Importing users from Active Directory

Importing Active Directory users to Forcepoint DSPM offers the following benefits:
  • Centralized User Management – By importing AD users, you can manage all users accounts from a single application, simplifying administration and reducing the risk of errors.
  • Automated Updates – Changes in AD, such as adding and removing users, are reflected inForcepoint DSPM when synchronization is enabled, ensuring that user’s data is always up to date.

These benefits collectively enhance the efficiency, security, and compliance of your organization’s data management processes.

AD Users are added to Forcepoint DSPM through Keycloak. The following video steps you through the process of configuring Keycloak’s User Federation.

Steps

  1. Open a browser and type the following URL to access Keycloak. https://<your_DSPM_IP>/auth/admin/master/console.
  2. Log in as admin.
  3. Ensure the gv realm selected.
  4. Navigate to User Federation.
  5. Select Add Ldap providers.
  6. Fill in the UI display name and Vendor fields.

    UI display name Display name of provider when linked in the Admin UI.
    Vendor LDAP vendor(provider)
  7. Fill in the Connection URL, Enable StartTLS, Use Truststore SPI, Connection pooling, Connection timeout, Bind type, Bind typeBind DN, and Bind credentials fields.

    Connection URL Connection URL to your LDAP server
    Enable StartTLS Encrypt the connection to LDAP using StartTLS which will disable connection pooling.
    Use Truststore SPI Specifies whether LDAP connection will use the Truststore SPI with the truststore configured in command-line options. 'Always' means that it will always use it. 'Never' means that it will not use it. Note that even if Keycloak truststore is not configured, the default java cacerts or certificate specified by 'javax.net.ssl.trustStore' property will be used.
    Connection pooling Determines if Keycloak should use connection pooling for accessing LDAP server.
    Connection timeout LDAP connection timeout in milliseconds.
    Bind type Type of the authentication method used during LDAP bind operation. It is used in most of the requests sent to the LDAP server. Currently only 'none' (anonymous LDAP authentication) or 'simple' (bind credential + bind password authentication) mechanisms are available.
    Bind DN DN of the LDAP admin, which will be used by Keycloak to access LDAP server
    Bind credentials Password of LDAP admin. This field is able to obtain its value from vault, use ${vault.ID} format.
  8. Fill in the Edit mode, Users DN, Username LDAP attribute, RDN LDAP attribute, UUID LDAP attribute, User object classes, User LDAP filter, Search scope, Read timeout, and Pagination fields.
    Edit mode READ_ONLY is a read-only LDAP store. WRITABLE means data will be synced back to LDAP on demand. UNSYNCED means user data will be imported, but not synced back to LDAP.
    Users DN Full DN of LDAP tree where your users are. This DN is the parent of LDAP users. It could be for example 'ou=users,dc=example,dc=com' assuming that your typical user will have DN like 'uid='john',ou=users,dc=example,dc=com'.
    Username LDAP attribute Name of the LDAP attribute, which is mapped as Keycloak username. For many LDAP server vendors it can be 'uid'. For Active directory it can be 'sAMAccountName' or 'cn'. The attribute should be filled for all LDAP user records you want to import from LDAP to Keycloak.
    RDN LDAP attribute Name of the LDAP attribute, which is used as RDN (top attribute) of typical user DN. Usually it's the same as the Username LDAP attribute, however it is not required. For example for Active directory, it is common to use 'cn' as RDN attribute when username attribute might be 'sAMAccountName'.
    UUID LDAP attribute Name of the LDAP attribute, which is used as a unique object identifier (UUID) for objects in LDAP. For many LDAP server vendors, it is 'entryUUID'; however some are different. For example, for Active directory it should be 'objectGUID'. If your LDAP server does not support the notion of UUID, you can use any other attribute that is supposed to be unique among LDAP users in tree. For example 'uid' or 'entryDN'.
    User object classes All values of LDAP objectClass attribute for users in LDAP, divided by commas. For example: 'inetOrgPerson, organizationalPerson'. Newly created Keycloak users will be written to LDAP with all those object classes and existing LDAP user records are found just if they contain all those object classes.
    User LDAP filter Additional LDAP filter for filtering searched users. Leave this empty if you don't need an additional filter. Make sure that it starts with '(' and ends with ')'.
    Search scope For one level, the search applies only for users in the DNs specified by User DNs. For subtree, the search applies to the whole subtree. See LDAP documentation for more details.
    Read timeout LDAP read timeout in milliseconds. This timeout applies for LDAP read operations.
    Pagination Whether the LDAP server supports pagination.
  9. Enable the Import users, Sync Registrations, Batch size, Periodic full sync, Periodic changed users sync fields.

    Import users If true, LDAP users will be imported into the Keycloak DB and synced by the configured sync policies.
    Sync Registrations Should newly created users be created within LDAP store? Priority effects which provider is chosen to sync the new user. This setting is effectively appplied only with WRITABLE edit mode.
    Batch size Count of LDAP users to be imported from LDAP to Keycloak within a single transaction
    Periodic full sync Whether periodic full synchronization of LDAP users to Keycloak should be enabled or not.
    Periodic changed users sync Whether periodic synchronization of changed or newly created LDAP users to Keycloak should be enabled or not
  10. Enable the Allow Kerberos authentication, Use Kerberos for password authention fields.
    Allow Kerberos authentication Enable/disable HTTP authentication of users with SPNEGO/Kerberos tokens. The data about authenticated users will be provisioned from this LDAP server.
    Use Kerberos for password authentication User Kerberos login module for authenticating username/password against Kerberos server instead of authenticating against LDAP server with Directory Service API
  11. Set the Cache policy.
    Cache policy Cache Policy for this storage provider. 'DEFAULT' is whatever the default settings are for the global cache. 'EVICT_DAILY' is a time of day every day that the cache will be invalidated. 'EVICT_WEEKLY' is a day of the week and time the cache will be invalidated. 'MAX_LIFESPAN' is the time in milliseconds that will be the lifespan of a cache entry.
  12. Enable the fields Enable the LDAPv3 password modify extended operation, Validate password policy, Trust Email fields.
    Enable the LDAPv3 password modify extended operation Use the LDAPv3 Password Modify Extended Operation (RFC-3062). The password modify extended operation usually requires that LDAP user already has password in the LDAP server. So when this is used with 'Sync Registrations', it can be good to add also 'Hardcoded LDAP attribute mapper' with randomly generated initial password.
    Validate password policy Determines if Keycloak should validate the password with the realm password policy before updating it.
    Trust email If enabled, email provided by this provider is not verified even if verification is enabled for the realm.

Result

The imported user details should be visible from the Policy Center > Departments.