node is used to create a logonHours attribute for use within an NL-LDAP-User node.

Property

Description

Name

The display name of the node within the flows.

Action

Configuration option specifying the type of operation to perform:

No Hours: Creates a logonHours object without any allowed logon hours
Unrestricted: Creates a logonHours object with all hours allowed
Set Hours: Allows fine-grained selection of the allowed login hours

Output Field

The Output Field is the location within msg.payload where the logonHours object is stored.

Hours

Allows fine-grained selection of the allowed login hours.

The Microsoft AD server always treats the Default Timezone as being in Standard Time within its UI and, therefore, does not take into account Daylight Savings Time. See the Inside Active Directory book’s overview of the Logon Hours attribute for more information.

Hours in Default Timezone

If Hours in Default Timezone is checked, the Default Timezone specified on the Security Flow Application Settings screen is used for the hours of the day. If Hours in Default Timezone is not checked, UTC time is used for the hours of the day.

Learn More

JSON Message Format

The following samples show the JSON content added to the message payload, which conform to the Node Messaging Format. The content exists within the ldap object. The following examples use ad1 for the Unique Id of the plugin:

Add User to Group Success

The italicized, green text is inserted into the message payload upon a successful request to the LDAP server.

"payload": {
  "ldap": {
    "ad1": {
      "action": "add-user",
      "response": {
        "user": "user@domain.com",
        "group": "Test",
        "owner": "added",
        "member": "added",
        "userDn": "[DN of user]",
        "groupDn": "[DN of group]",
        "searchDn": "[DN of search]",
        "wasMember": false
      }
    }
  }
}

Remove User from Group Success

The italicized, green text is inserted into the message payload upon a successful request to the LDAP server.

"payload": {
  "ldap": {
    "ad1": {
      "action": "remove-user",
      "response": {
        "user": "user@domain.com",
        "group": "Test",
        "owner": "removed",
        "member": "removed",
        "userDn": "[DN of user]",
        "groupDn": "[DN of group]",
        "searchDn": "[DN of search]",
        "wasMember": true
      }
    }
  }
}

Error

The italicized, maroon text is inserted into the message payload upon a failed request. In the following example, a non-existent group called Random was tested against.

"payload": {
  "ldap": {
    "ad1": {
      "action": "remove-user",
      "error": {
        "errorCode": 5,
        "errorMessage": "No matching group found for Random."
      }
    }
  }
}

Nevelex Labs, Main Office

Metro Office Park
2950 Metro Drive, Suite 104
Bloomington, MN 55425
Phone: +1 952-500-8921

Contact Us

EULA