Users synchronization
User is one of the fundamental data model entities. Only defined users are allowed to connect to monitored servers. Wheel Fudo PAM features an automatic user synchronization service which enables importing user information from Active Directory servers.
New user definitions and changes in existing objects are imported from the directory service every 5 minutes. Deleting a user object from an AD or an LDAP server requires performing the full synchronization to reflect those changes on Wheel Fudo PAM. The full synchronization process is triggered automatically once a day at 00:00, or can be triggered manually.
Note
Users imported from the catalog service cannot be edited. To edit a user definition imported from an LDAP or an AD server, disable the Synchronize with LDAP option for the given user.
Configuring users synchronization service
To enable the user synchronization feature, proceed as follows.
- Select > .
- Select Enabled.
- Select the data source type from the Server type drop-down list.
- Provide the user authentication information used to access user data on the given server.
- Enter the domain name to which the imported user definitions belong.
- In the Base user field, provide the base DN of the directory subtree where user definitions are stored (e.g. DC=tech,DC=whl).
- In the Base group field, provide the base DN of the directory subtree where group definitions are stored (e.g. DC=tech,DC=whl).
Note
The DN parameter must not contain any white space characters.
- Define the filter selecting the user records that are subject to synchronization.
- Define the filter selecting the user groups that are subject to synchronization.
- In the Servers section, provide the directory server’s IP address and port number.
Note
Click . to add more directory servers.
- Select the Page LDAP results option to enable paging.
- Select the Encrypted connection option to enable encryption.
- Define user information mapping.
Note
Field mapping enables importing user information from nonstandard attributes, e.g. a telephone number stored in an attribute named mobile instead of the standard telephoneNumber.
- Click . to add users group mapping.
- Type in user group and select desired entry.
- Assign safes to user groups.
- Assign external authentication sources to user groups.
Note
External authentication sources are assigned to users in the exact sequence in which they are defined in the group mappings. Thus, if the same user is present in more than one group, Wheel Fudo PAM authenticates the user against the external authentication sources starting with those defined in the first group mapping.
For example:
A user is assigned to groups A and B. Group B is mapped to Safe RDP and has the CERB and Radius authentication sources assigned. Group A is second in order; it is mapped to Safe SSH and has the AD authentication source assigned.
When authenticating the user, Wheel Fudo PAM sends requests to the external authentication sources in the following order:
- CERB.
- Radius.
- AD.
- Click .
Note
The
option enables processing changes in directory structures which cannot be processed during periodic synchronization, e.g. deleting a defined group or deleting a user. The full synchronization process is triggered automatically once a day at 00:00, or can be triggered manually.
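The following script models the settings configured in the procedure above (base DNs without white space, the user field mapping, and the group mappings with their safes and external authentication sources) and reproduces the ordering rule from the note: a user in groups A and B, with B mapped first, is authenticated against CERB, Radius and then AD. It is an added example, not Wheel Fudo PAM code; the class names, the default attribute map, the directory entry and the rule that a source already in the list is not repeated are all assumptions of this example.

```python
"""Model of the synchronization settings described on this page.  This is an
added example, not Wheel Fudo PAM code: SyncConfig, GroupMapping, the
attribute map and the sample directory entry are all constructed here."""
from dataclasses import dataclass, field

# Assumed default LDAP attribute for each imported user field; the
# "Define user information mapping" step lets an operator override these.
DEFAULT_ATTRIBUTE_MAP = {
    "login": "sAMAccountName",
    "full_name": "displayName",
    "email": "mail",
    "phone": "telephoneNumber",
}


def validate_dn(dn: str) -> str:
    """Apply the note's rule: a base DN must be non-empty and free of white space."""
    if not dn:
        raise ValueError("DN must not be empty")
    if any(ch.isspace() for ch in dn):
        raise ValueError(f"DN must not contain white space: {dn!r}")
    return dn


@dataclass
class GroupMapping:
    ldap_group: str          # directory group the mapping applies to
    safes: list              # safes granted to members of that group
    auth_sources: list       # external authentication sources, in order


@dataclass
class SyncConfig:
    base_user: str
    base_group: str
    attribute_map: dict = field(default_factory=lambda: dict(DEFAULT_ATTRIBUTE_MAP))
    group_mappings: list = field(default_factory=list)

    def __post_init__(self) -> None:
        # Both base DNs are checked when the configuration is built.
        validate_dn(self.base_user)
        validate_dn(self.base_group)


def map_user(entry: dict, attribute_map: dict) -> dict:
    """Build the imported user record from a raw directory entry via the mapping."""
    return {name: entry.get(attr) for name, attr in attribute_map.items()}


def auth_source_order(user_groups, mappings) -> list:
    """Order in which external sources are tried: mappings are walked in the
    order they were defined and each mapped group the user belongs to appends
    its sources.  Skipping a source already listed is this example's assumption."""
    order = []
    for mapping in mappings:
        if mapping.ldap_group in user_groups:
            for src in mapping.auth_sources:
                if src not in order:
                    order.append(src)
    return order


def safes_for(user_groups, mappings) -> list:
    """Safes from every mapped group the user belongs to, in mapping order."""
    safes = []
    for mapping in mappings:
        if mapping.ldap_group in user_groups:
            safes.extend(s for s in mapping.safes if s not in safes)
    return safes


# Constructed configuration reproducing the page's example: group B is mapped
# first, group A second; the phone field is remapped to the nonstandard "mobile".
EXAMPLE_CONFIG = SyncConfig(
    base_user="DC=tech,DC=whl",
    base_group="DC=tech,DC=whl",
    attribute_map={**DEFAULT_ATTRIBUTE_MAP, "phone": "mobile"},
    group_mappings=[
        GroupMapping("B", ["Safe RDP"], ["CERB", "Radius"]),
        GroupMapping("A", ["Safe SSH"], ["AD"]),
    ],
)

# Constructed directory entry; the phone number lives in "mobile", not telephoneNumber.
SAMPLE_ENTRY = {
    "sAMAccountName": "jdoe",
    "displayName": "Jane Doe",
    "mail": "jdoe@tech.whl",
    "mobile": "+48 600 000 000",
    "memberOf": ["A", "B"],
}

if __name__ == "__main__":
    groups = set(SAMPLE_ENTRY["memberOf"])
    print(map_user(SAMPLE_ENTRY, EXAMPLE_CONFIG.attribute_map))
    print("safes:", safes_for(groups, EXAMPLE_CONFIG.group_mappings))
    print("auth order:", auth_source_order(groups, EXAMPLE_CONFIG.group_mappings))
```

Swapping the order of the two GroupMapping entries in EXAMPLE_CONFIG changes the result of auth_source_order to AD, CERB, Radius, which is the behaviour the note warns about when a user belongs to several mapped groups; with the default attribute map the phone field comes back empty, because the entry carries the number only in mobile.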
Related topics: