Configuring LDAP server integration
Kaspersky Container Security lets you connect to servers of external directory services that are used in your organization. This is an integration with a specific group in Active Directory.
Connection to an external directory service over the LDAP protocol enables you to perform the following tasks:
- Configure user accounts to take into account data from an external directory service for working with Kaspersky Container Security.
- Correlate user roles in Kaspersky Container Security to groups of users from Active Directory. Users in these groups will be able to use their domain account credentials to log in to the solution web interface and access application functionality based on their assigned role.
We recommend that you create these user groups in Active Directory in advance to allow them to complete authorization using their domain accounts in the Kaspersky Container Security web interface.
An email address must be indicated for user accounts in Active Directory.
Creating LDAP server integration
To create an integration with an LDAP server:
- In the Administration → Integrations → LDAP section, click the Connect server button.
  The LDAP server settings window opens.
- Specify the following mandatory settings in the form fields:
  - Web address (URL) of your company's LDAP server.
    The web address of the LDAP server is specified as follows:
    ldap://<host>:<port>
    For example: ldap://ldap.example.com:389
  - Base distinguished name: in the context of an LDAP name, this is the name that uniquely identifies and describes a record of the LDAP directory server.
    For example, the base distinguished name for example.com is:
    dc=example, dc=com
  - User authorization filter: in the context of an LDAP search, this is a filter that generates a user authorization request and indicates where to start searching for a user in the Active Directory catalog tree.
    The filter for user authorization must be specified as follows:
    sAMAccountName=%s,ou=Accounts
  - Group filter for defining the group search settings in Active Directory.
  - User filter for defining the user search settings in Active Directory.
- Under Base schema, specify the values of the following attributes and classes of objects:
  - Object class is the type of object to search for.
  - Organizational unit class is the LDAP object class that identifies the object as a container object within the domain.
  - User class is the LDAP object class that identifies the object as a user.
  - Organization unit name is the attribute of a group that identifies its name.
  - Group class is the class that identifies the LDAP object as a group.
  - Distinguished name attribute is the unique distinguishing name of the record.
- Under User settings, specify the values of the following object attributes:
  - User first name attribute.
  - User lastname attribute.
  - Group name attribute.
  - User username attribute.
    When authorizing with a user account, the username may need to be specified together with the realm in the following format:
    <username>@<realm>
    For example: user@example.com
  - User password.
  - Group member.
  - User email attribute.
  - User member of.
- Click the Save button above the form for LDAP server integration data.
- To verify that the values were filled in correctly, click the Test connection button above the form for LDAP server integration data.
  Kaspersky Container Security will display a notification informing you of the successful connection to the LDAP server or a failure to establish the connection.
If the LDAP server certificate changes, reconfigure the integration.
You can use the configured integration when creating and assigning user roles.
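The following pre-flight check is an added example, not part of the Kaspersky documentation or product. It reviews the server address and audits an LDIF export of the Active Directory group you plan to map to a role, flagging members that have no email address or sit outside the base distinguished name. The group name KCS-Admins, the sample entries, the attribute names mail and memberOf, and the acceptance of ldaps:// are assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample LDIF export (no folded or base64-encoded lines).
SAMPLE_LDIF = """\
dn: CN=Alice Admin,OU=Accounts,DC=example,DC=com
sAMAccountName: alice
mail: alice@example.com
memberOf: CN=KCS-Admins,OU=Groups,DC=example,DC=com

dn: CN=Bob Ops,OU=Accounts,DC=example,DC=com
sAMAccountName: bob
memberOf: CN=KCS-Admins,OU=Groups,DC=example,DC=com

dn: CN=Carol Dev,OU=Accounts,DC=other,DC=com
sAMAccountName: carol
mail: carol@example.com
memberOf: CN=KCS-Admins,OU=Groups,DC=example,DC=com
"""

def check_server_url(url):
    """Findings for a server address of the form ldap://<host>:<port>."""
    parts, findings = urlsplit(url), []
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:  # ldaps: assumption
        findings.append("expected ldap://<host>:<port>")
    elif parts.scheme == "ldap":
        findings.append("ldap:// is not encrypted by itself; confirm TLS protects the bind")
    return findings

def norm_dn(dn):
    """Lower-case a DN and drop spaces around commas (escaped commas not handled)."""
    return [rdn.strip().lower() for rdn in dn.split(",")]

def audit_group(ldif, base_dn, group_dn, login="samaccountname", mail="mail"):
    """Map each member of group_dn to the problems to fix before mapping the group to a role."""
    base, group, report = norm_dn(base_dn), norm_dn(group_dn), {}
    for block in ldif.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            name, _, value = line.partition(": ")
            entry.setdefault(name.lower(), []).append(value.strip())
        if group not in map(norm_dn, entry.get("memberof", [])):
            continue  # not a member of the group being mapped
        problems = []
        if norm_dn(entry["dn"][0])[-len(base):] != base:
            problems.append("outside base DN")
        if not any(entry.get(mail, [])):
            problems.append("no email address")
        report[entry[login][0]] = problems
    return report
```

Run audit_group on an export of your own group and resolve every non-empty entry before clicking Test connection.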
Viewing and editing information about LDAP server integration
To view the LDAP server connection:
Go to the Administration → Integrations → LDAP section.
Kaspersky Container Security displays the web address of the connected LDAP server above the Test connection, Change settings, and Delete integration buttons.
To change the settings for the connection to the LDAP server:
In the Administration → Integrations → LDAP section, click the Edit settings button.
Kaspersky Container Security opens the page containing the form for LDAP server integration data.
Testing connection with LDAP server
To test the connection with the LDAP server:
- Go to the Administration → Integrations → LDAP section.
- Do one of the following:
- If the integration with the LDAP server is created, click the Test connection button.
- If you are creating an integration with an LDAP server, click the Test connection button above the form for LDAP server integration data.
Kaspersky Container Security will display a notification informing you of the connection to the LDAP server or a failure to establish the connection.
Gaining access to Active Directory group
After the integration with the LDAP server is configured, you can specify an Active Directory group for each Kaspersky Container Security role. After authorizing their account credentials, the users from this group gain access to solution functionality based on their defined roles.