About Microsoft LDAP - Active Directory Protocol
LDAP (Lightweight Directory Access Protocol) is an open, vendor-neutral protocol used to query and authenticate against directory services. In other words, LDAP lets applications on the system communicate with directory servers and access information such as computer accounts, users, groups, etc.
An organization's Active Directory (AD) is the key to the rest of its network, and attackers are well aware of this fact. To prevent such a breach, organizations protect their Active Directory by integrating it with Microsoft LDAP.
Supported Actions
SIRP's integration with Microsoft LDAP allows multiple activities to be initiated from SIRP playbooks against an Active Directory.
For Active Directory services, these actions include enabling and disabling a user, adding a user to a group, removing a user from a group, etc.
SIRP’s Microsoft LDAP integration app allows you to execute the following actions:
| Action | Description |
| --- | --- |
| Get User Info | Get a user's information from Active Directory. |
| Check User Group | Get a user's group membership from Active Directory. |
| Add User to Group | Add a user to a group. |
| Remove User from Group | Remove a user from a group. |
| Disable User | Disable a user in Active Directory. |
| Enable User | Enable a user in Active Directory. |
| Change User DN | Change a user's Distinguished Name (DN) in Active Directory. |
| Get Manager Info | Get information about a user's manager from Active Directory. |
Enable and Configure Active Directory
Step 1: Creating a New User in Active Directory
Note: SIRP communicates with Active Directory over LDAP and needs a dedicated AD user account to bind with; this account is required for SIRP to execute automated actions, so create it first.
1. Open Server Manager, go to the Tools menu and select Active Directory Users and Computers. Expand the domain and click Users.
2. Right-click in the right pane and select New > User.
3. When the New Object - User dialog appears, enter the following details:
a. First name
b. Last name
c. User logon name
4. Click Next.
5. Enter a password and click Next.
6. The user has been created.
Step 2: Manage Active Directory Permissions to Delegate Control to the SIRP User Account
Note: Delegation must be assigned by an administrator.
To delegate control, first identify the user account that will receive the rights; then, using Active Directory Users and Computers, delegate the task of creating/deleting user accounts to that user or group. In this example, the object is SIRP.
1. In Active Directory Users and Computers > Domain Controllers, click the OU where the user resides (for example, new ou).
2. Right-click new ou and then click Delegate Control.
3. The Delegation of Control wizard appears. Click Next.
4. Enter the user name.
5. On the Users or Groups page, click Add, select the user or group, double-click it, and click Next.
6. On the Tasks to Delegate page, click Create a custom task to delegate, and then click Next.
7. Click Only the following objects in the folder.
8. From the list, select User objects.
9. In the permissions list, select the Property-specific check box for the required permissions shown in the table below.
In this case, select Read userAccountControl and Write userAccountControl.
Note: These permissions allow the SIRP user to enable/disable domain users through an automated action in SIRP, and nothing more; other actions in the table above (group membership changes, DN changes) need rights on other attributes or objects.
10. Click Next > Finish.
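As an added example (not SIRP's own code), the following Python models what the Disable/Enable User write and the Check User Group lookup described above do at the LDAP level: the write touches only the ACCOUNTDISABLE bit of userAccountControl, which is exactly what the delegated Read/Write right covers, and the membership check compares DNs case-insensitively. The user DN, OU and group names are constructed placeholders.

```python
"""Offline model of SIRP-style Disable/Enable User and Check User Group actions over LDAP."""
# userAccountControl bit flags, as documented in Microsoft's ADS_USER_FLAG enumeration.
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000
FLAG_NAMES = {ACCOUNTDISABLE: "ACCOUNTDISABLE", 0x0020: "PASSWD_NOTREQD",
              NORMAL_ACCOUNT: "NORMAL_ACCOUNT", DONT_EXPIRE_PASSWORD: "DONT_EXPIRE_PASSWORD",
              0x400000: "DONT_REQ_PREAUTH"}

def decode_uac(value: int) -> list[str]:
    """Names of the flags set in a userAccountControl value (what Get User Info would show)."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if value & bit]

def set_disabled(uac: int, disabled: bool) -> int:
    """Flip only the ACCOUNTDISABLE bit; every other flag survives the write.
    Replacing the whole value with a fixed 514/512 would silently drop e.g. DONT_EXPIRE_PASSWORD."""
    return uac | ACCOUNTDISABLE if disabled else uac & ~ACCOUNTDISABLE

def build_modify(user_dn: str, current_uac: int, disabled: bool) -> dict:
    """Shape of the LDAP ModifyRequest (RFC 4511) the action issues: one 'replace' of
    userAccountControl, i.e. exactly the attribute delegated in Step 2 (plain dict, not a library API)."""
    return {"dn": user_dn,
            "changes": [{"operation": "replace", "attribute": "userAccountControl",
                         "values": [str(set_disabled(current_uac, disabled))]}]}

def normalize_dn(dn: str) -> str:
    """DNs are case-insensitive and tolerate whitespace after separators; naive string
    comparison misses matches. (Escaped commas inside values are not handled here.)"""
    return ",".join(part.strip().lower() for part in dn.split(","))

def in_group(member_of: list[str], group_dn: str) -> bool:
    """Check User Group via the user's memberOf attribute: direct membership only; nested
    groups need a recursive lookup or the LDAP_MATCHING_RULE_IN_CHAIN filter."""
    target = normalize_dn(group_dn)
    return any(normalize_dn(g) == target for g in member_of)

# Constructed sample user; DN, OU and group names are placeholders, not real directory data.
SAMPLE_USER = {
    "dn": "CN=Jane Doe,OU=new ou,DC=example,DC=com",
    "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD,   # 66048
    "memberOf": ["cn=SOC Analysts, ou=groups, dc=example, dc=com"],
}

if __name__ == "__main__":
    req = build_modify(SAMPLE_USER["dn"], SAMPLE_USER["userAccountControl"], disabled=True)
    new_uac = int(req["changes"][0]["values"][0])
    print(new_uac, decode_uac(new_uac))
    print(in_group(SAMPLE_USER["memberOf"], "CN=SOC Analysts,OU=Groups,DC=example,DC=com"))
```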
Configure SIRP Application
1. Log in to SIRP, then go to Apps from the left navigation bar.
2. Locate the app named Microsoft LDAP.
3. Enable the Microsoft LDAP app by clicking the toggle button under the Status column.
4. A new configuration window pops up asking for connection details. Provide the following information for the SIRP user account created in Step 1:
a. Host=<server address>
b. USER-DN=<DN of user>
c. Password=<password>
d. Base-DN=<Base DN>
e. Click on Save.
Note: The distinguishedName of the user is shown on the Attribute Editor tab of the user's properties in Active Directory Users and Computers (View > Advanced Features must be enabled for the tab to appear).