LDAP and Active Directory Configuration
LDAP integration is commonly used for secondary user authentication.
When deployed in a workgroup installation scenario, ObserveIT Console Users are created locally in the ObserveIT Web Console. You can manually create a Console User for each user that requires access to the ObserveIT Web Console. In addition, when using ObserveIT’s Identification Services, users logging on to the monitored servers or workstations with generic-type user accounts, such as the built-in Administrator, will be forced to provide secondary credentials that will be used to identify them. In this scenario, the ObserveIT auditor will know who really used the Administrator account. Similar to Console Users, when deployed in a workgroup installation scenario, local ObserveIT users must be created in the Web Console, and these credentials must be provided to the users logging on to the monitored computers, in order for them to successfully identify themselves with the ObserveIT Identification Services.
By configuring an LDAP connection between the Application and Web Console components and an external LDAP server (such as a Microsoft Active Directory domain controller), you can use user and group accounts from an Active Directory domain to grant access to the ObserveIT Web Console and to provide users with credentials for ObserveIT Identification Services. Secured SSL communication to Active Directory via LDAP (LDAPS) can be configured to encrypt all communication with Active Directory.
The ObserveIT Web Console Server must be able to communicate through LDAP traffic with at least one of the domain controllers in the target Active Directory domain. LDAP traffic uses TCP port 389 in most cases. If a firewall exists between the ObserveIT Web Console Server and the domain controller, you need to configure the firewall to allow LDAP traffic to and from that domain controller. Consult your firewall vendor or manual to learn how to configure it correctly.
RODC support is available for environments that allow read-only access to Active Directory domain controllers.
From the Configuration > User Management > LDAP Settings page of the Web Console, you can configure automatic and manual LDAP targets, and change the default LDAP email field name, if required.
ObserveIT also supports secured SSL communication to Active Directory via LDAP. When LDAPS is configured, all communication with Active Directory is encrypted. An indication is displayed on the LDAP Settings page (as shown in the above screenshot).
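The two paragraphs above ask for two things an administrator should verify before saving an LDAP target: that the Web Console Server can actually reach a domain controller on the LDAP port through any intervening firewall, and that LDAPS is used so the bind and identification credentials do not cross the network in clear text. The following pre-flight script is an added example, not part of the ObserveIT product or its documentation; it uses only the Python standard library. It assumes the target is written as an LDAP URL (ldap:// or ldaps://, hostname, optional port), assumes the standard ports 389 for LDAP and 636 for LDAPS when none is given, and that the CA bundle path, if supplied, contains the certificate chain that issued the domain controller's certificate. It does not perform an LDAP bind; it only checks TCP reachability and, for LDAPS, that the server certificate verifies against the CA bundle and matches the hostname, which is what the Web Console's TLS client will require.

```python
"""Pre-flight check for an LDAP/LDAPS target (added example, not ObserveIT code)."""
import socket
import ssl
import sys
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Assumed defaults: well-known ports for plain LDAP and LDAP over TLS.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


@dataclass
class LdapTarget:
    scheme: str
    host: str
    port: int

    @property
    def encrypted(self) -> bool:
        return self.scheme == "ldaps"


def parse_ldap_url(url: str) -> LdapTarget:
    """Split 'ldaps://dc01.corp.example:636' into scheme, host and port."""
    parsed = urlparse(url)
    if parsed.scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme {parsed.scheme!r}; use ldap:// or ldaps://")
    if not parsed.hostname:
        raise ValueError("LDAP URL has no hostname")
    return LdapTarget(parsed.scheme, parsed.hostname, parsed.port or DEFAULT_PORTS[parsed.scheme])


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connection to host:port completes (DNS failure counts as unreachable)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def ldaps_certificate_ok(target: LdapTarget, ca_file: Optional[str] = None,
                         timeout: float = 3.0) -> Tuple[bool, str]:
    """Complete a TLS handshake with chain and hostname verification, as an LDAPS client would."""
    ctx = ssl.create_default_context(cafile=ca_file)  # verifies chain and hostname by default
    try:
        with socket.create_connection((target.host, target.port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=target.host) as tls:
                cert = tls.getpeercert()
                return True, f"TLS {tls.version()} handshake ok, subject={cert.get('subject')}"
    except ssl.SSLCertVerificationError as exc:
        return False, f"certificate rejected: {exc}"
    except (ssl.SSLError, OSError) as exc:
        return False, f"TLS connection failed: {exc}"


def preflight(url: str, ca_file: Optional[str] = None, timeout: float = 3.0) -> List[str]:
    """Return findings, one line each, for the given LDAP target URL."""
    findings: List[str] = []
    target = parse_ldap_url(url)
    if not target.encrypted:
        findings.append(f"WARN: plain LDAP on port {target.port}; bind and identification "
                        "credentials travel unencrypted, prefer ldaps://")
    if not tcp_reachable(target.host, target.port, timeout):
        findings.append(f"FAIL: TCP {target.host}:{target.port} unreachable "
                        "(check DNS and the firewall between the Web Console Server and the DC)")
        return findings
    findings.append(f"OK: TCP {target.host}:{target.port} reachable")
    if target.encrypted:
        ok, detail = ldaps_certificate_ok(target, ca_file, timeout)
        findings.append(("OK: " if ok else "FAIL: ") + detail)
    return findings


if __name__ == "__main__":
    # Usage: python preflight.py ldaps://dc01.corp.example [ca-bundle.pem]
    bundle = sys.argv[2] if len(sys.argv) > 2 else None
    for line in preflight(sys.argv[1], bundle):
        print(line)
```

Run it from the Web Console Server itself, since that is the host whose path to the domain controller the firewall rule must cover; a FAIL on the TCP step points at DNS or the firewall, while a FAIL on the certificate step means the domain controller's certificate chain or name will not be accepted by the LDAPS client either. Against a read-only domain controller the check is identical, because RODC support only limits what the bind can write, not how the transport is secured.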
After an LDAP connection is properly established, the domain appears in two locations:
- Configuration > Console Users page, where you can create and configure additional ObserveIT Console Users that can administer ObserveIT, or that can be used to view recorded sessions.
- Configuration > Identification page, where you can configure users that are required to identify themselves with a secondary ObserveIT logon whenever they log on to any ObserveIT-monitored server.
The following topics describe how to: