Creating an LDAP server connection

To create a new LDAP connection to Active Directory:

In the KUMA web interface, open the Settings → Integrations → LDAP server section.
Select or create a tenant for which you want to create a LDAP connection.
In the LDAP server integration by tenant window, click the Add settings for a new tenant button.
In the LDAP server integration window, under Connections, click the Create button.
This opens the Create connection window.
Use the State toggle switch to enable the connection if you want to use this LDAP connection.
Specify a unique name for the LDAP connection. The length of the string must be 1 to 128 Unicode characters.
In the drop-down list, select a secret containing the credentials for connecting to the Active Directory server. To do so:
1. If you previously added a secret, in the Secret drop-down list, select the existing secret (with the credentials type).
2. If you want to create a new secret, click the Create button.
  This opens the Create secret window.
3. In the Name field, enter the name of the secret containing 1 to 128 Unicode characters.
4. In the User and Password fields, enter the credentials for connecting to the Active Directory server.
  You can enter the user name in one of the following formats: <user name>@<domain> or <domain><user name>.
5. Select tags for the secret from the Tags drop-down list.
6. In the Description field, enter a description of the secret up to 4000 Unicode characters long.
7. Click the Create button.
In the URL field, enter the address of the domain controller in the <hostname or IP address of server>:<port> format.
If necessary, click the Add button to specify the addresses of several domain controller servers that may be needed if one of the servers is unavailable. All of the specified servers must reside in the same domain. Only one domain controller server can be specified in one field. If the first domain controller is unavailable, the system tries to connect to the next domain controller in the list, then the next again, until a connection can be established.
Select one of the following TLS encryption types for connecting to the domain controller:
- LDAPS.
  When using LDAPS, an encrypted connection is immediately established over port 636. This type of TLS encryption is configured by default.
- startTLS.
  When the startTLS method is used, first it establishes an unencrypted connection over port 389, then it sends an encryption request. If the STARTTLS command ends with an error, the connection is terminated.
  
  Text exchange protocol enhancement that lets you create an encrypted connection (TLS or SSL) directly over an ordinary TCP connection instead of opening a separate port for the encrypted connection.
  
  Make sure that port 389 is open. Otherwise, a connection with the domain controller will be impossible.
- Insecure.
When using an encrypted connection, it is impossible to specify an IP address as a URL.
In the Certificate field, specify a TLS certificate. In the drop-down list, create a certificate or specify an existing certificate of an accredited certification authority that was used to sign the LDAP server certificate. Custom certificates cannot be used.
- If you already have a certificate, you can select it from the drop-down list.
- If you want to create a new certificate:
  1. In the Certificate drop-down list, select Create new.
    This opens the Create secret window.
  2. In the Name field, enter the name that will be displayed in the list of certificates after the certificate is added.
  3. Click the Upload certificate button to add a file with the Active Directory certificate. Base64-encoded X.509 certificate public keys are supported.
  4. If necessary, select the tags for the certificate from the Tags drop-down list.
  5. If necessary, provide any relevant information about the certificate in the Description field.
  6. Click the Create button.
  The certificate will be uploaded and displayed in the Certificate list.
The Certificate field is optional if you have selected the Insecure TLS encryption type.
In the Timeout in seconds field, indicate the amount of time to wait for a response from the domain controller server.
If multiple addresses are indicated in the URL field, KUMA will wait the specified number of seconds for a response from the first server. If no response is received during that time, the application will contact the next server, and so on. If none of the indicated servers responds during the specified amount of time, the connection will be terminated with an error.
In the Base DN field, enter the base distinguished name of the directory in which you need to run the search query.
In the Custom AD account attributes field, specify the additional attributes that you want to use to enrich events.
Before configuring event enrichment using custom attributes, make sure that custom attributes are configured in AD.

To enrich events with accounts using custom attributes:
1. Add Custom AD Account Attributes in the LDAP connection settings.
  Standard imported attributes from AD cannot be added as custom attributes. For example, if you add the standard accountExpires attribute as a custom attribute, KUMA returns an error when saving the connection settings.
  The following account attributes can be requested from Active Directory:
  - accountExpires
  - badPasswordTime
  - cn
  - company
  - department
  - displayName
  - distinguishedName
  - division
  - employeeID
  - ipaUniqueID
  - l
  - Mail
  - mailNickname
  - managedObjects
  - manager
  - memberOf (this attribute can be used for search during correlation)
  - mobile
  - objectGUID (this attribute always requested from Active Directory even if a user doesn't specify it)
  - objectSID
  - physicalDeliveryOfficeName
  - sAMAccountName
  - sAMAccountType
  - sn
  - streetAddress
  - telephoneNumber
  - title
  - userAccountControl
  - UserPrincipalName
  - whenChanged
  - whenCreated
  After you add custom attributes in the LDAP connection settings, the LDAP attribute to receive drop-down list in the collector automatically includes the new attributes. Custom attributes are identified by a question mark next to the attribute name. If you added the same attribute for multiple domains, the attribute is listed only once in the drop-down list. You can view the domains by moving your cursor over the question mark. Domain names are displayed as links. If you click a link, the domain is automatically added to LDAP accounts mapping if it was not previously added.
  
  If you deleted a custom attribute in the LDAP connection settings, manually delete the row containing the attribute from the mapping table in the collector. Account attribute information in KUMA is updated each time you import accounts.
2. Import accounts.
3. In the collector, in the LDAP mapping table, define the rules for mapping KUMA fields to LDAP attributes.
4. Restart the collector.
  After the collector is restarted, KUMA begins enriching events with accounts.
Click the Create button.
If the tenant was deleted while creating the connection, the New button remains active, but an error message is displayed when attempting to create a connection. The deleted tenant is displayed in the list of available tenants until you refresh the page by pressing the F5 key.

The LDAP connection to Active Directory will be created and displayed in the LDAP server integration window.

Account information from Active Directory will be requested immediately after the connection is saved, and then it will be updated at the specified frequency.

If you want to use multiple LDAP connections simultaneously for one tenant, you need to make sure that the domain controller address indicated in each of these connections is unique. Otherwise, KUMA lets you enable only one of these connections. When checking the domain controller address, the application does not check whether the port is unique.

Page top