Integrate AD with Xshield

Integrate an Active Directory (AD) with the Xshield instance to fetch the user identities from the AD. The user identities fetched from the AD are added to the existing Xaccess user directory for the instance.

To harden user authentication on the user assets, use AD Password policy best practices such as minimum password length, maximum password age, and password history.


Prerequisites

  • AD URL, login credentials, Base DN to selectively fetch user identities and connectivity to the AD setup.


Integrate AD

 You can integrate only one AD with an Xshield instance. 

AD can also be integrated with SSL enabled (LDAPS). In this case, you must keep the public key handy.

  1. Go to Xaccess > Onboard Users.

  2. Click Add IdP.

  3. Click the Others tile and click LDAP.

  4. In the LDAP URL text box, enter the URL to the AD. For example, ldaps://10.30.56.157.

  5. (Optional) In the Public Key for TLS text box, paste the public key for certificate exchanges with the AD server with LDAPS enabled.

  6. In the Search Base text box, enter the search query to filter the list of users in the AD. For example, CN=Users,DC=ad2016,DC=com

  7. In the Username text box, enter the username to the LDAP server. For example, testuser1@ad2016.com.

  8. In the Password text box, enter the password to the LDAP server.

  9. Click Save.


Successful AD integration

Upon successful integration with the AD, you will :

  • See the integrated AD on the Onboard Users page.

  • See the Security groups and Departments fetched from the AD on the Users, Groups, & Departments > Groups page.

  • See the users fetched from the AD on the Users, Groups, & Departments > Users page when they log into the Xaccess private network for the first time. From here on, they are listed on the page as long as they exist in the AD. 


Configure AD to retrieve deleted users or groups

You can retrieve deleted user or groups from the AD server by configuring the Recycle Bin in the AD server.

The username integrated with LDAP configuration of ColorMaster should have Admin access to delete AD users.
Assign admin role to user
  1. Search for Server Manager.
  2. Click Tools > Active Directory Users and Computers.
  3. Right-click on the user to assign the admin role and select Properties.
  4. Go to the Member Of tab and click Add to create a new role for the user.
  5. Enter Admin and apply the changes.
Enable Recycle Bin to retrieve deleted users/groups in ColorMaster
  1. Click Tools > Active Directory Administrative Center.
  2. Right-click on the selected local search base domain. For example, ctqa (local).
  3. Click Enable recycle bin > OK.

    Wait for few minutes. If the Recycle Bin is enabled, you will see the option for enabling the Recycle Bin disabled. If the recycle bin is not enabled, enable it a few more times.
  4. Expand the arrow beside the selected local search base domain to view the Deleted Objects option.

Failed AD integration

AD integration with the instance cannot be completed if you input incorrect AD details, credentials or if the AD setup is not reachable to the instance.


Disable AD integration

Deleting the AD integration from the Xaccess > Onboard Users page disables the integration with the instance. 

  • Select the AD and click Delete in the fly panel.

User-identities data from the deleted AD may still be seen in some reports and widgets in Xshield for up to 30 days.


Set up user attributes refresh interval

The AD integration can be set up to fetch new and updated user attributes from the integrated AD. You can set up a minimum of Fifteen minutes and up to 2 days. The default interval is Four hours.


Next steps

Did this answer your question? Thanks for the feedback There was a problem submitting your feedback. Please try again later.