LDAP Sync

LDAP Sync imports an existing corporate Active Directory or POSIX LDAP structure into the Conjur environment.

Overview

LDAP Sync extracts users and groups from an existing, standard LDAP directory server. It prepares required Conjur policy that incorporates the extracted users and groups into the Conjur policy infrastructure. After loading the generated policy, Conjur administrators can assign privileges to the users and groups to access Conjur resources.

A synchronization recognizes and assimilates LDAP naming conventions. It retains hierarchical information about groups and members in the LDAP source.

LDAP Sync is a one-way process with a read-only connection to the LDAP server. Conjur-based directory-management functions and modifications have no effect on the original LDAP database or user information. However, changes or adjustments to the original LDAP naming model are integrated into the Conjur environment with each new synchronization.

How it works

Conjur initiates a secure connection to the LDAP directory. The connection functions as an Authentication Proxy for LDAP communication.

Synchronization uses a filtering mechanism to search for the user and group accounts to extract.

An interactive user interface provides a what-if scenario preview for testing your connection information and trying different filters. The interface displays the results of your search criteria, letting you verify the results before saving the configuration. The configuration values are saved in Conjur policy.

A Conjur command-line command runs the synchronization and subsequent resynchronizations. Because the configuration values are stored in policy, the initial synchronization and all ad-hoc and scheduled resynchronizations are guaranteed to use exactly the same connection and filter settings. You can change the configuration if needed.

The synchronization command generates complete Conjur policy defining users and groups. The generated policy is ready as is to be loaded into Conjur.

We recommend that you schedule resynchronizations on a regular basis to keep Conjur user accounts aligned with your LDAP Directory. You can use an API for standard schedulers such as Cron or RunDeck, or use a periodic Jenkins job.

Policy generators

LDAP Sync creates valid Conjur policy based on your configurations. There are two policy generators involved in LDAP Sync.

Generator: Configuration annotations

Purpose: This generator collects the configuration values that you enter in the LDAP wizard on the Conjur UI. It inserts the information from the UI into an existing Conjur policy. The insertions are annotations to a predefined resource.

The annotations are inserted directly into the Conjur database. This generator does not have access to your policy .yml files and does not update or create any .yml file.

Generator: User and group accounts

Purpose: This generator creates a .yml file of valid Conjur policy. The policy declares users and groups imported from the LDAP directory. You can review the generated policy and, if you approve it, load it into Conjur.
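To make the user-and-group generator concrete, here is an added illustration (not CyberArk's LDAP Sync code) that takes constructed LDAP search results, applies an assumed objectClass filter for people and groups, and renders Conjur user, group and grant declarations that preserve the nesting of groups found in the directory. The attribute names, filters, entries and output layout are assumptions made for this example; a member DN that does not match either filter is reported rather than silently dropped, so a reviewer can see what the sync left out before loading the policy.

```python
"""Added illustration of a user/group policy generator (not CyberArk's code). Constructed
LDAP results are filtered by an assumed objectClass and rendered as Conjur policy."""

# Constructed entries standing in for a filtered LDAP search result.
LDAP_ENTRIES = [
    {"dn": "uid=alice,ou=people,dc=example,dc=com", "objectClass": "inetOrgPerson", "uid": "alice"},
    {"dn": "uid=bob,ou=people,dc=example,dc=com", "objectClass": "inetOrgPerson", "uid": "bob"},
    {"dn": "cn=devs,ou=groups,dc=example,dc=com", "objectClass": "groupOfNames", "cn": "devs",
     "member": ["uid=alice,ou=people,dc=example,dc=com", "uid=bob,ou=people,dc=example,dc=com"]},
    {"dn": "cn=engineering,ou=groups,dc=example,dc=com", "objectClass": "groupOfNames",
     "cn": "engineering", "member": ["cn=devs,ou=groups,dc=example,dc=com",       # nested group
                                     "cn=contractors,ou=ext,dc=example,dc=com"]},  # not synced
    {"dn": "cn=svc-build,ou=services,dc=example,dc=com", "objectClass": "device", "cn": "svc-build"},
]
USER_FILTER = {"objectClass": "inetOrgPerson"}   # assumed filter for people
GROUP_FILTER = {"objectClass": "groupOfNames"}   # assumed filter for groups


def matches(entry, flt):
    return all(entry.get(k) == v for k, v in flt.items())


def build_model(entries):
    """Map DNs to Conjur names and resolve members; unresolved member DNs are reported."""
    users = {e["dn"]: e["uid"] for e in entries if matches(e, USER_FILTER)}
    groups = {e["dn"]: e["cn"] for e in entries if matches(e, GROUP_FILTER)}
    grants, skipped = {}, []
    for e in entries:
        if e["dn"] not in groups:
            continue
        members = []
        for m in e.get("member", []):
            if m in users:
                members.append(("user", users[m]))
            elif m in groups:
                members.append(("group", groups[m]))   # nested group keeps the hierarchy
            else:
                skipped.append((groups[e["dn"]], m))   # outside the filtered set: report, don't guess
        grants[groups[e["dn"]]] = members
    return users, groups, grants, skipped


def render_policy(entries):
    """Render the model as Conjur policy YAML: users, groups, then grants."""
    users, groups, grants, _ = build_model(entries)
    lines = [f"- !user {n}" for n in sorted(users.values())]
    lines += [f"- !group {n}" for n in sorted(groups.values())]
    for gname in sorted(grants):
        if grants[gname]:
            lines += ["- !grant", f"  role: !group {gname}", "  members:"]
            lines += [f"    - !{kind} {name}" for kind, name in grants[gname]]
    return "\n".join(lines) + "\n"
```

Calling `render_policy(LDAP_ENTRIES)` yields two users, two groups and two grants, with `engineering` containing `devs` as a nested group; `build_model(...)[3]` lists the `contractors` DN that matched no filter.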
