🗂️ Active Directory Connector
How to configure your Active Directory connector for fetching users and groups
Below is a step-by-step guide on how to configure the Lumos Active Directory (AD) connector. Each setting is explained in detail, alongside recommended values and examples to help you get started quickly.
1. Enter Authentication Details
These settings determine how the Lumos connector will authenticate to your Active Directory.
Username
Description: The username for your Active Directory service account.
Guidelines:
- Typically includes the domain when given in UPN format.
- Ensure the account has the necessary permissions to read (and optionally modify) user and group objects in AD.
Example:
[email protected]
Password
Description: The password for your Active Directory service account.
Guidelines:
- Store this securely.
- If your organization employs password vaults or credential managers, use them to keep this password safe.
2. Domain Name
Description: The domain name (FQDN) or IP address of your Active Directory server.
Guidelines:
- Use FQDN (e.g., example.com) wherever possible; IP addresses (e.g., 192.168.127.12) are acceptable but less flexible.
- Ensure the name or IP address is reachable from the machine hosting the connector.
3. Base DN
Description: The base (or root) distinguished name for your directory. This is where the connector starts searching for objects.
Guidelines:
- Often corresponds to your domain components (e.g., dc=example,dc=com).
- For multi-domain environments, verify you are targeting the correct domain.
Example:
dc=example,dc=com
4. Port
Description: The port number on which your Active Directory server listens for LDAP/LDAPS requests.
Guidelines:
- Default LDAP port is 389.
- Default LDAPS (SSL) port is 636.
5. Protocol
Description: Determines whether to connect using plain LDAP or encrypted LDAPS.
Options:
- LDAP: Does not encrypt traffic.
- LDAPS: Encrypts traffic, including user credentials.
Guidelines:
- Use LDAPS wherever possible to ensure security.
- If you must use LDAP, ensure you have network-level encryption (e.g., VPN or TLS encapsulation) in place.
6. Validate Certificate
Description: Determines whether the server certificate is validated when using LDAPS.
Guidelines:
- If enabled, the certificate must be trusted by the local machine running the connector (requires root CA or intermediate CA in the trusted store).
- Only applies when Protocol is set to LDAPS.
Example:
- On (recommended for production)
- Off (use with caution, typically for testing environments)
7. Service Account OUs (optional)
Description: Organizational Units (OUs) containing service accounts in your environment, one OU per line.
Guidelines:
- List each OU that contains accounts specifically designated for services.
- Helps Lumos correctly identify, group, or exclude service accounts.
Example:
OU=ServiceAccount,DC=example,DC=com
OU=AnotherServiceAccount,DC=example,DC=com
8. Users Search Base DN (optional)
Description: The subtree in your directory where Lumos will begin searching for user objects.
Guidelines:
- If not provided, the search base defaults to the Base DN.
- Commonly set to a specific OU to limit searches to a smaller portion of the directory for efficiency.
Example:
OU=Users,DC=example,DC=com
9. Users Search Filter (optional)
Description: An additional LDAP filter applied to user queries.
Guidelines:
- Useful for excluding certain object classes or focusing on specific users.
- Must be in valid LDAP query syntax.
Examples:
- Include only person objects:
(objectCategory=person)
- Include only users that are direct or nested members of Group1 or Group2 (the matching rule 1.2.840.113556.1.4.1941, LDAP_MATCHING_RULE_IN_CHAIN, follows group nesting server-side):
(&(objectClass=user)(|(memberOf:1.2.840.113556.1.4.1941:=CN=Group1,OU=Groups,DC=example,DC=com)(memberOf:1.2.840.113556.1.4.1941:=CN=Group2,OU=Groups,DC=example,DC=com)))
10. Groups Search Base DN (optional)
Description: The subtree in your directory where Lumos will begin searching for group objects.
Guidelines:
- If not provided, defaults to the Base DN.
- Commonly set to an OU containing your security or distribution groups.
Example:
OU=Groups,DC=example,DC=com
11. Groups Search Filter (optional)
Description: An additional LDAP filter applied to group queries.
Guidelines:
- Useful for narrowing down the scope to specific types of groups (e.g., security groups vs. distribution groups).
- Must be in valid LDAP query syntax.
Example:
- Include only specific groups (each alternative must compare the distinguishedName attribute; a bare CN=... clause would compare the cn attribute against the whole DN string and match nothing):
(&(objectClass=group)(|(distinguishedName=CN=Group1,OU=Groups,DC=example,DC=com)(distinguishedName=CN=Group2,OU=Groups,DC=example,DC=com)))
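As an added example (not part of this page or the Lumos connector), the Python helper below generates the Users Search Filter and Groups Search Filter shown above from a list of group DNs, applying RFC 4515 escaping so a group name containing parentheses or asterisks is matched literally instead of changing the filter's structure; the function names are my own.

```python
# RFC 4515 escaping for values placed inside an LDAP filter assertion.
# Without it, a DN such as "CN=Sales (EMEA),..." would inject extra
# parentheses into the filter and either break it or change its meaning.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    """Escape a single assertion value for use inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def and_filter(*parts: str) -> str:
    return "(&" + "".join(parts) + ")"

def or_filter(*parts: str) -> str:
    return "(|" + "".join(parts) + ")"

# LDAP_MATCHING_RULE_IN_CHAIN: memberOf comparisons with this rule match
# direct and nested membership, which is what the example filter relies on.
IN_CHAIN = "1.2.840.113556.1.4.1941"

def users_in_groups_filter(group_dns) -> str:
    """Users Search Filter: user objects that are (nested) members of any listed group."""
    clauses = [f"(memberOf:{IN_CHAIN}:={escape_filter_value(dn)})" for dn in group_dns]
    return and_filter("(objectClass=user)", or_filter(*clauses))

def groups_by_dn_filter(group_dns) -> str:
    """Groups Search Filter: only the listed group objects, compared by distinguishedName."""
    clauses = [f"(distinguishedName={escape_filter_value(dn)})" for dn in group_dns]
    return and_filter("(objectClass=group)", or_filter(*clauses))

def check_balanced(ldap_filter: str) -> bool:
    """Sanity check for hand-written filters: every '(' has a matching ')'.
    Literal parentheses in values are escaped, so raw ones are structural."""
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0

if __name__ == "__main__":
    groups = ["CN=Group1,OU=Groups,DC=example,DC=com",
              "CN=Sales (EMEA),OU=Groups,DC=example,DC=com"]  # constructed sample DNs
    for f in (users_in_groups_filter(groups), groups_by_dn_filter(groups)):
        print(f, "balanced" if check_balanced(f) else "UNBALANCED")
```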
12. Include Hierarchy
Description: Determines whether to include parent groups when discovering permissions (i.e., nested groups).
Guidelines:
- If enabled, Lumos will recursively include parent groups (e.g., if a user is in a child group, it will also be considered part of the parent group).
- Helps ensure a more accurate picture of group memberships and effective permissions.
Example:
- Checked (Include parent groups)
- Unchecked (Do not include parent groups)
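To show what the Include Hierarchy setting changes, the added Python example below (not Lumos code; the directory snapshot is constructed) computes a user's group set with and without following parent groups, and tolerates the circular nesting that Active Directory permits.

```python
from collections import deque

# Constructed sample snapshot (not real data): group DN -> direct member DNs.
# Members may be users or other groups; Platform and Engineering nest each
# other, a circular structure AD allows and a naive traversal would loop on.
GROUPS = {
    "CN=All-Staff,OU=Groups,DC=example,DC=com": [
        "CN=Engineering,OU=Groups,DC=example,DC=com",
        "CN=Sales,OU=Groups,DC=example,DC=com",
    ],
    "CN=Engineering,OU=Groups,DC=example,DC=com": [
        "CN=Platform,OU=Groups,DC=example,DC=com",
        "CN=alice,OU=Users,DC=example,DC=com",
    ],
    "CN=Platform,OU=Groups,DC=example,DC=com": [
        "CN=bob,OU=Users,DC=example,DC=com",
        "CN=Engineering,OU=Groups,DC=example,DC=com",  # circular nesting
    ],
    "CN=Sales,OU=Groups,DC=example,DC=com": ["CN=carol,OU=Users,DC=example,DC=com"],
}

def direct_groups(member_dn: str, groups=GROUPS) -> set:
    """Groups whose member attribute lists the DN directly (what memberOf reports)."""
    return {g for g, members in groups.items() if member_dn in members}

def effective_groups(user_dn: str, include_hierarchy: bool, groups=GROUPS) -> set:
    """Groups the user counts as a member of.
    Unchecked: direct memberships only. Checked: also every parent group
    reachable through nesting, visited once each so cycles terminate."""
    found = direct_groups(user_dn, groups)
    if not include_hierarchy:
        return found
    queue = deque(found)
    while queue:
        group = queue.popleft()
        for parent in direct_groups(group, groups) - found:
            found.add(parent)
            queue.append(parent)
    return found

if __name__ == "__main__":
    bob = "CN=bob,OU=Users,DC=example,DC=com"
    print("Unchecked:", sorted(effective_groups(bob, False)))
    print("Checked:  ", sorted(effective_groups(bob, True)))
```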
When you are ready, click Connect to apply the settings. After saving, Lumos will test the connectivity and begin synchronizing the necessary objects based on your configuration.
Troubleshooting Tips
- Authentication Failures
  - Verify the Username and Password are correct.
  - Confirm the service account is not locked or disabled.
- Connection Errors
  - Check you can reach the Domain Name or IP address from the connector server (DNS resolution, firewall rules, etc.).
  - For LDAPS, confirm ports are open (e.g., 636) and the certificate is trusted.
- Incorrect or Empty Search Results
  - Validate your Base DN and Search Base DNs are correct.
  - Temporarily remove or simplify your Search Filters to verify objects appear.
  - Make sure the service account has permissions to read objects in the specified OUs.
- Certificate Validation
  - If certificate validation is On, ensure the certificate chain is trusted by the machine running the connector.
If you continue to experience issues, consult your AD connector logs for troubleshooting.
Conclusion
Configuring the Lumos Active Directory connector involves specifying the fundamental connection details (e.g., credentials, domain, port, protocol) and refining your searches (e.g., base DNs, filters) to accurately scope the user and group data in your environment. By following the detailed instructions above and using the provided examples, you should be able to set up the connector successfully and start synchronizing objects into Lumos.