Configuring LDAP
This document provides step-by-step instructions on configuring the LDAP (Lightweight Directory Access Protocol) service in Invicti Enterprise On-Premises. It also explains how members are managed, what happens if you disable the LDAP service, and gives more detail about the LDAP synchronization email notifications.
LDAP is a system-level integration that allows Invicti Enterprise to synchronize users from LDAP servers, facilitating seamless user management and authentication. The most commonly used LDAP server for this purpose is Microsoft Active Directory. This integration ensures efficient and secure user synchronization, enhancing the overall functionality and security of the Invicti Enterprise platform.
IMPORTANT: The LDAP service is available exclusively for Early Access customers. To enable the LDAP service for your Invicti Enterprise On-Premises environment, contact your Customer Success Manager (CSM).
How to configure the LDAP Service
- Log in to Invicti Enterprise On-Premises.
- Select Settings > LDAP from the left-side menu.
- On the Configure LDAP Service page, select the Enable checkbox to enable the LDAP service.
- Specify the Server with the hostname or IP address of the LDAP server.
- Select the Enable SSL/TLS checkbox to encrypt communication between the client and server. This ensures that data, such as user credentials and directory information, remains secure from interception or tampering by unauthorized parties. This encryption is essential for maintaining secure and confidential data transmission during LDAP synchronization.
- In the Port field, enter the port number that the LDAP server uses.
- Enter the Bind DN. Bind DN is the distinguished name used to bind to the LDAP server. It should follow the LDAP DN structure, for example, CN=Admin, DC=example, DC=com.
- In the Bind Password field, enter the password for the Bind DN account. It is used to authenticate the connection to the LDAP server.
- In the User Attribute Mappings section, enter the corresponding Email, First Name, and Last Name attributes that match your LDAP server implementation. By default, it uses Microsoft Active Directory attribute names.
- In the Group Attribute Mappings > Members field, enter the name of the LDAP attribute that lists a group's members. This must be a valid LDAP attribute, for example 'member'. Invicti Enterprise resolves the members of a user group by reading this attribute.
TIP: LDAP implementations from various vendors may use different attribute names for Email, First Name, Last Name, and Members.
- Click Verify and Save at the bottom of the screen.
NOTE: Invicti Enterprise will sync LDAP Teams with the LDAP Server every day. If there are missing members, Invicti Enterprise will create them.
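To make the attribute mappings and the daily one-way sync concrete, here is an added Python model; it is not part of the product or of this document. It assumes a dict standing in for live LDAP search results and the Active Directory default attribute names mail, givenName, sn and member (the page does not list them); the uniqueMember mapping is a constructed example of the vendor difference the TIP describes.

```python
"""Model of the member resolution and one-way LDAP-to-Invicti sync described
above (added example). The directory dict stands in for live LDAP search
results; the Active Directory attribute names are assumed defaults."""

# User/Group Attribute Mappings as entered on the Configure LDAP Service page.
AD_MAPPING = {"email": "mail", "first_name": "givenName",
              "last_name": "sn", "members": "member"}
# Same mapping for a vendor whose groups list members in uniqueMember (assumed).
OPENLDAP_MAPPING = dict(AD_MAPPING, members="uniqueMember")

# Constructed sample directory: DN -> attribute -> list of values.
USERS = "OU=Users,DC=example,DC=com"
DIRECTORY = {
    "CN=Scanners,OU=Groups,DC=example,DC=com": {
        "member": [f"CN=Ada,{USERS}", f"CN=Bob,{USERS}", f"CN=Gone,{USERS}"]},
    "CN=Auditors,OU=Groups,DC=example,DC=com": {
        "uniqueMember": [f"CN=Ada,{USERS}"]},
    f"CN=Ada,{USERS}": {"mail": ["ada@example.com"],
                        "givenName": ["Ada"], "sn": ["Lovelace"]},
    f"CN=Bob,{USERS}": {"givenName": ["Bob"], "sn": ["Byte"]},  # no mail attribute
    # CN=Gone is still listed in the group but its entry no longer exists.
}


def resolve_group(directory, group_dn, mapping):
    """Resolve a group's members through the configured Members attribute and map
    each entry to Email / First Name / Last Name. Returns (users, problems)."""
    users, problems = [], []
    for member_dn in directory[group_dn].get(mapping["members"], []):
        entry = directory.get(member_dn)
        if entry is None:
            problems.append((member_dn, "entry not found"))
            continue
        email = entry.get(mapping["email"], [""])[0]
        if not email:  # no address means no password-reset email can be sent
            problems.append((member_dn, f"missing {mapping['email']} attribute"))
            continue
        users.append({"email": email,
                      "first_name": entry.get(mapping["first_name"], [""])[0],
                      "last_name": entry.get(mapping["last_name"], [""])[0]})
    return users, problems


def sync_team(current_emails, ldap_users):
    """One-way sync: return LDAP members not yet in the team, i.e. the users the
    daily sync would create. Nothing is ever written back to the directory."""
    present = {e.lower() for e in current_emails}
    return [u for u in ldap_users if u["email"].lower() not in present]
```

Running resolve_group with the AD mapping against a group that uses uniqueMember resolves nobody, which is the symptom of a wrong Members attribute worth checking before Verify and Save.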
Integrating LDAP with existing teams
LDAP teams do not interfere with the existing teams and structure within Invicti Enterprise; they operate independently. However, it is important to note that LDAP cannot alter or override the current structure in Invicti Enterprise. If you wish to manage everything solely through LDAP in the future, you will need to manually reorganize the current structure in Invicti Enterprise so that it aligns with the structure managed in LDAP.
Members management
Take into account that all modifications to LDAP groups, including creating, reading, updating, and deleting members or groups, must be performed within an LDAP Server rather than within Invicti Enterprise. You cannot create and sync LDAP groups into Invicti Enterprise and then make changes directly within Invicti Enterprise or synchronize those changes back to LDAP. LDAP synchronization operates in a one-way direction: from the LDAP Server to Invicti Enterprise, with the LDAP Server as the authoritative source.
Deleting users from LDAP Teams
When deleting an LDAP team, there are two types of members to consider:
- Members manually invited to the app: For these members, only their membership in the deleted team will be removed. They will retain access to the app if they belong to other teams.
- Members created by LDAP sync:
  - If these members belong to other teams, their membership will be removed only from the deleted team.
  - If these members do not belong to any other teams, they will be disabled. This ensures that any user created through LDAP synchronization cannot use the system if they are no longer part of any team.
NOTE: Existing users will continue to have access to the app, even without a membership, as long as they had previously set it up.
Disabling the LDAP integration
If you disable the LDAP feature, LDAP teams will function as regular teams, but their members will no longer sync. Additionally, any new LDAP teams created will remain empty, as synchronization from the LDAP server will cease.
LDAP synchronization email notification
When a user is created through LDAP synchronization, they receive a password reset email. This ensures that the user can set their own password securely. Note that this functionality assumes that the SMTP (Simple Mail Transfer Protocol) settings are correctly configured in the system. Proper SMTP setup is essential for the delivery of these emails and any other system-generated notifications.
To verify and configure SMTP settings, refer to the Email settings document. Ensuring that SMTP is properly set up guarantees that users will receive the necessary emails for password management and other notifications.