
Active Directory

Audience: Application Admins

Content Summary: Immuta integrates with your enterprise Active Directory (AD) identity manager. Immuta can use AD for both authentication and authorization, or use AD only for authentication while keeping all user authorizations and groups in Immuta's built-in identity manager.

This page details the configuration options and an example configuration for AD. The exact integration will vary slightly with your AD configuration; contact your Immuta support professional for full details.

Configuration

The Active Directory identity manager is configured in the Identity and Access Management section of the Application Settings page. If the Immuta Support team has instructed you to add advanced configuration options, those options can be managed in the Advanced Configuration section of the Application Settings page:

  • displayName (string): The name of the IAM that will show in the Immuta UI.
  • type (string): The IAM type that is being configured. This value must be ldap for LDAP IAMs.
  • credentials (object): The credentials to use to connect to the LDAP interface. This is a service account; its password is stored in the configuration, so protect the configuration file accordingly.
    • bind_dn (string): The distinguished name to use to connect to the LDAP interface.
    • bind_pw (string): The password to use to connect to the LDAP interface.
  • supportedActions (array): See Supported Actions for details.
  • options (object): Configuration options for the identity manager.
    • useSSL (boolean): Whether to connect to the LDAP interface over SSL/TLS (LDAPS). When false, the bind password and user passwords are sent to the LDAP server in cleartext.
    • host (string): Hostname of the LDAP server.
    • port (number): Port of the LDAP interface (by convention 389 for plain LDAP and 636 for LDAPS).
    • userDNPattern (string): DN pattern that is used to directly log in users to the LDAP database. This pattern creates a DN string for "direct" user authentication. The pattern argument %s will be replaced with the username at run-time. This will work only if anonymous binding is allowed and a direct user DN can be used. Leaving this option empty will default to using the userSearchBase and userSearchFilter options.
    • userSearchBase (string): Context to use when searching for users.
    • userSearchFilter (string): Filter expression to be used for searching for users. The pattern argument %s will be replaced with the username at run-time. This value is typically sAMAccountName=%s.
    • groupSearchFilter (string): Filter expression to be used for searching for groups. This value is typically (&(objectClass=group)(cn=%s*)).
    • userGroupSearchFilter (string): Filter expression to be used for searching for groups that a user belongs to. The pattern argument <dn> will be replaced with the distinguished name, and <user> will be replaced with the username. This value is typically (member=<dn>).
  • schema (object): Attributes to be used to map LDAP attributes to Immuta users and groups.
    • profile (object): Attributes to be used to map LDAP users to Immuta user profiles. See Example Configuration for common attributes.
    • authorizations (object): Attributes to be used to map LDAP groups to Immuta authorizations.
    • groups (object): Attributes to be used to map LDAP groups to Immuta groups. See Example Configuration for common attributes.
  • defaultPermissions (array(string)): Default permissions to be given to users when they first log in. See Permissions for more information.
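The following added example, which is not Immuta's code, shows how the userSearchFilter, userGroupSearchFilter and userDNPattern templates described above are expanded at login time, and why the substituted username must be escaped: the typical value sAMAccountName=%s is an LDAP search filter, and an unescaped username containing ( ) * or \ would change what the filter matches. It also maps a directory entry onto the schema.profile fields from the configuration. The function names, the escaping helpers and the sample directory entry are assumptions constructed for this illustration; Immuta's own implementation may differ.

```python
# Added worked example, not Immuta's code: expand the userSearchFilter,
# userGroupSearchFilter and userDNPattern templates and map an LDAP entry onto
# the schema.profile fields. Function names and sample data are assumptions.

# RFC 4515 filter escaping: these characters would otherwise let a username
# such as "*)(objectClass=*" rewrite the search filter.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


_DN_SPECIAL = set(',+"\\<>;')


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514), for userDNPattern."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == " " and i in (0, last):
            out.append("\\ ")
        elif ch == "#" and i == 0:
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


def expand_user_search_filter(template: str, username: str) -> str:
    """Replace %s with the escaped username. The doc's typical value
    sAMAccountName=%s has no outer parentheses, so add them when missing."""
    expanded = template.replace("%s", escape_filter_value(username))
    return expanded if expanded.startswith("(") else f"({expanded})"


def expand_user_group_search_filter(template: str, user_dn: str, username: str) -> str:
    """Replace <dn> and <user>. The DN is a filter value here, so any
    backslash escapes it carries must be re-escaped for the filter."""
    return (template
            .replace("<dn>", escape_filter_value(user_dn))
            .replace("<user>", escape_filter_value(username)))


def expand_user_dn_pattern(pattern: str, username: str) -> str:
    """Build the direct-bind DN; a comma in the username must not add an RDN."""
    return pattern.replace("%s", escape_dn_value(username))


def map_profile(entry: dict, profile_schema: dict) -> dict:
    """Map an LDAP entry (attribute -> list of values) onto Immuta profile
    fields using a schema.profile mapping like the one in config.yml.
    Attributes absent from the entry are left out of the profile."""
    profile = {}
    for field, attribute in profile_schema.items():
        values = entry.get(attribute)
        if values:
            profile[field] = values[0]
    return profile


# Constructed sample directory entry, shaped like what an LDAP client returns.
SAMPLE_ENTRY = {
    "dn": ["CN=Alice Smith,OU=Users,DC=example,DC=com"],
    "cn": ["Alice Smith"],
    "mail": ["alice@example.com"],
    "title": ["Analyst"],
    "sAMAccountName": ["alice"],
}

# Subset of the schema.profile mapping from the example configuration.
PROFILE_SCHEMA = {"name": "cn", "email": "mail", "position": "title",
                  "phone": "telephoneNumber", "hdfsUser": "sAMAccountName"}

if __name__ == "__main__":
    print(expand_user_search_filter("sAMAccountName=%s", "alice"))
    print(expand_user_search_filter("sAMAccountName=%s", "*)(objectClass=*"))
    print(expand_user_group_search_filter("(member=<dn>)", SAMPLE_ENTRY["dn"][0], "alice"))
    print(expand_user_dn_pattern("cn=%s,ou=users,dc=example,dc=com", "alice,ou=admins"))
    print(map_profile(SAMPLE_ENTRY, PROFILE_SCHEMA))
```

The two escaping functions differ because a DN and a filter are different grammars: a DN value escapes commas and similar separators with a backslash, while a filter value hex-encodes parentheses, asterisks and backslashes. A DN that has already been DN-escaped therefore still needs filter escaping before it is substituted for <dn>.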

Example Configuration

config.yml:

plugins:
  activeDirectoryIAM:
    id: ad
    displayName: Active Directory
    plugin: ldap
    type: ldap
    credentials:
      # Service account used for the bind and for searches. The password is
      # stored in cleartext here; keep this file out of version control and
      # restrict who can read it. The value below is a placeholder.
      bind_dn: cn=bind_user,dc=example,dc=com
      bind_pw: secretbindpassword
    supportedActions: ['syncGroups']
    options:
      # false means cleartext LDAP on port 389: the bind password and user
      # passwords cross the network unencrypted. Use true with the LDAPS port
      # (636 by convention) anywhere outside an isolated test setup.
      useSSL: false
      host: ldap.example.com
      port: 389
      # Empty: users are located via userSearchBase/userSearchFilter rather
      # than bound directly with a DN built from the pattern.
      userDNPattern: ""
      userSearchBase: "dc=example,dc=com"
      userSearchFilter: "sAMAccountName=%s"
      groupSearchFilter: "(&(objectClass=group)(cn=%s*))"
      userGroupSearchFilter: "(member=<dn>)"
    schema:
      profile:
        name: cn
        email: mail
        phone: telephoneNumber
        location: physicalDeliveryOfficeName
        position: title
        about: description
        organization: company
        hdfsUser: sAMAccountName
      group:
        name: cn
        email: mail
        description: description
    defaultPermissions:
    - CREATE_DATA_SOURCE