How to Set Up Active Directory Custom Sync

You can use a custom JSON configuration to set up a custom Active Directory (AD) sync. To do so, follow the steps below:

Step 1: Activate the Custom Sync Flag in the Database Table

  1. In your database admin tool (e.g., pgAdmin), open the kv_store table located under tm_onsite > public.
  2. Add a row with the key ldap_sync_custom and set its value to true.

Step 2: Load the AD Sync Docker Image

  1. Use SSH to log into your Master VM. For example:
ssh prod@10.52.52.128
  2. Load the custom sync Docker image. For example:
docker load -i tera-adsync.tar.gz
  3. Restart the server. For example:
sudo systemctl restart teramind

Step 3: Import the Custom Config on Your Teramind Dashboard


  1. Click the Gear icon near the top-right corner of the Teramind Dashboard.
  2. Click Settings from the pop-up menu.
  3. Select the Active directory tab on the left sidebar.
  4. Enter your LDAP SERVER and LDAP PORT.
    Select an ENCRYPTION method (e.g., LDAPS, TLS) and specify a LDAP CERTIFICATE VERIFICATION TYPE (e.g., Accept valid). Use an encrypted connection and verify the server certificate: a simple bind over unencrypted LDAP sends the LDAP password in clear text, and accepting any certificate leaves an LDAPS/TLS connection open to interception.
    Enter the LDAP username in the LDAP LOGIN field. The sync only reads from AD, so a dedicated read-only account is sufficient.
    Optionally, enable the UPDATE LDAP PASSWORD checkbox to update the stored LDAP password.
  5. Enter a valid JSON configuration in the IMPORT CONFIG field.
    Alternatively, you can upload a JSON file by clicking the UPLOAD CONFIG button.
    Click the DOWNLOAD CONFIG button to download the current configuration.
Check out the JSON Configuration Schema below to learn more about the JSON format.
  6. Click the SAVE SETTINGS button to save any changes.
    Click the IMPORT button to start the import and sync process.
    Click the DOWNLOAD LOG button to download the import log.
  7. The import log is shown near the bottom of the screen.

JSON Configuration Schema

Sample Schema

{
    "schema_version": 1,
    "schedule_on": ["08:40 PM","1:24 AM"],
    "logic": [
        {
            "priority": 1,
            "name": "Sync Agents",
            "description": "Test AD sync agents audit",
            "enabled": 1,
            "type": "simulation",
            "base_dn": "DC=qa,DC=local",
            "filter": "(&(objectCategory=person)(name=*)(objectSid=*))",
            "scope": "sub_tree",
            "rules": [
                {
                    "priority": 1,
                    "name": "Rule 1",
                    "description": "Add agents rule",
                    "scope": "initial",
                    "matchers": {
                        "logical_op": "or",
                        "filters": [
                            {
                                "attribute": "distinguishedName",
                                "operation": "ends_with",
                                "type": "string",
                                "value": "OU=ou1,OU=root1,DC=qa,DC=local",
                                "inverse": 0
                            }
                        ]
                    },
                    "actions": [
                        {
                            "priority": 1,
                            "name": "Action 1",
                            "description": "Action to enable Monitoring of agents",
                            "type": "monitoring_enable"
                        }
                    ]
                }
            ]
        }
    ]
}

Explanation

schema_version
Number containing the JSON schema version. For example, 1.
period_minutes
Number denoting how often the sync runs. There are two possible values:
  • 0 means the sync runs only when started manually (via the IMPORT button).
  • A value greater than 1 runs the sync every that many minutes.

Note: do not use this option together with the schedule_on option.

schedule_on

Array of strings containing the times at which the sync runs. The time format is HH:MM AM/PM. For example, ["08:40 PM","1:24 AM"] runs the sync twice a day.

Note: do not use this option together with the period_minutes option.

logic
Array of logic objects (blocks). Each block has its own set of parameters such as the LDAP base DN, search filter and scope, and a list of rules.
logic.priority
Number defining the order of execution within the same JSON hierarchy level. For example, 1. Lower values denote higher priority and are executed first.
logic.name
String containing the name of the logic. For example, "Sync Agents".
logic.description
String containing the description for the logic. For example, "Test AD sync agents audit".
logic.type
String containing the type of import. There are two possible values:
  • "production" performs the actual import.
  • "simulation" runs a simulation: it only prints what the import would do, without applying any changes to the database. Run a new or changed configuration in "simulation" first and review the import log before switching it to "production"; actions such as "soft_delete" and "scope_remove" are easy to get wrong in a filter.
logic.base_dn
String containing the root DN (Distinguished Name). For example, "DC=test,DC=com".
logic.filter
String containing the LDAP search filter to be executed. For example, "(&(objectCategory=person)(name=*)(objectSid=*))".
logic.attributes
String listing the LDAP attributes to query (and import), separated by semicolons. For example, "objectSid;thumbnailPhoto". By default, users are matched by email and computers by FQDN (fully qualified domain name); to match users or computers by objectSid instead, add "objectSid" to this list.
logic.scope
String containing the scope of the search filter. There are three possible values:
  • "base" will query just the object specified in logic.base_dn.
  • "one_level" will query direct children of the object specified in logic.base_dn.
  • "sub_tree" will query the whole subtree of the object specified in logic.base_dn.
logic.rules
Array containing rule objects to be executed against each row returned by the LDAP server.
logic.rule.priority
Number defining the order of execution within the same JSON hierarchy level. For example, 1. Lower values denote higher priority and are executed first.
logic.rule.name
String containing the name of the rule. For example, "Rule 1".
logic.rule.description
String containing the description for the rule. For example, "Add agents rule".
logic.rule.scope
String dictating the scope of the rule. There are two possible values:
  • "initial" the rule is executed against each row of the initial search query.
  • "inherit" the rule is executed against each row that was not removed from the scope by a higher-priority rule (see the "scope_remove" value of logic.rule.action.type below).
logic.rule.matchers
Object containing the matcher definition (logical_op and filters). It decides whether the rule's actions are applied to an object (row) or the object is skipped.
logic.rule.matchers.logical_op
String containing matcher filters logical operation. There are two possible values:
  • "and" filters are combined by the logical AND operator.
  • "or" filters are combined by the logical OR operator.
logic.rule.matchers.filters
Array containing the matcher filters.
logic.rule.matchers.filters.attribute
String containing the filter’s attribute name (exact name). For example, "name", "distinguishedName", etc.
logic.rule.matchers.filters.operation
String containing the filter’s operation. The following values are supported:
  • "is_null" checks if the value is null.
  • "equals" checks if the value is equal to a string or a number.
  • "contains" checks if the value contains a string.
  • "starts_with" checks if the value starts with a string.
  • "ends_with" checks if the value ends with a string.
  • "greater_than" checks if the value is > a number.
  • "less_than" checks if the value is < a number.
  • "logical_and" checks the value against the number with the logical AND operator (a bit-mask test, e.g., on userAccountControl).
logic.rule.matchers.filters.value
String/Number dictating the value to filter. For example, "OU=ou1,OU=root1,DC=qa,DC=local" or 0 or "".
logic.rule.matchers.filters.type
String dictating the type of value being filtered. There are two possible values:
  • "string" the filter value is a string (not case-sensitive).
  • "number" the filter value is a number.
logic.rule.matchers.filters.inverse
Number specifying if an inverse match should be performed. There are two possible values:
  • 0 no inverse match.
  • 1 perform an inverse match (1 stands for "not": for example, not equal, not contains, etc.).
logic.rule.actions
Array containing rule actions that will be taken on a matched object (row).
logic.rule.action.priority
Number defining the order of execution within the same JSON hierarchy level. For example, 1. Lower values denote higher priority and are executed first.
logic.rule.action.name
String containing the name of the action. For example, "Action 1".
logic.rule.action.description
String containing the description for the action. For example, "Action to enable Monitoring of agents".
logic.rule.action.type
String containing the type of action to perform. The following values are supported:
  • "department" puts users into department (creates new or updates existing).
  • "group" puts users and computers into the ad_group (creates new or updates existing).
  • "tracking_profile" assigns a tracking profile to user.
  • "flags" updates user flags (target.type is either logical AND or "remove"; target.value is a numeric value that is either OR'ed into or subtracted from the flags).
  • "behavior_rule" assigns behavior rule(s) to the users.
  • "role" assigns an account role, one the following: "<administrator>", "<operational_administrator>", "<infrastructure_administrator>", "<employee>" (default is "<employee>").
  • "acl_object" adds user as a privileged user into the access control policy.
  • "acl_subject" adds user as a target (subject) user into the access control policy.
  • "default_task" assigns a default task.
  • "scope_remove" removes the object (row) from the scope, so a lower-priority rule that "inherit"s the scope will not see this object.
  • "soft_delete" deletes the object from the Teramind database (marks it as deleted = 1).
  • "monitoring_enable" enables monitoring of user/computer.
  • "monitoring_disable" disables monitoring of user/computer.
  • "monitoring_auto" enables auto-monitoring of user (turns ON during the first login).
logic.rule.action.target
Object containing the type and value of the action target.
logic.rule.action.target.type
String containing the target type, i.e., how target.value identifies the target. Supported values are:
  • "name" target.value is a single name (string).
  • "id" target.value is a single numeric ID.
  • "name_array" target.value is an array of names.
  • "id_array" target.value is an array of numeric IDs.
  • "attribute" target.value is an attribute name rather than a literal name or ID.
logic.rule.action.target.value
String, number or array containing the value for the target type. The allowed values depend on logic.rule.action.target.type. Here are some examples:
  • "<inherit>" can be used for target.type: "name" only. The Teramind database object is searched by the exact name that is pulled in from AD (valid only for action.type: "department" and "group").
  • "IT department" for target.type: "name" only (valid only for action.type: "department" and "group").
  • "135" for target.type: "id" only.
  • [1, 2, 3] for target.type: "id_array" only.
  • ["BR 1", "BR 2"] for target.type: "name_array" only.
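The schema is easiest to understand by running a configuration through it. The Python script below is an added example, not Teramind's code: it validates a constructed configuration against the constraints documented above (schema_version, the mutually exclusive period_minutes and schedule_on options, the schedule_on time format, and the allowed values for type, scope, logical_op, operation and action.type) and then dry-runs the rules over three constructed LDAP rows, showing how a higher-priority rule's "scope_remove" keeps a disabled account away from a lower-priority "inherit" rule. It assumes that an LDAP result row is a dict of attribute name to value, that "is_null" treats a missing attribute as null, and that "logical_and" is a bit-mask test; none of these details are stated in the article.

```python
"""Offline validator and dry-run for a Teramind-style AD custom sync config.
Added example, not Teramind's code. Assumed (not stated in the article): an LDAP result
row is a dict of attribute -> value, "is_null" treats a missing attribute as null, and
"logical_and" is a bit-mask test ((value & number) != 0)."""
import re

OPERATIONS = {"is_null", "equals", "contains", "starts_with", "ends_with",
              "greater_than", "less_than", "logical_and"}
ACTION_TYPES = {"department", "group", "tracking_profile", "flags", "behavior_rule", "role",
                "acl_object", "acl_subject", "default_task", "scope_remove", "soft_delete",
                "monitoring_enable", "monitoring_disable", "monitoring_auto"}
TIME_RE = re.compile(r"^(0?[1-9]|1[0-2]):[0-5][0-9] [AP]M$")  # schedule_on format, e.g. "08:40 PM"

# Constructed config (a JSON-compatible dict). Rule 1 removes disabled accounts
# (userAccountControl bit 2 = ACCOUNTDISABLE) from the scope; rule 2 "inherit"s that
# reduced scope, so a disabled user is never added to the department or monitored.
SAMPLE_CONFIG = {"schema_version": 1, "period_minutes": 30, "logic": [{
    "priority": 1, "name": "Sync Engineering", "enabled": 1, "type": "simulation",
    "base_dn": "DC=example,DC=com", "scope": "sub_tree",
    "filter": "(&(objectCategory=person)(objectSid=*))", "attributes": "objectSid;userAccountControl",
    "rules": [
        {"priority": 1, "name": "Drop disabled", "scope": "initial",
         "matchers": {"logical_op": "and", "filters": [
             {"attribute": "userAccountControl", "operation": "logical_and",
              "type": "number", "value": 2, "inverse": 0}]},
         "actions": [{"priority": 1, "name": "Stop", "type": "monitoring_disable"},
                     {"priority": 2, "name": "Remove", "type": "scope_remove"}]},
        {"priority": 2, "name": "Engineering", "scope": "inherit",
         "matchers": {"logical_op": "or", "filters": [
             {"attribute": "distinguishedName", "operation": "ends_with", "type": "string",
              "value": "OU=Engineering,DC=example,DC=com", "inverse": 0}]},
         "actions": [{"priority": 1, "name": "Dept", "type": "department",
                      "target": {"type": "name", "value": "Engineering"}},
                     {"priority": 2, "name": "Monitor", "type": "monitoring_enable"}]}]}]}

# Constructed rows standing in for the LDAP search result (Bob is disabled: 512 | 2 = 514).
ROWS = [
    {"distinguishedName": "CN=Alice,OU=Engineering,DC=example,DC=com", "userAccountControl": 512},
    {"distinguishedName": "CN=Bob,OU=Engineering,DC=example,DC=com", "userAccountControl": 514},
    {"distinguishedName": "CN=svc-backup,OU=Service,DC=example,DC=com", "userAccountControl": 512},
]

def validate(cfg):
    """Return the violations of the documented constraints (empty list = config passes)."""
    bad = []
    def check(ok, msg):
        if not ok:
            bad.append(msg)
    check(cfg.get("schema_version") == 1, "schema_version must be 1")
    check(not ("period_minutes" in cfg and "schedule_on" in cfg),
          "period_minutes and schedule_on must not be used together")
    check(all(TIME_RE.match(t) for t in cfg.get("schedule_on", [])),
          "schedule_on entries must look like '08:40 PM'")
    for lg in cfg.get("logic", []):
        check(lg.get("type") in ("production", "simulation"), f"{lg.get('name')}: bad type")
        check(lg.get("scope") in ("base", "one_level", "sub_tree"), f"{lg.get('name')}: bad scope")
        for rule in lg.get("rules", []):
            m = rule.get("matchers", {})
            check(rule.get("scope") in ("initial", "inherit"), f"{rule.get('name')}: bad rule scope")
            check(m.get("logical_op") in ("and", "or"), f"{rule.get('name')}: bad logical_op")
            for f in m.get("filters", []):
                check(f.get("operation") in OPERATIONS and f.get("type") in ("string", "number"),
                      f"{rule.get('name')}: bad filter on {f.get('attribute')}")
            for a in rule.get("actions", []):
                check(a.get("type") in ACTION_TYPES, f"{rule.get('name')}: bad action {a.get('type')}")
    return bad

def filter_matches(row, flt):
    """Evaluate one matcher filter against a row, honouring type and inverse."""
    value, want, op = row.get(flt["attribute"]), flt["value"], flt["operation"]
    if op == "is_null":
        hit = value is None
    elif value is None:
        hit = False                        # an absent attribute matches nothing but is_null
    elif flt["type"] == "string":          # string comparisons are case-insensitive
        have, want = str(value).lower(), str(want).lower()
        hit = {"equals": have == want, "contains": want in have,
               "starts_with": have.startswith(want), "ends_with": have.endswith(want)}[op]
    else:
        have, want = int(value), int(want)
        hit = {"equals": have == want, "greater_than": have > want,
               "less_than": have < want, "logical_and": (have & want) != 0}[op]
    return (not hit) if flt.get("inverse", 0) else hit

def rule_matches(row, matchers):
    results = [filter_matches(row, f) for f in matchers["filters"]]
    return all(results) if matchers["logical_op"] == "and" else any(results)

def dry_run(logic, rows):
    """Plan the actions per DN. "initial" rules see every row; "inherit" rules see only rows
    that no higher-priority rule removed with scope_remove. Returns (plan, DNs still in scope)."""
    plan, scope = {}, list(rows)
    for rule in sorted(logic["rules"], key=lambda r: r["priority"]):
        candidates = rows if rule["scope"] == "initial" else list(scope)
        for row in candidates:
            if not rule_matches(row, rule["matchers"]):
                continue
            for action in sorted(rule["actions"], key=lambda a: a["priority"]):
                plan.setdefault(row["distinguishedName"], []).append(action["type"])
                if action["type"] == "scope_remove" and row in scope:
                    scope.remove(row)
    return plan, [r["distinguishedName"] for r in scope]

if __name__ == "__main__":
    print(validate(SAMPLE_CONFIG) or "config OK", dry_run(SAMPLE_CONFIG["logic"][0], ROWS))
```

With the constructed rows, Bob (userAccountControl 514, i.e. disabled) is matched by rule 1 and removed from the scope, so rule 2 never sees him even though his distinguishedName ends with the Engineering OU; Alice gets the "department" and "monitoring_enable" actions; the service account matches nothing. Changing rule 2's scope from "inherit" to "initial" would enrol Bob as well, which is the difference between the two rule scopes described above. Running validate() on a configuration before pasting it into IMPORT CONFIG catches the period_minutes/schedule_on conflict and misspelled enum values that the dashboard would otherwise reject or, worse, silently ignore.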