LDAP Authentication

This Integration is part of the LDAP Authentication Pack.

Overview

This integration enables using your OpenLDAP or Active Directory user authentication settings in Cortex XSOAR. Users can log in to Cortex XSOAR with their OpenLDAP or Active Directory username and password, and their permissions in Cortex XSOAR are set according to the groups and mapping configured in AD Roles Mapping.

  • To connect to the LDAP server over TLS, use this integration rather than the built-in server integration Active Directory Authentication.

Use Cases

Use OpenLDAP or Active Directory user authentication groups to set user roles in Cortex XSOAR.

Configure OpenLDAP on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for 'LDAP Authentication' ('OpenLDAP' or 'Active Directory Authentication' should work as well).
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • LDAP Server Vendor: OpenLDAP or Active Directory. Use the 'Auto' option to determine the vendor automatically.
    • Server IP or Host Name (e.g., 192.168.0.1)
    • Port: if not specified, the default port is 389, or 636 for LDAPS.
    • User DN (e.g., cn=admin,ou=users,dc=domain,dc=com)
    • Base DN (e.g., DC=domain,DC=com)
    • Auto populate groups
    • Groups Object Class
    • Groups Unique Identifier Attribute
    • Group Membership Identifier Attribute
    • User Object Class
    • User Unique Identifier Attribute
    • Page size
    • Connection Type (None, SSL or Start TLS)
    • SSL Version (None, TLS, TLSv1, TLSv1_1, TLSv1_2, TLS_CLIENT): the SSL/TLS version to use for the SSL or Start TLS connection types. It is recommended to select the TLS_CLIENT option, which auto-negotiates the highest protocol version that both the client and server support and configures the context for client-side connections. For more information, see ssl.PROTOCOLS.
    • Trust any certificate (not secure)
    • Use system proxy settings
  4. Click Test to validate the URLs, token, and connection.
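As an added example (not the integration's own code), the following Python builds the client-side TLS context that the Connection Type, SSL Version and Trust any certificate settings above correspond to, using only the standard library ssl module, and applies the default-port rule stated for the Port setting. The mapping of each SSL Version choice to a negotiable version range and the function names are assumptions made for this example.

```python
import ssl
from typing import Dict, Optional, Tuple

# Assumed mapping of the "SSL Version" choices to the TLS version range a
# client context may negotiate. "TLS_CLIENT" (and the legacy "TLS" value)
# leave negotiation open to the highest version both sides support.
_VERSION_BOUNDS: Dict[str, Tuple[ssl.TLSVersion, ssl.TLSVersion]] = {
    "TLS_CLIENT": (ssl.TLSVersion.MINIMUM_SUPPORTED, ssl.TLSVersion.MAXIMUM_SUPPORTED),
    "TLS": (ssl.TLSVersion.MINIMUM_SUPPORTED, ssl.TLSVersion.MAXIMUM_SUPPORTED),
    "TLSv1": (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1),
    "TLSv1_1": (ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_1),
    "TLSv1_2": (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_2),
}


def default_port(connection_type: str) -> int:
    """Default port as documented: 636 for an LDAPS ("SSL") connection,
    otherwise 389. Start TLS begins in plaintext on 389 and upgrades in-band."""
    return 636 if connection_type == "SSL" else 389


def build_tls_context(ssl_version: str, trust_any_certificate: bool,
                      ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Build the client-side context used for SSL or Start TLS connections."""
    if ssl_version not in _VERSION_BOUNDS:
        raise ValueError(f"unknown SSL Version option: {ssl_version!r}")
    # PROTOCOL_TLS_CLIENT auto-negotiates the protocol version and enables
    # hostname checking and certificate verification by default.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version, ctx.maximum_version = _VERSION_BOUNDS[ssl_version]
    if trust_any_certificate:
        # "Trust any certificate (not secure)": the server is no longer
        # authenticated, so the simple-bind credentials could be read by
        # anyone able to intercept the connection. check_hostname has to be
        # disabled before verify_mode may be set to CERT_NONE.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    else:
        ctx.check_hostname = True
        ctx.verify_mode = ssl.CERT_REQUIRED
        if ca_file:
            ctx.load_verify_locations(cafile=ca_file)  # private CA of the LDAP server
        else:
            ctx.load_default_certs()
    return ctx


def describe_context(ctx: ssl.SSLContext) -> Dict[str, object]:
    """Summarise the settings a configuration review cares about."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
        "maximum_version": ctx.maximum_version.name,
    }


if __name__ == "__main__":
    for trust_any in (False, True):
        context = build_tls_context("TLS_CLIENT", trust_any)
        print("trust any certificate:", trust_any, describe_context(context))
```

Run with `python3 example.py` to see the two summaries side by side: the hardened context reports CERT_REQUIRED with hostname checking on, while the "trust any certificate" variant reports CERT_NONE with hostname checking off, which is the difference to look for when reviewing an instance configuration.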

Additional Information

Steps required for setting up AD Roles Mapping (the steps refer to an OpenLDAP server):

  1. Create an OpenLDAP child entry of the User Account template under the wanted Organizational Unit and Posix Group, with uid as part of the DN.
  2. Create an OpenLDAP child entry of the Posix Group template, with the account created in step 1 as memberUid.
  3. If using different attributes and class/group templates (a different objectClass), customize the following default values in the instance configuration:
    • Groups Object Class
    • Groups Unique Identifier Attribute
    • Group Membership Identifier Attribute
    • User Object Class
    • User Unique Identifier Attribute
  4. Navigate to Settings > USERS AND ROLES > ROLES.
  5. Choose the role.
  6. Add the group created in step 2 to AD Roles Mapping.
  7. Log in to Cortex XSOAR using the uid or full DN and password of the user created in step 1.
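The steps above produce a user entry keyed by uid, a group entry that names that uid in memberUid, and a group-to-role mapping. The following Python, added here as an example rather than the integration's own code, resolves a login (uid or full DN) to its groups through the five configurable attribute names and then to Cortex XSOAR roles. The directory entries, the default attribute values and the role mapping are constructed for this example.

```python
from typing import Any, Dict, List, Optional, Set

# The five instance settings named in step 3, filled with values matching the
# OpenLDAP templates of steps 1 and 2 (posixAccount keyed by uid, posixGroup
# listing members in memberUid). These defaults are an assumption for the example.
CONFIG: Dict[str, str] = {
    "groups_object_class": "posixGroup",
    "groups_unique_identifier_attribute": "cn",
    "group_membership_identifier_attribute": "memberUid",
    "user_object_class": "posixAccount",
    "user_unique_identifier_attribute": "uid",
}

# Constructed entries standing in for an LDAP search result under the Base DN.
DIRECTORY: List[Dict[str, Any]] = [
    {"dn": "uid=jdoe,ou=users,dc=domain,dc=com",
     "objectClass": ["posixAccount", "inetOrgPerson"], "uid": ["jdoe"]},
    {"dn": "uid=bsmith,ou=users,dc=domain,dc=com",
     "objectClass": ["posixAccount", "inetOrgPerson"], "uid": ["bsmith"]},
    {"dn": "cn=soc-analysts,ou=groups,dc=domain,dc=com",
     "objectClass": ["posixGroup"], "cn": ["soc-analysts"], "memberUid": ["jdoe", "bsmith"]},
    {"dn": "cn=soc-admins,ou=groups,dc=domain,dc=com",
     "objectClass": ["posixGroup"], "cn": ["soc-admins"], "memberUid": ["jdoe"]},
    {"dn": "cn=legacy,ou=groups,dc=domain,dc=com",
     "objectClass": ["posixGroup"], "cn": ["legacy"], "memberUid": ["bsmith"]},
]

# AD Roles Mapping as set on each role in step 6: group identifier -> role name.
# "legacy" is deliberately left unmapped, so membership there grants nothing.
ROLE_MAPPING: Dict[str, str] = {"soc-analysts": "Analyst", "soc-admins": "Administrator"}


def _values(entry: Dict[str, Any], attribute: str) -> List[str]:
    return list(entry.get(attribute, []))


def find_user(directory: List[Dict[str, Any]], login: str,
              config: Dict[str, str] = CONFIG) -> Optional[Dict[str, Any]]:
    """Locate the user entry by uid or by full DN (both are accepted at login).
    Exact string comparison is a simplification: real DN matching is
    case-insensitive and ignores insignificant whitespace."""
    uid_attr = config["user_unique_identifier_attribute"]
    for entry in directory:
        if config["user_object_class"] not in _values(entry, "objectClass"):
            continue
        if login == entry["dn"] or login in _values(entry, uid_attr):
            return entry
    return None  # unknown user: the bind fails and no roles are granted


def groups_of(directory: List[Dict[str, Any]], user: Dict[str, Any],
              config: Dict[str, str] = CONFIG) -> Set[str]:
    """Group identifiers whose membership attribute names the user. Both the uid
    (posixGroup/memberUid) and the DN (groupOfNames/member) are accepted, so the
    same code works after the attribute names of step 3 are customised."""
    identities = set(_values(user, config["user_unique_identifier_attribute"])) | {user["dn"]}
    groups: Set[str] = set()
    for entry in directory:
        if config["groups_object_class"] not in _values(entry, "objectClass"):
            continue
        if identities & set(_values(entry, config["group_membership_identifier_attribute"])):
            groups.update(_values(entry, config["groups_unique_identifier_attribute"]))
    return groups


def roles_for_login(directory: List[Dict[str, Any]], login: str,
                    role_mapping: Dict[str, str] = ROLE_MAPPING,
                    config: Dict[str, str] = CONFIG) -> Set[str]:
    """Roles the user receives in Cortex XSOAR: only mapped groups count."""
    user = find_user(directory, login, config)
    if user is None:
        return set()
    return {role_mapping[g] for g in groups_of(directory, user, config) if g in role_mapping}


if __name__ == "__main__":
    for login in ("jdoe", "uid=bsmith,ou=users,dc=domain,dc=com", "nobody"):
        print(login, "->", sorted(roles_for_login(DIRECTORY, login)))
```

Two things to check when troubleshooting a mapping: an unknown login yields no roles rather than an error, and a group that exists in the directory but is not listed in AD Roles Mapping contributes nothing, so a user who lands in no mapped group is authenticated but has no role.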

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

ad-authenticate

Performs a simple bind operation on the LDAP server.

Base Command

ad-authenticate

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| username | The username for simple authentication. | Required |
| password | The password for simple authentication. | Required |

Context Output

There is no context output for this command.

Command Example

!ad-authenticate username=user password=secret

Human Readable Output

Done

ad-groups

Fetches LDAP groups under a given base DN.

Base Command

ad-groups

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| specific-groups | A list of group object names to fetch. The list is delimited by a number sign (#). | Optional |

Context Output

There is no context output for this command.

Command Example

!ad-groups

Human Readable Output

{
  "Controls": null,
  "Entries": [
    {
      "Attributes": [
        {
          "Name": "primaryGroupToken",
          "Values": [
            "111"
          ]
        }
      ],
      "DN": "CN=Admin,CN=Builtin,DC=Test,DC=Test1"
    },
    {
      "Attributes": [
        {
          "Name": "primaryGroupToken",
          "Values": [
            "222"
          ]
        }
      ],
      "DN": "CN=Users,CN=Builtin,DC=Test,DC=Test1"
    }
  ],
  "Referrals": [
    "ldap://domainTest/CN=Test,DC=Test,DC=Test1",
    "ldap://domainTest2/CN=Test,DC=Test,DC=Test2"
  ]
}

ad-authenticate-and-roles

Performs a simple bind operation on the LDAP server and returns the authenticated user's groups.

Base Command

ad-authenticate-and-roles

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| username | The username for simple authentication. | Required |
| password | The password for simple authentication. | Required |
| attribute-mail-pull | Whether to return the mail attribute. Possible values are: "true", "false". Default is "true". | Optional |
| attribute-mail | Mail attribute to return in the response. Default is "mail". | Optional |
| attribute-name-pull | Whether to return the name attribute. Possible values are: "true", "false". Default is "true". | Optional |
| attribute-name | Name attribute to return in the response. Default is "name". | Optional |
| attribute-phone-pull | Whether to return the phone attribute. Possible values are: "true", "false". Default is "false". | Optional |
| attribute-phone | Phone attribute to return in the response. Default is "mobile". | Optional |

Context Output

There is no context output for this command.

Command Example

!ad-authenticate-and-roles username='username' password='password' attribute-phone-pull=true

Human Readable Output

{
  "Controls": [],
  "Entries": [
    {
      "Attributes": [
        {
          "Name": "memberOf",
          "Values": [
            "CN=Domain ,CN=Users,DC=Test,DC=Test1"
          ]
        },
        {
          "Name": "name",
          "Values": [
            "User Name"
          ]
        },
        {
          "Name": "primaryGroupID",
          "Values": [
            "111"
          ]
        },
        {
          "Name": "mail",
          "Values": [
            "username@mail.com"
          ]
        },
        {
          "Name": "mobile",
          "Values": [
            "555-5555555"
          ]
        }
      ],
      "DN": "CN=User Name,CN=Users,DC=Test,DC=Test1"
    }
  ],
  "Referrals": [
    "ldap://domainTest/CN=Test,DC=Test,DC=Test1",
    "ldap://domainTest2/CN=Test,DC=Test,DC=Test2"
  ]
}
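The ad-groups output returns primaryGroupToken for each group, and ad-authenticate-and-roles returns the user's memberOf and primaryGroupID. In Active Directory a user's primary group is not listed in memberOf; its RID is stored in primaryGroupID and matches the group's primaryGroupToken, so a complete group list needs that join. The following Python is an added example (not the integration's code) that walks the Entries/Attributes/Values structure of both outputs, embedded here as constructed input copied from the two samples on this page, to compute the effective groups and to pull the mail, name and phone attributes selected by the attribute-* arguments. The function names are assumptions.

```python
from typing import Any, Dict, List

# Constructed input: the two Human Readable Output samples from this page.
GROUPS_OUTPUT: Dict[str, Any] = {
    "Controls": None,
    "Entries": [
        {"Attributes": [{"Name": "primaryGroupToken", "Values": ["111"]}],
         "DN": "CN=Admin,CN=Builtin,DC=Test,DC=Test1"},
        {"Attributes": [{"Name": "primaryGroupToken", "Values": ["222"]}],
         "DN": "CN=Users,CN=Builtin,DC=Test,DC=Test1"},
    ],
    "Referrals": ["ldap://domainTest/CN=Test,DC=Test,DC=Test1",
                  "ldap://domainTest2/CN=Test,DC=Test,DC=Test2"],
}

USER_OUTPUT: Dict[str, Any] = {
    "Controls": [],
    "Entries": [
        {"Attributes": [
            {"Name": "memberOf", "Values": ["CN=Domain ,CN=Users,DC=Test,DC=Test1"]},
            {"Name": "name", "Values": ["User Name"]},
            {"Name": "primaryGroupID", "Values": ["111"]},
            {"Name": "mail", "Values": ["username@mail.com"]},
            {"Name": "mobile", "Values": ["555-5555555"]},
        ], "DN": "CN=User Name,CN=Users,DC=Test,DC=Test1"},
    ],
    "Referrals": ["ldap://domainTest/CN=Test,DC=Test,DC=Test1",
                  "ldap://domainTest2/CN=Test,DC=Test,DC=Test2"],
}


def attribute_values(entry: Dict[str, Any], name: str) -> List[str]:
    """All values of one attribute in an Entries[] item. Attribute names are
    compared case-insensitively, as LDAP itself treats them."""
    return [value
            for attribute in entry.get("Attributes") or []
            if str(attribute.get("Name", "")).lower() == name.lower()
            for value in attribute.get("Values") or []]


def effective_groups(user_output: Dict[str, Any], groups_output: Dict[str, Any]) -> List[str]:
    """memberOf plus the primary group, found by matching the user's
    primaryGroupID against each group's primaryGroupToken. The Referrals in
    either output are ignored rather than followed."""
    entries = user_output.get("Entries") or []
    if not entries:
        return []  # no entry for the bound user: nothing to map
    user = entries[0]
    groups = set(attribute_values(user, "memberOf"))
    primary_ids = set(attribute_values(user, "primaryGroupID"))
    for group in groups_output.get("Entries") or []:
        if primary_ids & set(attribute_values(group, "primaryGroupToken")):
            groups.add(group["DN"])
    return sorted(groups)


def contact_attributes(user_output: Dict[str, Any], mail_attr: str = "mail",
                       name_attr: str = "name", phone_attr: str = "mobile") -> Dict[str, str]:
    """Pick out the attributes selected by attribute-mail, attribute-name and
    attribute-phone (defaults as documented above); missing ones are omitted."""
    entries = user_output.get("Entries") or []
    if not entries:
        return {}
    user = entries[0]
    result: Dict[str, str] = {}
    for key, attribute in (("mail", mail_attr), ("name", name_attr), ("phone", phone_attr)):
        values = attribute_values(user, attribute)
        if values:
            result[key] = values[0]
    return result


if __name__ == "__main__":
    print(effective_groups(USER_OUTPUT, GROUPS_OUTPUT))
    print(contact_attributes(USER_OUTPUT))
```

For the sample user, the result contains both the memberOf group and CN=Admin,CN=Builtin,DC=Test,DC=Test1, which appears nowhere in the user's own entry and is found only through the primaryGroupID/primaryGroupToken match; a role mapping that looks at memberOf alone would miss it.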