
Microsoft AD via LDAPS

Overview

NorthGRC allows for delegation of user management to Microsoft Active Directory. Users authenticate with AD on every login, in order to make sure that only valid AD users are able to access the content in NorthGRC.

This guide will help you set up the needed configuration in NorthGRC.

Configuration

To set up an Active Directory connection, you need to log into NorthGRC with a user that has the security role of “UserManager”. 

Navigate to Settings > User directories > Add directory > select “Add LDAPS user directory”.

The “Name” field is for information purposes only and will be shown in the list of directories. 

The “Directory server URL” field is the host name of the domain controller you want to integrate with, as in “ad.mycompany.com”. Enter only the host name, without protocol or port. An IP address also works but is not recommended, since the server certificate is normally issued to the DNS name and is validated against the value entered here.

The “Active directory domain name” field is the fully qualified domain name of your Active Directory domain.

The “Short domain name” field is the NT (NetBIOS) domain name that is used as the prefix of the user’s login id, for example the MYCOMPANY in MYCOMPANY\jdoe.

The “Mail field name” field is the name of the Active Directory attribute that contains the user’s email address. The default is “mail”, but it can differ depending on the mail server that is used.

The “AD service user” and “AD service user password” fields are the login credentials of an AD user. This user is used when performing the nightly updates of users, groups and the user-group relations. It only needs read access to the users and groups that are imported, so use a dedicated account with no other privileges.

The “Certificate” field is the certificate of the AD server, pasted as text (X.509 format). It is used to validate the TLS-encrypted connection between NorthGRC and the AD server, so it must be the certificate the server actually presents on port 636 and must be valid for the host name entered in “Directory server URL”.
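The following PowerShell script is an added example and is not part of the NorthGRC documentation. Run from a domain-joined Windows host, it checks the two things the configuration above depends on: that LDAPS answers on TCP 636, and which certificate the server presents during the TLS handshake. It then writes that certificate as PEM text for the “Certificate” field and reports its validity period and subject alternative names so they can be compared with the “Directory server URL”. The host name dc01.ad.mycompany.com and the output file name are assumptions.

```powershell
# Added example, not NorthGRC code. Assumed host name; replace with your domain controller.
$Server = 'dc01.ad.mycompany.com'

# 1. NorthGRC only speaks LDAPS, so TCP 636 must be open from the NorthGRC side.
$tcp = Test-NetConnection -ComputerName $Server -Port 636
if (-not $tcp.TcpTestSucceeded) { throw "TCP 636 is not reachable on $Server" }

# 2. Capture the certificate presented in the TLS handshake. The validation callback
#    accepts any certificate here ONLY because we want to read it, not trust it.
$client = New-Object System.Net.Sockets.TcpClient($Server, 636)
$noCheck = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
$ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $noCheck)
$ssl.AuthenticateAsClient($Server)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $client.Dispose()

# 3. The same checks as the "Connection Access denied" list: dates and host name.
Write-Host "Subject : $($cert.Subject)"
Write-Host "Issuer  : $($cert.Issuer)"
Write-Host "Valid   : $($cert.NotBefore) to $($cert.NotAfter)"
if ((Get-Date) -gt $cert.NotAfter -or (Get-Date) -lt $cert.NotBefore) {
    Write-Warning 'Certificate is outside its validity period'
}
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
if ($san) { Write-Host "SANs    : $($san.Format($false))" }
else      { Write-Warning 'No subjectAltName; the host name must match the subject CN' }

# 4. Write the PEM text that goes into the "Certificate" field.
$pem = "-----BEGIN CERTIFICATE-----`n" +
       [Convert]::ToBase64String($cert.RawData, 'InsertLineBreaks') +
       "`n-----END CERTIFICATE-----"
Set-Content -Path .\ldaps-cert.pem -Value $pem -Encoding Ascii
Write-Host 'Wrote ldaps-cert.pem; paste its content into the Certificate field.'
```

Run the script from a host that reaches the domain controller on the same name NorthGRC will use. If the SAN list does not contain that name, the TLS validation in NorthGRC will fail even though the certificate is otherwise valid; fix the name or reissue the certificate rather than switching to an IP address.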

Testing the connection

When all configuration is set, use the Test connection button to test the LDAPS connection. 

On success, you will be able to set up which users and groups should be imported.

Filter Settings

Small organizations can select to import all users, but it is recommended to only import users that should have access to NorthGRC.

The recommended option is to use “Select by AD group” and then select one or more groups in the “Import these groups” field.

The Group import is recursive, so groups that contain groups (in multiple levels) and users will also be included.

Using AD groups as filters effectively moves the responsibility for controlling access to NorthGRC into your Active Directory, and lets you use your existing procedures and user management tools.

Synchronization of users and groups runs outside office hours, but with “Synchronize when saving” you can start an extra synchronization of users and groups immediately.

Directory Information

When the AD connection is created, it will be listed on the Settings > User directories page. Here you can edit or delete the settings and view the log information from the last synchronization.

When the connection is synchronizing the users and groups, a progress indication will be shown.

The list also shows how many users and groups are currently imported from the AD connection. Only users and groups that match your filters are imported.


User Login

When an Active Directory connection is defined, the standard NorthGRC login form will also check the provided credentials with all the defined Active Directory servers. 

Users defined in external user directories will not be able to use the “I forgot my password” option - but will get an email notification that they need to contact their helpdesk. 


Troubleshooting

Here are some issues that can arise when defining a connection to your AD servers.

Server or Service not found

Connection issues are typically configuration errors or blocks in the network path between NorthGRC and the AD server.

  • Check the defined Directory Server URL to see that a valid DNS name or IP address (reachable from NorthGRC on the Internet) was entered. Do not include protocol or port number, just the host name.
  • Check your firewall settings to ensure that NorthGRC is allowed to contact the AD server. Note that LDAPS uses TCP port 636 (plain LDAP on port 389 is not supported by NorthGRC). Restrict the rule to NorthGRC’s source addresses rather than opening port 636 to everyone.
  • Check that your AD server has LDAPS configured and that the service is available on the server.

Connection Access denied

Access issues are typically errors in the configuration, expired passwords or certificates.

  • Check that the full AD name is spelled right
  • Check that the domain short name (NT name) is spelled right
  • Check the credentials for the service lookup user and that the user is not disabled or blocked.
  • Check that the certificate is valid for the AD server and within the date range

No Users or Groups imported

This is normally a filter configuration issue or access rights of the defined service user.

  • Check the selected filter option (recommend using one or more Security Groups)
  • Check that the expected Users and Groups are within the selected filters in AD
  • Check the “Mail field name” against AD: the attribute must be present and have a value for a user to be imported, and users without a value are skipped. On a domain with no mail server the value should be “userPrincipalName”.
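The following PowerShell script is an added example and is not part of the NorthGRC documentation. It covers both the “Select by AD group” filter described under Filter Settings and the “No Users or Groups imported” checklist above: it verifies the service lookup account is usable, expands the selected groups recursively the way the import does (nested groups included), and lists the users that would be skipped because the configured mail attribute is empty. The group names NorthGRC-Users and NorthGRC-Admins, the account name svc-northgrc and the attribute choice are assumptions; the ActiveDirectory module (RSAT) must be installed.

```powershell
# Added example, not NorthGRC code. Assumed names; adjust to your environment.
Import-Module ActiveDirectory
$Groups      = @('NorthGRC-Users', 'NorthGRC-Admins')   # groups in "Import these groups"
$MailField   = 'mail'                                   # or 'userPrincipalName' without a mail server
$ServiceUser = 'svc-northgrc'                           # the "AD service user"

# 1. A disabled, locked-out or password-expired service account fails the nightly sync.
$svc = Get-ADUser -Identity $ServiceUser -Properties Enabled, LockedOut, PasswordExpired
if (-not $svc.Enabled -or $svc.LockedOut -or $svc.PasswordExpired) {
    Write-Warning ("Service user {0}: Enabled={1} LockedOut={2} PasswordExpired={3}" -f
        $ServiceUser, $svc.Enabled, $svc.LockedOut, $svc.PasswordExpired)
}

# 2. Recursive expansion mirrors the NorthGRC group import; only user objects count,
#    and a user in several groups is counted once.
$members = foreach ($g in $Groups) {
    Get-ADGroupMember -Identity $g -Recursive | Where-Object objectClass -eq 'user'
}
$users = $members | Sort-Object -Property distinguishedName -Unique |
         Get-ADUser -Properties $MailField, Enabled

"{0} user(s) fall within the filter {1}" -f @($users).Count, ($Groups -join ', ')

# 3. Users without a value in the mail attribute are skipped by the import.
$missing = $users | Where-Object { [string]::IsNullOrEmpty($_.$MailField) }
if ($missing) {
    Write-Warning ("{0} user(s) have no '{1}' value and will not be imported:" -f @($missing).Count, $MailField)
    $missing | Select-Object SamAccountName, Enabled, distinguishedName | Format-Table -AutoSize
} else {
    "All users in scope have a '$MailField' value."
}
```

If the count in step 2 is zero, the problem is the filter (wrong group, or the users sit in a group that is not nested under the selected ones); if the count is right but step 3 lists users, either populate the attribute or switch “Mail field name” to one that is always set, such as userPrincipalName.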