Audience: Application Admins
Content Summary: Immuta integrates seamlessly with your enterprise Active Directory (AD) identity manager. Immuta can leverage your AD identity manager for authentication and authorizations or use AD only for authentication while maintaining all user authorizations and groups within Immuta's built-in identity manager.
This page details the configuration options and an example configuration for AD, the integration of which will vary slightly based on your exact AD configuration. Contact your Immuta support professional for full details.
The Active Directory identity manager is configured in the Identity and Access Management section of the Application Settings page, but if you have contacted the Immuta Support team and they have instructed you to add advanced configuration options, those options can be managed in the Advanced Configuration section of the Application Settings page:
displayName(string): The name of the IAM that will show in the Immuta UI.
type(string): The IAM type that is being configured. This value must be
ldapfor LDAP IAMs.
credentials(string): The credentials to use to connect to the LDAP interface.
bind_dn(string): The distinguished name to use to connect to the LDAP interface.
bind_pw(string): The password to use to connect to the LDAP interface.
supportedActions(array): See Supported Actions for details.
options(object): Configuration options for the identity manger.
userDNPattern(string): DN pattern that is used to directly log in users to the LDAP database. This pattern creates a DN string for "direct" user authentication. The pattern argument
%swill be replaced with the username at run-time. This will work only if anonymous binding is allowed and a direct user DN can be used. Leaving this option empty will default to using the
userSearchBase(string): Context to use when searching for users.
userSearchFilter(string): Filter expression to be used for searching for users. This value is typically
groupSearchFilter(string): Filter expression to be used for searching for groups. This value is typically
userGroupSearchFilter(string): Filter expression to be used for searching for groups that a user belongs to. The pattern argument
<dn>will be replaced with the distinguished name, and
<user>will be replaced with the username. This value is typically
schema(object): Attributes to be used to map LDAP attributes to Immuta users and groups.
profile(object): Attributes to be used to map LDAP users to Immuta user profiles. See Example Configuration for common attributes.
authorizations(object): Attributes to be used to LDAP groups to Immuta authorizations.
groups(object): Attributes to be used to map LDAP groups to Immuta groups. See Example Configuration for common attributes.
defaultPermissions(array(string)): Default permissions to be given to users when they first log in. See Permissions for more information.
plugins: activeDirectoryIAM: id: ad displayName: Active Directory plugin: ldap type: ldap credentials: bind_dn: cn=bind_user,dc=example,dc=com bind_pw: secretbindpassword supportedActions: ['syncGroups'] options: useSSL: false, host: ldap.example.com port: 389 userDNPattern: "" userSearchBase: "dc=company,dc=com" userSearchFilter: "sAMAccountName=%s" groupSearchFilter: "(&(objectClass=group)(cn=%s*))" userGroupSearchFilter: "(member=<dn>)" schema: profile: name: cn email: mail phone: telephoneNumber location: physicalDeliveryOfficeName position: title about: description organization: company hdfsUser: sAMAccountName group: name: cn email: mail description: description defaultPermissions: - CREATE_DATA_SOURCE