Active Directory / LDAP Integration Best Practices
- Updated On 16 Oct 2020
It is highly recommended that organizations that use Active Directory/LDAP for identity and data access management integrate SecureCircle with Active Directory/LDAP. The following are best practices when integrating Active Directory/LDAP with SecureCircle.
Delegate Group Object Read Access to a Restricted User for Integration Authentication
The SecureCircle Server must query the Active Directory/LDAP service via the LDAP protocol to obtain a list of group object names and SIDs. To perform the query, it must be given the credentials of a user within the Active Directory/LDAP service that has permission to read group objects. While a Domain Admin's credentials would work, it is better to follow the principle of least access and create a dedicated user that can do nothing more than perform this query. Delegation of control in Microsoft Active Directory is accomplished using the Delegation of Control Wizard, reached by right-clicking a domain or OU in the Active Directory Users and Computers MMC snap-in.
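The same delegation done from PowerShell rather than the wizard, as an added example that is not SecureCircle's own script. The domain name CONTOSO / contoso.example, the OU "OU=Groups,DC=contoso,DC=example" and the account name svc-securecircle are assumptions; run it from an elevated session on a domain-joined admin host with RSAT installed.

```powershell
# Added example (not SecureCircle's own code). Assumed names: domain CONTOSO / contoso.example,
# OU "OU=Groups,DC=contoso,DC=example", service account "svc-securecircle".
Import-Module ActiveDirectory

$domainNetbios = "CONTOSO"
$ou            = "OU=Groups,DC=contoso,DC=example"
$sam           = "svc-securecircle"

# 1. A dedicated account with no group memberships beyond Domain Users and no interactive use.
#    A non-expiring password is typical for a service account; rotate it on your own schedule.
New-ADUser -Name $sam -SamAccountName $sam -UserPrincipalName "$sam@contoso.example" `
    -AccountPassword (Read-Host -AsSecureString "Password for $sam") `
    -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description "SecureCircle LDAP integration: read group objects only"

# 2. Grant Generic Read (GR) on group objects below the OU, comparable to delegating read
#    on Group objects in the Delegation of Control Wizard. /I:S = apply to sub-objects only,
#    and the trailing ";group" limits the inherited ACE to objects of class group.
dsacls $ou /I:S /G "$domainNetbios\${sam}:GR;;group"

# 3. Confirm the ACE landed, and that nothing broader was granted by mistake.
dsacls $ou | Select-String -Pattern $sam
```

In a default domain, Authenticated Users can already read group objects and list OU contents, so the explicit ACE mainly matters in domains where those defaults have been tightened; the security gain that always applies is that compromise of this account yields read access to group objects and nothing else.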
Restrict Integration to OU, as Appropriate
If Organizational Units (OUs) are already used to segment and manage users and groups, and data access policies will only reference groups within one particular OU, limit the integration scope to that OU. This follows the principle of least access (the SecureCircle Server sees only the groups it needs) and may also improve group import and data access performance by reducing the number of groups visible to the SecureCircle Server.
It is not recommended or necessary to introduce OUs specifically for integrating SecureCircle as this may increase administrative complexity by altering existing management workflows. SecureCircle is tested and performs well in environments with thousands to hundreds of thousands of groups and users.
Use Email-based Invitations to a Special Email Address for Utility Servers
While it is possible to use the Active Directory/LDAP-based SecureCircle Agent on utility servers, such as file servers, it may introduce an additional layer of complexity in determining the login context of local services. Since such servers are often restricted, isolated endpoints that do not allow local or Remote Desktop login by non-admin users, it can be simpler to create an email-based user (e.g., named "email@example.com") and install the SecureCircle Agent on the server using that invitation. In effect, this marks the entire endpoint, regardless of the login context, as a trusted endpoint for the Circles to which that same email has been invited. All services on the utility server will be able to protect data using the SecureCircle Agent, regardless of login context.
Use LDAP/S, Where Possible
LDAP/S provides channel encryption for LDAP queries from the SecureCircle Server, protecting the credentials used for the query and the subsequent response payload. A guide to enabling LDAP/S can be found here:
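A connectivity check that exercises both of the points above (the OU-scoped query from "Restrict Integration to OU" and the TLS channel from this section), as an added example that is not SecureCircle's own code: it binds over LDAPS with the delegated account and runs the group name and SID query the integration relies on, restricted to one OU. The DC name dc01.contoso.example, the account CONTOSO\svc-securecircle and the OU "OU=Groups,DC=contoso,DC=example" are assumptions.

```powershell
# Added example (not SecureCircle's own code). Assumed names: DC dc01.contoso.example,
# account CONTOSO\svc-securecircle, OU "OU=Groups,DC=contoso,DC=example".
Add-Type -AssemblyName System.DirectoryServices.Protocols

$dc     = "dc01.contoso.example"
$baseDn = "OU=Groups,DC=contoso,DC=example"
$cred   = Get-Credential -UserName "CONTOSO\svc-securecircle" -Message "Integration account"

# 1. Is 636/tcp reachable at all? Failure here means a firewall rule or LDAPS not enabled on the DC.
if (-not (Test-NetConnection -ComputerName $dc -Port 636 -InformationLevel Quiet)) {
    throw "LDAPS port 636 not reachable on $dc"
}

# 2. Simple bind over TLS. With SecureSocketLayer set, the DC certificate is validated against
#    the machine trust store and an untrusted certificate makes Bind() fail, so the password
#    is never sent over an unprotected channel.
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($dc, 636)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
$conn.SessionOptions.SecureSocketLayer = $true
$conn.SessionOptions.ProtocolVersion   = 3
$conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
$conn.Credential = $cred.GetNetworkCredential()
$conn.Bind()

# 3. The query the integration needs: group names and SIDs, scoped to the OU subtree only.
$attrs = [string[]]@("cn", "objectSid")
$scope = [System.DirectoryServices.Protocols.SearchScope]::Subtree
$req   = New-Object System.DirectoryServices.Protocols.SearchRequest($baseDn, "(objectClass=group)", $scope, $attrs)
$resp  = $conn.SendRequest($req)

foreach ($entry in $resp.Entries) {
    # objectSid is returned as raw bytes; SecurityIdentifier renders it as S-1-5-21-...
    $sidBytes = $entry.Attributes["objectSid"].GetValues([byte[]])[0]
    $sid      = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
    [pscustomobject]@{ Name = $entry.Attributes["cn"][0]; SID = $sid.Value }
}
$conn.Dispose()
```

If the bind succeeds but the listing is empty, the delegated account lacks read on the group objects under that OU; if it lists groups from outside the OU, the search base is wrong. Both are worth checking before pointing the SecureCircle Server at the directory.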
Adding Active Directory Groups Using PowerShell
PowerShell may be used to import Active Directory Groups to the SecureCircle Server. The required script can be found under the Add Active Directory Groups using PowerShell section of our Command Line Reference and Scripts guide.