Configuring Member Sources

Describes how to configure Member Sources.

Configure the Member Sources based on the source type, as shown in the following table.

Source Type      | Steps to Create Member Source
Active Directory | Configuring Active Directory Member Source
File             | Configuring File Member Source
LDAP             | Configuring LDAP Member Source
POSIX            | Configuring POSIX Member Source
Azure AD         | Configuring Azure AD Member Source
Database         | Configuring Database Member Source

1 - Configuring Active Directory Member Source

You use the Active Directory type external source to retrieve information on users and user groups from an Active Directory. The Active Directory organizes corporate information on users, machines, and networks in a structural database.

To create an Active Directory member source:

  1. On the ESA Web UI, navigate to Policy Management > Roles & Member Source > Member Sources.

  2. Click Add New Member Source.

    The New Member Source screen appears.

  3. Enter a unique name for the Active Directory member source in the Name text box.

  4. Type the description in the Description textbox.

  5. Select Active Directory from the Source Type drop-down list.

    The Active Directory Member Source screen appears.

  6. Enter the information in the directory fields.

    The following table describes the directory fields for Active Directory member sources.

    Field Name       | Description
    Host             | The Fully Qualified Domain Name (FQDN) or IP address of the directory server.
    Port             | The network port on the directory server where the service is listening.
    TLS Options      | - Use TLS: can be enabled to create secure communication to the directory server.
                     | - Use LDAPS: can be enabled to create secure communication to the directory server. LDAPS uses TLS/SSL as the transmission protocol.
                     | Note: The LDAPS option depends on the TLS option. If Use TLS is not selected, Use LDAPS is not available for selection.
    Recursive Search | Can be enabled to search the user groups in the Active Directory recursively. For example, consider a user group U1 with members User1, User2, and Group1, and Group1 with members User3 and User4. If you list the members of U1 with recursive search enabled, the result displays User1, User2, User3, and User4.
    Base DN          | The base distinguished name where users can be found in the directory.
    Username         | The username of the account that binds to the Active Directory server.
    Password/Secret  | The password of the user binding to the directory server.

  7. Click Save.

The message "Member Source has been created successfully" appears.
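The Recursive Search option described in the table above expands nested groups into a flat list of users. The following is an added example, not Protegrity code: it walks a constructed in-memory directory instead of a live Active Directory, and treats any member whose name is also a key of that directory as a nested group (an assumption made for the example). It adds one thing the documentation's U1/Group1 example does not show: a membership cycle, which a recursive search has to guard against.

```python
"""Recursive group expansion as described for the Recursive Search option.

Added example (not Protegrity code). It walks a constructed in-memory
directory instead of a live Active Directory; any member whose name is also
a key of the directory is treated as a nested group (assumption).
"""
from __future__ import annotations

# Constructed directory: group -> its direct members (users or groups).
# U1 and Group1 mirror the documentation's example; Group2 is added so the
# walk must cope with a membership cycle (Group1 -> Group2 -> Group1).
DIRECTORY: dict[str, list[str]] = {
    "U1": ["User1", "User2", "Group1"],
    "Group1": ["User3", "User4", "Group2"],
    "Group2": ["User5", "Group1"],
}


def list_members(group: str,
                 directory: dict[str, list[str]] = DIRECTORY,
                 recursive: bool = False) -> list[str]:
    """Return the members of `group`.

    recursive=False returns the direct members exactly as stored, nested
    group names included (assumption about non-recursive behaviour).
    recursive=True returns every user reachable through nested groups, in
    first-seen order, with each nested group expanded at most once so a
    cycle cannot loop forever.
    """
    direct = directory.get(group, [])
    if not recursive:
        return list(direct)

    users: list[str] = []
    seen_groups = {group}           # groups already expanded (cycle guard)
    stack = list(reversed(direct))  # reversed so pops preserve listed order
    while stack:
        member = stack.pop()
        if member in directory:     # nested group
            if member in seen_groups:
                continue
            seen_groups.add(member)
            stack.extend(reversed(directory[member]))
        elif member not in users:   # a user, reported once
            users.append(member)
    return users


if __name__ == "__main__":
    print("U1 direct:   ", list_members("U1"))
    print("U1 recursive:", list_members("U1", recursive=True))
```

Without the `seen_groups` guard the Group1/Group2 cycle would never terminate; with it, each group is expanded once and every user is reported once, which is the result a recursive search is expected to return.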

2 - Configuring File Member Source

You use the File type to obtain users or user groups from a text file. These text files reference individual members and groups of members.

In Policy Management, exampleusers.txt and examplegroups.txt are sample member source files that contain a list of users or groups respectively. These files are available on the ESA Web UI. You can edit them to add multiple user names or user groups. You can also create a File Member Source by adding a custom file.

The examplegroups.txt file has the following format.

[Examplegroups]
<groupusername1>
<groupusername2>
<groupusername3>

Note: Ensure that the file has read permission set for Others.

Important: The exampleusers.txt and examplegroups.txt files do not support Unicode characters (characters written with the \U prefix).
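The format above, together with the two constraints just stated (the file must be readable by Others, and Unicode characters are not supported), is enough to check a file before uploading it. The following is an added example, not Protegrity code. It assumes the layout shown above (a bracketed section header followed by one member name per line) and that blank lines carry no meaning; the sample content is constructed for the example.

```python
"""Parser and pre-upload checks for the file member source format.

Added example, not Protegrity code. It assumes the layout shown above
(a bracketed section header followed by one member name per line), that
blank lines may be skipped, and it enforces the two documented constraints:
the file must be readable by Others, and Unicode characters are not
supported, so any non-ASCII member name is reported as an error.
"""
from __future__ import annotations

import os
import stat

# Constructed sample in the examplegroups.txt layout (not a real file).
SAMPLE_GROUP_FILE = """[Examplegroups]
finance_admins
hr_readers
"""


def parse_member_file(text: str) -> dict[str, list[str]]:
    """Return {section: [member, ...]} for a user or group file.

    Raises ValueError for a member line before any [section] header, for a
    duplicate section header, and for a member name containing non-ASCII
    (Unicode) characters, which the documented format does not support.
    """
    sections: dict[str, list[str]] = {}
    current: str | None = None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue  # assumption: blank lines carry no meaning
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            if current in sections:
                raise ValueError(f"line {lineno}: duplicate section [{current}]")
            sections[current] = []
            continue
        if current is None:
            raise ValueError(f"line {lineno}: member before any [section] header")
        if not line.isascii():
            raise ValueError(
                f"line {lineno}: {line!r} contains Unicode characters, "
                "which the member source file format does not support")
        sections[current].append(line)
    return sections


def others_can_read(path: str) -> bool:
    """True when the file's mode grants read permission to Others (o+r)."""
    mode = os.stat(path).st_mode
    return bool(mode & stat.S_IROTH)


def check_member_file(path: str) -> list[str]:
    """Return the problems that would stop the file from being usable."""
    problems: list[str] = []
    if not others_can_read(path):
        problems.append("file is not readable by Others (chmod o+r)")
    with open(path, encoding="utf-8", errors="replace") as fh:
        try:
            parse_member_file(fh.read())
        except ValueError as exc:
            problems.append(str(exc))
    return problems


if __name__ == "__main__":
    print(parse_member_file(SAMPLE_GROUP_FILE))
```

Run `check_member_file("/path/to/examplegroups.txt")` on a Linux host; an empty list means the file parses and carries the read bit for Others that the Note above requires.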

Viewing the List of Users and Groups in the Sample Files

This section describes the steps to view the list of users and groups in the sample files.

To view list of users and groups in the sample files:

  1. On the ESA Web UI, navigate to Settings > Systems > Files.

  2. Click View, corresponding to exampleusers.txt or examplegroups.txt under Policy Management-Member Source Service User Files and Policy Management-Member Source Service Group Files respectively.

The list of users in the exampleusers.txt file or of groups in the examplegroups.txt file appears.

Creating File Member Source

This section describes the procedure on how to create a file member source.

To create file member source:

  1. On the ESA Web UI, navigate to Policy Management > Roles & Member Source > Member Sources.

  2. Click Add New Member Source.

    The New Member Source screen appears.

  3. Enter a unique name of the file member source in the Name textbox.

  4. Type the description in the Description textbox.

  5. Select File from the Source Type drop-down list.

  6. Select Upload file from the User File drop-down list.

  7. Click the Browse.. icon to open the file browser.

  8. Select the user file.

  9. Click the Upload File icon.

    The message "User File has been uploaded successfully" appears.

  10. Select Upload file from the Group File drop-down list.

  11. Click the Browse.. icon to open the file browser.

  12. Select the group file.

  13. Click the Upload File icon.

    The message "Group File has been uploaded successfully" appears.

  14. Click Save.

The message "Member Source has been created successfully" appears.

3 - Configuring LDAP Member Source

You use the Lightweight Directory Access Protocol (LDAP) type user source to retrieve information on users and user groups from an LDAP server. The LDAP server provides user and directory services over an IP network and provides web services for Application Protector.

To create an LDAP member source:

  1. On the ESA Web UI, navigate to Policy Management > Roles & Member Source > Member Sources.

  2. Click Add New Member Source.

    The New Member Source screen appears.

  3. Enter a unique name for the LDAP member source in the Name text box.

  4. Type the description in the Description textbox.

  5. Select LDAP from the Source Type drop-down list.

    The LDAP Member Source screen appears.

  6. Enter the information in the LDAP member source fields.

    The following table describes the directory fields for LDAP member sources.

    Field Name              | Description
    Host                    | The Fully Qualified Domain Name (FQDN) or IP address of the directory server.
    Port                    | The network port on the directory server where the service is listening.
    Use TLS                 | Enable TLS to create a secure communication to the directory server. LDAPS is deprecated and no longer supported; TLS is the only supported protocol.
    User Base DN            | The base distinguished name where users can be found in the directory. It is used as the user search criterion in the directory.
    Group Base DN           | The base distinguished name where groups can be found in the directory. It is used as the group search criterion in the directory.
    User Attribute          | The Relative Distinguished Name (RDN) attribute of the user distinguished name.
    Group Attribute         | The RDN attribute of the group distinguished name.
    User Object Class       | The object class of entries where user objects are stored. Results of a directory search for users are filtered using this object class.
    Group Object Class      | The object class of entries where group objects are stored. Results of a directory search for groups are filtered using this object class.
    User Login Attribute    | The attribute intended for authentication or login.
    Group Members Attribute | The attribute that enumerates members of the group.
    Group Member is DN      | Whether members are listed by their fully qualified name (their distinguished name) or, as with the POSIX schema, by the value of a user attribute such as cn.
    Timeout                 | The time to wait for a response from the directory server.
    Bind DN                 | The DN of a user that has read access (rights to query the directory).
    Password/Secret         | The password of the user binding to the directory server.

    Parsing users from a DN instead of querying the LDAP server: By default, a user is not resolved by querying the external LDAP server. Instead, the user is resolved by parsing the User Login Attribute from the Distinguished Name that was initially retrieved by the Member Source Service. This option applies only if the Group Member is DN option is enabled while configuring the Member Source. In this case, the members must be listed using their fully qualified name, such as their Distinguished Name. If the ESA is unable to parse the DN, or the DN is not available in the specified format, the user is resolved by querying the external LDAP server.

  7. Click Save.

The message "Member Source has been created successfully" appears.
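The "Parsing users from a DN" behaviour described in the LDAP table can be modelled end to end: extract the User Login Attribute value from each member DN, and fall back to querying the server only when the DN is unparsable or does not carry that attribute. The following is an added example, not Protegrity code. The "server" is a constructed in-memory lookup table standing in for a live directory, and the DN splitter handles RFC 4514 backslash escapes only (multi-valued RDNs joined with `+` are not handled).

```python
"""Resolving a group member's login from its DN, with fallback to a query.

Added example, not Protegrity code. It models the behaviour described
above: when Group Member is DN is enabled, the User Login Attribute value
is parsed out of the member DN; if the DN cannot be parsed or does not
carry that attribute, the member is resolved by querying the LDAP server.
The "server" here is a constructed in-memory lookup table, not a live
directory, and the DN splitter handles RFC 4514 backslash escapes only
(multi-valued RDNs joined with '+' are not handled).
"""
from __future__ import annotations

from typing import Optional

# Constructed stand-in for the external LDAP server: DN -> login value.
SERVER_LOOKUP: dict[str, str] = {
    "cn=Jane Roe,ou=People,dc=example,dc=com": "jroe",
}


def split_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, honouring backslash escapes.

    Attribute names are lower-cased for comparison. Raises ValueError when
    a component has no '=' or the DN is empty.
    """
    pairs: list[tuple[str, str]] = []
    buf: list[str] = []
    i = 0
    while i <= len(dn):
        at_end = i == len(dn)
        ch = "" if at_end else dn[i]
        if not at_end and ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])  # escaped character taken literally
            i += 2
            continue
        if at_end or ch == ",":
            component = "".join(buf).strip()
            buf = []
            if "=" not in component:
                raise ValueError(f"malformed DN component {component!r}")
            attr, value = component.split("=", 1)
            pairs.append((attr.strip().lower(), value.strip()))
        else:
            buf.append(ch)
        i += 1
    return pairs


def login_from_dn(dn: str, login_attr: str) -> Optional[str]:
    """Return the login attribute value parsed from `dn`, or None when the
    DN is unparsable or does not contain that attribute."""
    try:
        pairs = split_dn(dn)
    except ValueError:
        return None
    for attr, value in pairs:
        if attr == login_attr.lower():
            return value
    return None


def resolve_member(dn: str, login_attr: str,
                   server: dict[str, str] = SERVER_LOOKUP) -> tuple[Optional[str], str]:
    """Resolve a member DN to a login, returning (login, how).

    `how` is "dn" when the value came from parsing, "server" when the
    fallback lookup supplied it, and "unresolved" when neither did.
    """
    login = login_from_dn(dn, login_attr)
    if login is not None:
        return login, "dn"
    login = server.get(dn)
    if login is not None:
        return login, "server"
    return None, "unresolved"


if __name__ == "__main__":
    for member in ("uid=jdoe,ou=People,dc=example,dc=com",
                   "cn=Jane Roe,ou=People,dc=example,dc=com"):
        print(member, "->", resolve_member(member, "uid"))
```

The `how` value is worth logging in a real deployment: a sudden rise in "server" resolutions means members are arriving in a DN format the parser does not recognise, which is exactly the fallback case the note above describes.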

4 - Configuring POSIX Member Source

You use Posix LDAP to retrieve information on users and user groups from an internal LDAP Server that uses the Posix schema.

You can retrieve users and user groups from any external LDAP and Posix LDAP. The internal LDAP available on ESA uses the Posix schema. Thus, when using ESA, it is recommended to use Posix LDAP to configure the connection with the internal ESA LDAP.

To create a Posix LDAP member source:

  1. On the ESA Web UI, navigate to Policy Management > Roles & Member Source > Member Sources.

  2. Click Add New Member Source.

    The New Member Source screen appears.

  3. Enter a unique name for the Posix LDAP member source in the Name text box.

  4. Type the description in the Description textbox.

  5. Select Posix LDAP from the Source Type drop-down list.

    The Posix LDAP Member Source screen appears.

  6. Enter the information in the directory fields.

    The following table describes the directory fields for Posix LDAP member sources.

    Field Name      | Description
    Host            | The Fully Qualified Domain Name (FQDN) or IP address of the directory server.
    Port            | The network port on the directory server where the service is listening.
    Use TLS         | TLS can be enabled to create a secure communication to the directory server.
    Base DN         | The base distinguished name where users can be found in the directory.
    Username        | The username of the account that binds to the Posix LDAP server.
    Password/Secret | The password of the user binding to the directory server.

  7. Click Save.

The message "Member Source has been created successfully" appears.

5 - Configuring Azure AD Member Source

You use the Azure AD type external source to retrieve information for users and user groups from an Azure AD. The Azure AD organizes corporate information on users, machines, and networks in a structural database.

To create an Azure AD member source:

  1. On the ESA Web UI, navigate to Policy Management > Roles & Member Sources > Member Sources.

  2. Click Add New Member Source.

    The New Member Source screen appears.

  3. Enter a unique name of the Azure AD member source in the Name textbox.

  4. Type the description in the Description textbox.

  5. Select Azure AD from the Source Type drop-down list.

    The Azure AD Member Source screen appears.

  6. Enter the information in the directory fields.

    The following table describes the directory fields for Azure Active Directory member sources.

    Field Name              | Description
    Recursive Search        | Can be enabled to search the user groups in the Azure AD recursively.
    Tenant ID               | The unique identifier of the Azure AD instance.
    Client ID               | The unique identifier of an application created in Azure AD.
    User Attribute          | The Relative Distinguished Name (RDN) attribute of the user distinguished name. The following user attributes are available:
                            | - displayName - The name displayed in the address book for the user.
                            | - userPrincipalName - The user principal name (UPN) of the user.
                            | - givenName - The given name (first name) of the user.
                            | - employeeId - The employee identifier assigned to the user by the organization.
                            | - id - The unique identifier for the user.
                            | - mail - The SMTP address for the user.
                            | - onPremisesDistinguishedName - Contains the on-premises Active Directory distinguished name (DN).
                            | - onPremisesDomainName - Contains the on-premises domain FQDN, also called dnsDomainName, synchronized from the on-premises directory.
                            | - onPremisesSamAccountName - Contains the on-premises samAccountName synchronized from the on-premises directory.
                            | - onPremisesSecurityIdentifier - Contains the on-premises security identifier (SID) for the user that was synchronized from the on-premises setup to the cloud.
                            | - onPremisesUserPrincipalName - Contains the on-premises userPrincipalName synchronized from the on-premises directory.
                            | - securityIdentifier - Security identifier (SID) of the user, used in Windows scenarios.
    Group Attribute         | The RDN attribute of the group distinguished name. The following group attributes are available:
                            | - displayName - The display name for the group.
                            | - id - The unique identifier for the group.
                            | - mail - The SMTP address for the group.
                            | - onPremisesSamAccountName - Contains the on-premises SAM account name synchronized from the on-premises directory.
                            | - onPremisesSecurityIdentifier - Contains the on-premises security identifier (SID) for the group that was synchronized from the on-premises setup to the cloud.
                            | - securityIdentifier - Security identifier of the group, used in Windows scenarios.
    Group Members Attribute | The attribute that enumerates members of the group.
                            | Note: Select the same attribute here as for the User Attribute.
                            | The following group members attributes are available:
                            | - displayName - The name displayed in the address book for the user.
                            | - userPrincipalName - The user principal name (UPN) of the user.
                            | - givenName - The given name, or first name, of the user.
                            | - employeeId - The employee identifier assigned to the user by the organization.
                            | - id - The unique identifier for the user.
                            | - mail - The SMTP address for the user.
                            | - onPremisesDistinguishedName - Contains the on-premises Active Directory distinguished name (DN).
                            | - onPremisesDomainName - Contains the on-premises domain FQDN, also called dnsDomainName, synchronized from the on-premises directory.
                            | - onPremisesSamAccountName - Contains the on-premises samAccountName synchronized from the on-premises directory.
                            | - onPremisesSecurityIdentifier - Contains the on-premises security identifier (SID) for the user that was synchronized from the on-premises setup to the cloud.
                            | - onPremisesUserPrincipalName - Contains the on-premises userPrincipalName synchronized from the on-premises directory.
                            | - securityIdentifier - Security identifier (SID) of the user, used in Windows scenarios.
    Password/Secret         | The client secret, which is the password/secret of the Azure AD application.

  7. Click Save.

The message "Member Source has been created successfully" appears.
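The Note in the Azure AD table, that the Group Members Attribute must be the same as the User Attribute, is easy to get wrong silently: the two attributes act as the join key between a group's enumerated members and the user objects. The following is an added example, not Protegrity code; it interprets the note as that join-key requirement (an assumption) and runs the join over constructed records shaped loosely like Azure AD user objects, not real tenant data, to show what a mismatch looks like.

```python
"""Why the Group Members Attribute must match the User Attribute.

Added example, not Protegrity code. It joins a group's enumerated members
to user objects on the selected attributes, over constructed records shaped
loosely like Azure AD user objects (assumption; not real tenant data).
"""
from __future__ import annotations

# Constructed users carrying some of the attributes listed in the table.
USERS: list[dict[str, str]] = [
    {"id": "0001", "userPrincipalName": "alice@example.test",
     "mail": "alice@example.test", "displayName": "Alice Example"},
    {"id": "0002", "userPrincipalName": "bob@example.test",
     "mail": "bob.smith@example.test", "displayName": "Bob Smith"},
]

# Constructed group membership, keyed by the attribute used to enumerate it.
GROUP_MEMBERS: dict[str, list[str]] = {
    "userPrincipalName": ["alice@example.test", "bob@example.test"],
    "mail": ["alice@example.test", "bob.smith@example.test"],
    "id": ["0001", "0002"],
}


def match_members(user_attr: str, group_members_attr: str,
                  users: list[dict[str, str]] = USERS,
                  group: dict[str, list[str]] = GROUP_MEMBERS,
                  ) -> tuple[list[str], list[str]]:
    """Return (matched user ids, unmatched member values).

    Member values enumerated with `group_members_attr` are compared against
    each user's `user_attr`. The comparison is only meaningful when both
    name the same attribute, which is the documented requirement.
    """
    index = {u[user_attr].lower(): u["id"] for u in users if user_attr in u}
    matched: list[str] = []
    unmatched: list[str] = []
    for value in group.get(group_members_attr, []):
        uid = index.get(value.lower())
        if uid is None:
            unmatched.append(value)
        else:
            matched.append(uid)
    return matched, unmatched


if __name__ == "__main__":
    print("same attribute:     ", match_members("userPrincipalName", "userPrincipalName"))
    print("mismatched (partial):", match_members("mail", "userPrincipalName"))
    print("mismatched (none):   ", match_members("id", "userPrincipalName"))
```

The partial case is the dangerous one: Alice's UPN happens to equal her mail address, so she is matched, while Bob is silently dropped from the group. Checking that `unmatched` is empty after a sync is a cheap way to catch the misconfiguration.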

6 - Configuring Database Member Source

This section explains the process to configure a Database Member Source.

You use the Database type to obtain users from a database such as SQL Server, Teradata, DB2, PostgreSQL, or Oracle. An ODBC connection to the database must be set up to retrieve user information.

The following table describes the connection variable settings for the databases supported in Policy Management.

Database Type | Connection Variable
SQLSERVER     | System DSN Name (ODBC). For example, SQLSERVER_DSN.
TERADATA      | System DSN Name (ODBC). For example, TD_DSN.
ORACLE        | Transparent Network Substrate Name (TNSNAME).
DB2           | System DSN Name (ODBC). For example, DB2DSN.
POSTGRESQL    | System DSN Name. For example, POSTGRES.

Creating Database Member Source

This section describes the procedure on how to create a database member source.

To create a Database Member Source:

  1. On the ESA Web UI, navigate to Policy Management > Roles & Member Source > Member Sources.

  2. Click Add New Member Source.

    The New Member Source screen appears.

  3. Enter a unique name for the database member source in the Name text box.

  4. Type the description in the Description text box.

  5. Select Database from the Source Type drop-down list.

  6. Select one of the following databases from the Source drop-down list.

    • Teradata
    • Oracle
    • SQL Server
    • DB2
    • PostgreSQL
  7. To enable the usage of a custom data source name, switch the Use Custom DSN toggle.

    1. Enter the custom data source name in the DSN text box.
    2. Ensure that the specified DSN is present in the odbc.ini configuration file located in the /opt/protegrity/mbs/conf/ directory.
  8. If you are selecting the Oracle database as the source database, then enter the service name in the Service Name text box.

    Note: This step is applicable for the Oracle database only.

  9. If you are not using a custom DSN, perform the following steps.

    1. Enter the database name in the Database text box.

    2. Enter the host name in the Host text box.

    3. Enter the port to connect to the database in the Port text box.

  10. Enter the username in the Username text box.

  11. Enter the password in the Password text box.

  12. Click Save.

The message Member Source has been created successfully appears.