Add an LDAP Connector

LDAP : Configure and Import LDAP Groups in VBrick Rev : Add an LDAP Connector

Before you are able to import an LDAP group, you must first create a means for VBrick Rev to communicate with Active Directory and LDAP groups. This is accomplished by creating an LDAP Connector and then running that connector on a host or through a direct connection if you have an on-premise installation. Be aware that the connector will always need to be running on the host you choose for importing and synchronizing your LDAP groups and users if you do not have a direct connection enabled.

To add an LDAP Connector:

Tip: Depending upon the Directory Type you choose, most fields are completed for you when adding an LDAP Connector. If you intend to modify those fields and are unsure of exact values, consult the Directory Type’s documentation for more information:

●Active Directory

1. Navigate to Admin > Devices > Add a Device button.

2. Select Add an LDAP Connector.

3. Complete each section of the form as described below.

Add the LDAP Connector as a Direct Connection

The Device Name section first needs to be completed as either a Direct Connection (normally for on-premise installations) or as a host/node where you will need to inactivate Direct Connection and enter a Mac Address instead.

This example has Direct Connection in active status which will disable the ability to enter a MAC Address.

Field Name	Required	Description
Device Name	Yes	Keep in mind that the Device Name of your connector becomes the parent group name for all imported groups. In the example above, all LDAP groups will be imported under the LDAP Imported Groups heading under the Groups module.
Status		Designates whether or not your connector is currently active or inactive.
Direct Connection		Enabled by default. Recommended for on-premise Rev installations to provide a direct connection to Active Directory. If this setting is enabled, you will not be required to edit your Rev runtime or configuration files described in the topic: Edit and Run the LDAP Connector Runtime Files. Nor will you be required to run an LDAP server host since this setting provides a direct connection to Active Directory. Finally, you will not be required to enter a Mac Address which is used to run one or more LDAP Connectors on a host/node.
Allow LDAP Authentication for Users		Enabled by default. Specifies if users will use LDAP authentication. If disabled, user/group sync will use LDAP while user authentication will use SAML. See: Disable LDAP Authentication for Users.

Add the LDAP Connector through a Connector

To run the LDAP Connector on a host, make sure you disable the Direct Connection and enter a MAC Address for each Connector Node you plan to use. You may configure the status per node or through the entire LDAP Connector as desired (unless there are no active nodes). If more than one node is configured, the system will distribute tasks among the available nodes.

Field Name	Required	Description
Connector Nodes / MAC Address	Yes	Only visible if Direct Connection is set to inactive status. The Mac Address for the Connector Node is required if Direct Connection is inactive and you will be unable to create the connector without it if you plan to run your connector on a host. This should be the address of the host you plan to run your connector from. This is easily obtained by entering the command getmac from a command prompt. The Mac Address is the first line with no dashes. You may add additional nodes by clicking the Add Connector Node button. Further, you may change the status of each node at will by clicking the Active and Inactive buttons. Click the Remove button to remove a node.

The first two MAC Addresses of each node you add may be viewed on the All Devices main page under the Network Address column.

LDAP Connector Status depends on the following node states:

●If LDAP Connector is active and all active LDAP nodes are online: Active

●If LDAP Connector is active and at least one active LDAP node is offline: Warning <# of offline nodes/# of active LDAP nodes>

●If LDAP Connector is active and all active LDAP nodes are offline: Offline (See image above)

●If LDAP Connector is inactive: Inactive

LDAP Server Settings

Once you decide how you are going to run the connector, complete the LDAP Server Settings section.

Field Name	Required	Description
Directory Type	Yes	The directory type that the LDAP Connector supports; Note that when you choose a directory type, the LDAP Server Mapping fields will be automatically populated with the recommended default settings for that type.
LDAP Server Host	Yes	The IP address or name of the host.
Port	Yes	The default port is 389. Use 636 if using SSL.
SSL		Indicates the LDAP connection is over SSL if selected.
Username	Yes	The user name that has been set up for your LDAP server host.
Password	Yes	The password that has been set up for your LDAP server host.

Tip: This topic uses Active Directory as the Directory Type when creating an LDAP Connector. However, selecting Generic LDAP is much the same process.

LDAP Server Mapping

Most of the LDAP Server Mapping section is populated with recommended default values and formats when you choose a Directory Type in the LDAP Server Settings section. The image below displays the server mappings for Active Directory. These fields may be modified if needed. Most fields are required.

Note: Keep in mind that if you change the Root Scope field in the LDAP Server Mapping section after you have already imported groups and users, you will need to re-import your group.

LDAP Groups Specification

The LDAP Groups Specification section is used to import specific LDAP groups and is only visible if the Specify Groups to Import checkbox is selected in the LDAP Server Mapping section.

If you are an organization with hundreds or even thousands of LDAP groups, this may take a considerable amount of time. You may use the Specify Groups to Import checkbox to enter the LDAP group you want to import instead. This will open the LDAP Groups Specification section where you may enter the Distinguished Name (DN) of the LDAP group to be imported seen in the example below.

By default, the Specify Groups to Import checkbox is deselected which means that all LDAP groups associated with your Active Directory server will need to be retrieved and displayed for potential import when you click the Add Groups action for an LDAP Connector device or the Import Group From LDAP button from the Groups module, seen in the image below.

Keep in mind:

●You must enter the LDAP DN name exactly as it appears. If it is misspelled or entered incorrectly it will not import. Note: It is not case sensitive.

●If you use this method, you may no longer use the Add Groups action for an LDAP Connector device or the Import Group From LDAP button from the Groups module until the Specify Groups to Import checkbox is once again deselected.

●If the checkbox is deselected and you want to import new groups, then the Reset Connector Sync button must used to manually sync the connector; or you may also wait until the next scheduled sync interval has been performed. See: LDAP Server Synchronization Settings.

User Record Mapping

Similar to the LDAP Server Mapping section, the User Record Mapping section is populated with recommended default values and formats when you choose a Directory Type in the LDAP Server Settings section. The image below displays the user record mappings for Active Directory. These fields may be modified if needed. Most fields are required.

LDAP Server Synchronization Settings

The LDAP Server Synchronization Settings section is used to specify the sync interval from Active Directory to VBrick Rev.

You can specify a sync interval in minutes or hours. The recommended interval is 24 hours; particularly if importing and/or syncing large groups of users so you do not tie up server resources during peak usage time by your end users. Note that you must specify a synchronization interval.

If your sync needs to be reset for any reason, you may use the Reset Connector Sync link in the Actions drop-down on the All Devices form to do so.