LDAP
The Lightweight Directory Access Protocol (LDAP) is a widely adopted application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. LDAP directories are commonly used for storing organizational information such as groups, devices, and users. Popular implementations of LDAP include Microsoft's Active Directory (AD), OpenLDAP, and Apple's Open Directory.
You can use the LDAP connector in Brinqa to retrieve computer, group, printer, site, subnet, and user data from your LDAP server. This integration allows the Brinqa Platform to process this data, aiding in the construction of a comprehensive view of your organization's identity landscape, thus enhancing your cybersecurity posture.
This document details the information you must provide for the connector to assess your LDAP server and directories to retrieve data. See create a data integration for step-by-step instructions on setting up the integration.
Required connection settings
When setting up a data integration, select LDAP from the Connector drop-down. If you cannot find the connector in the drop-down, make sure that you have installed it first. You must provide the following information:
- Server: LDAP servers can be hosted either in a local environment or in the cloud, such as Azure AD. To ensure secure communication between the Brinqa Platform and your LDAP server, especially when the server is local, you may need to install a Brinqa Agent on the machine and create a data server for it. If this is required, select the data server you have created.
- Hostname: The IP address or name of the host where the LDAP server is running, identifying the network location of the LDAP server. The default format is `my.ldap.server`.
- Port: The TCP (Transmission Control Protocol) port number used to communicate with the LDAP server. Brinqa recommends using port `636` for secure, encrypted connections. The default port, `389`, is an unencrypted connection and is not recommended.
- Principal: The distinguished name (DN) used to authenticate to the LDAP server, acting similarly to a service account. This account should ideally have READ access to all users and computers within the directory.
  - For additional information on distinguished names, see Microsoft's documentation.
- Password: The password for the Principal account. The password is used alongside the Principal account for authentication purposes.
- Base Context: A comma-separated list of Organizational Units (OUs) that represent different directory levels or user types. The base context is the starting point within the LDAP directory's tree-like structure for search operations. LDAP objects may be organized into several subtrees of the directory information tree. This organization accommodates variations in group types, naming conventions, and access controls, among other factors. For instance, specific groups may be organized under `ou=groups,dc=example,dc=com`, while project-related entries might be found in `ou=projects,dc=example,dc=com`.
- Page size: The number of records to retrieve per search operation. This setting can help manage large amounts of data by processing records in smaller, more manageable batches. The default is 500. Going above 500 is not recommended.
Additional settings
The LDAP connector contains additional options for specific configuration:
- SSL/TLS protocol: Specify one of the following acceptable SSL (Secure Sockets Layer) or TLS (Transport Layer Security) protocol values: TLSv1, TLSv1.1, or TLSv1.2. Brinqa recommends selecting the most current TLS protocol version available to communicate securely with the LDAP server.
- Use secure connection: Select this option to ensure that the LDAP connector's connection to the LDAP server is encrypted with SSL or TLS.
- Upgrade a non-encrypted connection by wrapping it with SSL/TLS: Select this option to allow the connector to upgrade an initially unencrypted connection to a secure one using SSL or TLS. This feature protects your data even if the connection starts out unencrypted.
- Trust all hostnames and certificates: Select this option to bypass the verification of server certificates and hostnames. This setting enables the connector to establish a connection even when the LDAP server's SSL/TLS certificate cannot be validated or the server hostname does not match the certificate. While this can help facilitate connectivity where organizations issue their own certificates or have no central system managing them, it reduces security by making the connection vulnerable to man-in-the-middle attacks. Use this option only as a temporary measure until certificate issues can be resolved by AD administrators, and only in controlled environments where the security risks are understood and managed.
Types of data to retrieve
The LDAP connector can retrieve the following types of data from your LDAP server and directories:
| Connector Object | Required | Maps to Data Model |
|---|---|---|
| Computer | No | Host |
| Group | No | Not mapped |
| Printer | No | Not mapped |
| Site | No | Site |
| Subnet | No | Subnet |
| User | No | Person |
For detailed steps on how to view the data retrieved from your LDAP server in the Brinqa Platform, see How to view your data.
Operation options
The LDAP Connector supports operation options by using LDAP filters. For additional information on LDAP filters and syntax, please refer to the LDAP Filters documentation.
See connector operation options for information about how to apply them in the Brinqa Platform. For example, to retrieve users from a specific department, the operation option can be:
- Key: `filters`
- Value: `(departmentNumber=1234)`
Always set the Key to `filters`. This key and value combination instructs the LDAP connector to only retrieve users belonging to department number 1234.
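When the Value is assembled from data you do not fully control (a department number typed into a form, for instance), the assertion value should be escaped so it cannot change the filter's structure. The following is an added example, not Brinqa's code: it escapes values per RFC 4515, builds a `(departmentNumber=1234)` style filter, and checks that the result is still a single well-formed filter; the function names are my own.

```python
import re

# RFC 4515 section 3: characters that must be hex-escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
# Attribute descriptions: a name or OID, optionally with ;options (simplified grammar).
_ATTR_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*(;[A-Za-z0-9-]+)*$|^\d+(\.\d+)+$")


def escape_filter_value(value: str) -> str:
    """Escape one assertion value so it cannot alter the filter's structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def equality_filter(attribute: str, value: str) -> str:
    """Build an (attribute=value) filter from an attribute name and a raw value."""
    if not _ATTR_RE.match(attribute):
        raise ValueError(f"invalid attribute description: {attribute!r}")
    return f"({attribute}={escape_filter_value(value)})"


def and_filter(*filters: str) -> str:
    """Combine several filters with the LDAP AND operator."""
    return "(&" + "".join(filters) + ")"


def is_single_filter(text: str) -> bool:
    """Check that text is exactly one parenthesised filter with balanced parentheses,
    treating backslash-escaped characters as data rather than delimiters."""
    if not text.startswith("("):
        return False
    depth, i = 0, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\":          # \XX hex escape: skip the two hex digits
            i += 3
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0 or (depth == 0 and i != len(text) - 1):
                return False    # stray close, or content after the top-level filter
        i += 1
    return depth == 0
```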
APIs
The LDAP connector does not use any API endpoints.
Changelog
The LDAP connector has undergone the following changes:
3.1.3
- Fixed an issue where attribute names were returned as `null` for certain fields, resulting in misordered fields and improperly formatted attributes.
3.1.2
- Fixed an issue where the Computer object sync was failing. As a result, the following attributes were removed from the Computer object:
  - HOSTNAME
  - PRIVATE_DNS_NAME
  - PUBLIC_DNS_NAME
3.1.1
- Added a new setting to trust all host names and certificates.
3.1.0
- Code clean up and general maintenance.
3.0.9
- Added support for Active Directory extension attributes. For additional information, see Microsoft's documentation.
3.0.8
- Code clean up and maintenance.
3.0.4
- Added an error log for enhanced troubleshooting.
3.0.2
- Added default operation options and connection timeouts.
3.0.1
- Minor formatting fixes.
3.0.0
- Initial Integration+ release.