Skip to main content

LDAP

The Lightweight Directory Access Protocol (LDAP) is a widely adopted application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. LDAP directories are commonly used for storing organizational information such as groups, devices, and users. Popular implementations of LDAP include Microsoft's Active Directory, OpenLDAP, and Apple's Open Directory.

You can use the LDAP connector in Brinqa to retrieve computer, group, printer, site, subnet, and user data from your LDAP server. This integration allows the Brinqa Platform to process this data, aiding in the construction of a comprehensive view of your organization's identity landscape, thus enhancing your cybersecurity posture.

This document details the information you must provide for the connector to assess your LDAP server and directories to retrieve data. See create a data integration for step-by-step instructions on setting up the integration.

Required connection settings

When setting up a data integration, select LDAP from the Connector drop-down. If you cannot find the connector in the drop-down, make sure that you have installed it first. You must provide the following information:

  • Server: LDAP servers can be hosted either in a local environment or in the cloud, such as Azure AD. To ensure secure communication between the Brinqa Platform and your LDAP server, especially when the server is local, you may need to install a Brinqa Agent on the machine and create a data server for it. If this is required, select the data server you have created.

  • Hostname: The IP address or name of the host where the LDAP server is running, identifying the network location of the LDAP server. The default format is my.ldap.server.

  • Port: The TCP (Transmission Control Protocol) or IP port number that is used to communicate with the LDAP server. Brinqa recommends using port 636 for secure, encrypted connections. The default port, 389, is an unencrypted connection and is not recommended.

  • Principal: The distinguished name (DN) that is used to authenticate to the LDAP server, acting similarly to a service account. This account should ideally have READ access to all users and computers within the directory.

  • Password: The password for the Principal account. The password is used alongside the Principal account for authentication purposes.

  • Base Context: A comma-separated list of Organizational Units (OUs) that represent different directory levels or user types. The base context is the starting point within the LDAP directory's tree-like structure for search operations.

    LDAP objects may be organized into several subtrees of the directory information tree. This organization accommodates variations in group types, naming conventions, and access controls, among other factors. For instance, specific groups may be organized under ou=groups,dc=example,dc=com, while project-related entries might be found in ou=projects,dc=example,dc=com.

  • Page size: The number of records to retrieve per search operation. This setting can help manage large amounts of data by processing records in smaller, more manageable batches. The default is 500. It is not recommended to go over 500.

Additional settings

The LDAP connector contains additional options for specific configuration:

  • SSL/TLS protocol: Specify one of the following acceptable SSL (Secure Sockets Layer) or TLS (Transport Layer Security) protocol values: TLSv1, TLSv1.1, or TLSv1.2. Brinqa recommends opting for the most current SSL or TLS protocol version available to securely communicate with the LDAP server.

  • Use secure connection: Select this option to ensure that the LDAP connector's connection to the LDAP server is encrypted with SSL or TLS.

  • Upgrade a non-encrypted connection by wrapping it with SSL/TLS: Select this option to allow the connector to upgrade an initially unencrypted connection to a secure one using SSL or TLS. This feature ensures the security of your data, even if the initial connection starts unsecured.

Types of data to retrieve

The LDAP connector can retrieve the following types of data from your LDAP server and directories:

Connector ObjectRequiredMaps to Data Model
ComputerNoHost
GroupNoNot mapped
PrinterNoNot mapped
SiteNoSite
SubnetNoSubnet
UserNoPerson
info

For detailed steps on how to view the data retrieved from your LDAP server in the Brinqa Platform, see How to view your data.

Operation options

The LDAP Connector supports operation options by using LDAP filters. For additional information on LDAP filters and syntax, please refer to the LDAP Filters documentation.

See connector operation options for information about how to apply them in the Brinqa Platform. For example, to retrieve users from a specific department, the operation option can be:

  • Key: filters

  • Value: (departmentNumber=1234)

Always set the Key to filters. This key and value combination instructs the LDAP connector to only retrieve users belonging to department number 1234.

APIs

The LDAP connector does not use any API endpoints.

Changelog

The LDAP connector has undergone the following changes:

3.0.8

  • Code clean up and maintenance.

3.0.4

  • Added an error log for enhanced troubleshooting.

3.0.2

  • Added default operation options and connection timeouts.

3.0.1

  • Minor formatting fixes.

3.0.0