Active Directory Server Integration Configuration
  • 18 Oct 2020

The SecureCircle server can be integrated with Active Directory, allowing centralized management of administrative accounts and of the users allowed access to circles. While we do connect to an Active Directory server to gather the information required for this integration, the connection is done with a single authorization and a single query for groups. After that, the SecureCircle server does not need to connect again. We recommend refreshing this connection and query whenever a new group is created or an existing group is moved or removed, if those AD groups are to be used in SecureCircle operations.

Prerequisites

  • A standard user account should be created in Active Directory. This user will be used to query the directory for information.
  • A directory controller providing LDAP must be accessible from the SecureCircle server.

Administrative Accounts

Login

Accessing the server via https://SERVER will direct you to the default local login page https://SERVER/web/login.html.

Clicking Login as Active Directory Admin will direct you to the Active Directory login page https://SERVER/web/loginAds.html.

Configuring login for Active Directory

An Active Directory group can be assigned to an administrative identity provider, allowing members of that group to log in to the web interface.

You will need to fill in the following information to let our server know who is allowed to connect this way.

| Setting Name | Description | Example |
|---|---|---|
| Administrative Group | This is the Display Name of the administrative group you wish to grant access to. | Like above, but Administrator instead of CN=Administrator |
| Base | The LDAP search base to use | DC=securecircle,DC=com |
| Host | A hostname or IP address providing LDAP | 192.168.1.254 |
| Organizational Unit | Providing an organizational unit will only list groups within this OU. Please note, distribution groups will not be used by this function. | OU=Groups,OU=SecureCircle |
| Password | Password for the account used to authenticate | Password |
| Port | The port you wish to specify for communication to route through. | plain text is 389, (start)TLS is 389, SSL is 636 |
| Security | A drop-down menu with options for the type of network security to use. | None, SSL, TLS |
| User DN | The distinguished name of the account used to authenticate. | CN=Administrator,CN=Users,DC=securecircle,DC=com |

Another method of doing this is through a direct call to the server API.

The following example uses cURL to make the call to the API. Alternatively, a REST client of your choosing can be used.

  • Log in to the server with your username and password. -c securecircle.cookie is used to save the resulting cookie.
    $ curl -c securecircle.cookie -d "username=username" -d "password=password" https://server/web/login
  • Submit the correct data to the v2/administrative/createIdentityProvider API.
    $ curl -b securecircle.cookie https://server/api/v2/administrative/createIdentityProvider -d '{ "type": "ads", "administrativeGroupName": "Domain Admins", "password": "password", "configuration": {"host": "securecircle.com", "base": "dc=securecircle,dc=com", "userDn": "cn=Administrator,cn=Users,dc=securecircle,dc=com"} }'
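
A pre-flight check for the settings in the table above, written as an added example (it is not SecureCircle code). It checks the port against the chosen Security mode, flags an unencrypted bind, and compares the User DN with the standard-user prerequisite. The function names and the wording of the findings are assumptions of this example, and the input is constructed from the table's Example column.

```python
# Port per security mode, taken from the Port row of the settings table.
EXPECTED_PORT = {"None": 389, "TLS": 389, "SSL": 636}

# Constructed input: the values shown in the table's Example column.
TABLE_EXAMPLE = {
    "Administrative Group": "Administrator",
    "Base": "DC=securecircle,DC=com",
    "Host": "192.168.1.254",
    "Port": "389",
    "Security": "None",
    "User DN": "CN=Administrator,CN=Users,DC=securecircle,DC=com",
}


def split_dn(dn):
    """Split a DN on unescaped commas into (ATTR, value) pairs."""
    parts, cur, escaped = [], "", False
    for ch in dn:
        if ch == "," and not escaped:
            parts.append(cur)
            cur = ""
            continue
        escaped = (ch == "\\") and not escaped  # a backslash escapes the next char
        cur += ch
    parts.append(cur)
    return [(a.strip().upper(), v.strip()) for a, _, v in (p.partition("=") for p in parts)]


def lint_settings(s):
    """Return findings (strings) for one settings dict; an empty list means clean."""
    findings = []
    security, port = s["Security"], int(s["Port"])
    if security not in EXPECTED_PORT:
        findings.append(f"unknown Security value {security!r}")
    elif port != EXPECTED_PORT[security]:
        findings.append(f"port {port} does not fit Security={security}, table lists {EXPECTED_PORT[security]}")
    if security == "None":
        findings.append("Security=None: an LDAP simple bind sends the password in clear text")
    for key in ("Base", "User DN"):
        if any(not attr or not value for attr, value in split_dn(s[key])):
            findings.append(f"{key} is not a well-formed DN")
    if "=" in s["Administrative Group"]:
        findings.append("Administrative Group must be the display name, not CN=...")
    attr, value = split_dn(s["User DN"])[0]
    if (attr, value.lower()) == ("CN", "administrator"):
        findings.append("User DN is Administrator; prerequisites ask for a standard user")
    return findings
```

Run against the table's own example values, `lint_settings(TABLE_EXAMPLE)` returns two findings: the unencrypted bind and the Administrator bind account.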

Allowing access to Circles based on group membership

Users logged in to a device joined to an Active Directory domain can be given access to Circles.

Creating a directory service

A directory service is a configuration profile used to save Active Directory connection settings.

Creating the service

  • Log in to the SecureCircle server's web interface.
  • Under Integrations click Directory Services.
  • Click Add Service.
  • Configure the settings shown, referencing the settings information above.

Creating a directory policy

A directory policy is a set of groups. Once the policy is created, groups can be imported into the policy. Once a circle is configured to use this policy, members of these groups will be allowed access to the circle.

The group listing is not dynamic

Available settings:

| Setting Name | Description | Example |
|---|---|---|
| Allowed User SIDs (comma separated) | This allows you to designate a Windows SID which has access to everything with the assigned policy. Warning: This function will override access limitations designated to individual groups attached to this policy. As such, this should be used sparingly and only if you are unable to control access through other means. | S-1-5-21-1010-111-010 |
| Directory Service | A list of directory services is shown. Groups from this service will be available to import. | AD Integration Name |
| Policy Name | This name will be shown in the server's web interface | AD Policy 1 |
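
Because an entry in Allowed User SIDs overrides the group restrictions of the policy, the value is worth reviewing before it is saved. The following added example (not SecureCircle code) parses the comma-separated field, rejects malformed entries and flags well-known Windows SIDs that stand for many principals rather than one user. The function name, the result labels and the sample input are assumptions of this example; how the server itself treats a group SID in this field is not stated on this page.

```python
import re

# S-1-<authority>-<1 to 15 sub-authorities>
SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+){1,15})$")

# Well-known Windows SIDs that cover many principals at once.
BROAD_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-7": "Anonymous Logon",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-545": "BUILTIN\\Users",
}
# Well-known relative IDs of domain groups (last field of S-1-5-21-x-y-z-RID).
GROUP_RIDS = {512: "Domain Admins", 513: "Domain Users",
              514: "Domain Guests", 515: "Domain Computers"}

# Constructed sample value; the first entry is the example from the table.
SAMPLE = ("S-1-5-21-1010-111-010, S-1-5-11,"
          "S-1-5-21-1111111111-2222222222-3333333333-513, S-15-21,"
          " s-1-5-21-1111111111-2222222222-3333333333-1104")


def review_allowed_sids(field):
    """Classify each entry of a comma-separated 'Allowed User SIDs' value."""
    report = []
    for raw in field.split(","):
        sid = raw.strip().upper()
        if not sid:
            continue  # tolerate trailing or doubled commas
        m = SID_RE.match(sid)
        if not m:
            report.append((sid, "malformed"))
            continue
        subs = [int(x) for x in m.group(2).split("-")[1:]]
        is_domain_sid = m.group(1) == "5" and subs[0] == 21 and len(subs) == 5
        if sid in BROAD_SIDS:
            report.append((sid, "broad: " + BROAD_SIDS[sid]))
        elif is_domain_sid and subs[-1] in GROUP_RIDS:
            report.append((sid, "group: " + GROUP_RIDS[subs[-1]]))
        else:
            report.append((sid, "valid"))
    return report
```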

Creating the Policy

  • Log in to the SecureCircle server web interface.
  • Under Policies click Directory.
  • Click Create Policy.
  • Configure the settings shown, referencing Available settings above.

Importing Groups

  • Log in to the SecureCircle server web interface.
  • Under Policies click Directory.
  • Click the name of your directory policy. A new section will appear in the navigation bar.
  • Click the Import Groups button. A list of groups retrieved from the directory will be shown.
