Directory Integration

Overview

To allow users to connect to resources with their directory logins, you need to create an authentication provider and grant permissions to the users.

Access and permissions can be assigned to AD accounts directly in Mamori or via a Mamori role that is linked to a directory group (name or CN).

To configure cloud directories (Azure, Okta & Duo) simply select them instead of LDAP when following the guide to creating a new provider.
Directory logins can be optionally extended to be multi-factored by setting the 2FA method for either the directory provider or individual accounts.
When a directory user is deleted, disabled or expires, then the login will no longer authenticate via Mamori. However, the stale Mamori linked accounts will persist until the synchronize operation is executed. Synchronizing will logically remove the stale linked accounts.

General Steps

Step 1 - Create Authentication provider for directory

Step 2 - Set 2FA method (optional)

Step 3 - Set authentication chain (if more than 1 directory)

Step 4 - Grant access & permissions to directory users

method 1 - Map directory groups to Mamori roles

or

method 2 - Grant Mamori roles directly to directory users

Step 5 - Schedule Synchronize to clean up terminated accounts


Create Active Directory / LDAP

Prerequisites

  • You’ll need an LDAP user with bind privileges to complete these tasks.
  • If you plan on managing permissions by mapping roles to directory groups or organizational units, then ensure your directory users are in the right directory groups and/or organizational units.

Add Provider

Click Server Settings > Authentication Providers

Click

Name the provider

Choose Generic LDAP from the Authentication Provider list.

Fill in these fields on the Settings tab:

Field | Description
LDAP / Active Directory Server | Your server name, e.g., company.com
LDAP User (Bind DN) & Password | Your LDAP user with bind credentials
Base DN (Optional) | Click Browse Directory, then select the folder(s) with the users
Users Container / Organizational Unit string | You can manually enter a CN or OU, or have it set automatically by selecting a folder in the AD Browser
Search Filter | Accept the default or write your own filter
MFA Provider (Optional) | The 2FA method to apply to all directory logins

Advanced Options

Field | Description
Synchronize Users | Displays your directory users alongside Mamori users.
  Set to false if you want to map AD groups to Mamori roles.
  Set to true if you want to grant Mamori roles and permissions directly to AD users.

Granting Permissions - via directory group

Click Roles

Click

Next, enter details in user dialog

Field | Description
Role ID | The Mamori role name
External Name | The directory group, CN or OU to link this role to
Priority | A ranking to resolve conflicts when a user holds the same permission type via multiple roles

Granting Permissions - directly to a user

Click Users

Click DIRECTORY SERVICE USERS and find the user

Click if the directory user is not in the list

Next, edit the user and set their permissions


For Administrators

Synchronizing Directory Users

To clean up Mamori directory accounts that are linked to invalid AD logins, you can either manually execute the synchronize operation via the Users screen or schedule the synchronize.

Once a directory login becomes invalid, that login will no longer authenticate via Mamori even if the Mamori directory account still exists. The clean-up is purely to remove stale accounts.

Scheduling Synchronize

Click Console

In the console editor run the create job statement

  --
  --  Example: synchronize every 15 minutes
  --  (trigger fields: sec min hour day-of-month month day-of-week)
  --
  CREATE JOB 'directory_refresh'
      CRONTRIGGER '0 */15 * * * ?'
      AS { CALL RELOAD_USERS() };

  -- Confirm the job was created
  SELECT * FROM "SYS"."MAMORIJOBS";

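As an added check that is not part of the Mamori documentation, the Python function below evaluates a six-field cron trigger such as the one above and lists its next fire times, so a schedule can be verified before the job is created. It assumes CRONTRIGGER follows Quartz syntax (seconds first, `?` in day-of-month or day-of-week, Sunday = 1); the function names and the sample start time are constructed for this example.

```python
from datetime import datetime, timedelta


def _field_matches(spec, value, low):
    """Match one cron field against a value: supports *, ?, n, a-b, */s, a/s and lists."""
    if spec in ("*", "?"):
        return True
    for part in spec.split(","):
        if "/" in part:
            base, step = part.split("/")
            start = low if base == "*" else int(base)
            if value >= start and (value - start) % int(step) == 0:
                return True
        elif "-" in part:
            a, b = (int(x) for x in part.split("-"))
            if a <= value <= b:
                return True
        elif int(part) == value:
            return True
    return False


def next_fire_times(expr, start, count=3, horizon=timedelta(days=2)):
    """Return the next `count` datetimes after `start` at which a Quartz-style
    cron expression (sec min hour day-of-month month day-of-week) fires.
    Assumption: Mamori's CRONTRIGGER uses this Quartz layout."""
    if isinstance(start, str):
        start = datetime.fromisoformat(start)
    fields = expr.split()
    if len(fields) != 6:  # a Unix-style 5-field expression is a common mistake
        raise ValueError("expected 6 fields (sec min hour dom month dow), got %d" % len(fields))
    sec, minute, hour, dom, month, dow = fields
    if "?" not in (dom, dow):
        raise ValueError("Quartz requires '?' in either day-of-month or day-of-week")
    hits, t, end = [], start.replace(microsecond=0) + timedelta(seconds=1), start + horizon
    while t < end and len(hits) < count:
        quartz_dow = (t.weekday() + 1) % 7 + 1  # Python Mon=0..Sun=6 -> Quartz Sun=1..Sat=7
        if (_field_matches(sec, t.second, 0) and _field_matches(minute, t.minute, 0)
                and _field_matches(hour, t.hour, 0) and _field_matches(dom, t.day, 1)
                and _field_matches(month, t.month, 1) and _field_matches(dow, quartz_dow, 1)):
            hits.append(t)
        t += timedelta(seconds=1)
    return hits


if __name__ == "__main__":
    # Constructed start time; prints 10:15, 10:30 and 10:45 for the trigger used above
    for fire in next_fire_times("0 */15 * * * ?", "2024-03-13T10:07:00"):
        print(fire.isoformat())
```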
Querying an LDAP server

Click Console

To see all the available users in a directory:

   --parameters (directory name, user name)
   call directory_search(null, '');   

For a custom LDAP query

   --parameters (ldap server, bind user, bind password, search filter, base CN/DN to search from)
   call LDAP_SEARCH('YOUR LDAP SERVER'
              ,'LDAP BIND USER'
              ,'USER PASSWORD'
              ,'(|(objectClass=user)(objectClass=inetOrgPerson))'
              ,'THE CN TO SEARCH FROM');

Updated at Wed, Mar 13, 2024