Nailing the Security Audit with RRCU

ConductorOne docs

Set up an Active Directory connector

ConductorOne provides identity governance and just-in-time provisioning for Active Directory. Integrate your on-prem Active Directory server with ConductorOne to run user access reviews (UARs), enable just-in-time access requests, and automatically provision and deprovision access.

Availability

The Active Directory connector supports Windows and Linux.

Capabilities

  • Sync user identities from Active Directory to ConductorOne

  • Resources supported:

    • Groups
  • Provisioning supported:

    • Groups

Integrate your Active Directory instance

Once baton-active-directory is installed and the integration is set up, Baton runs as a service in your environment. The service maintains contact with ConductorOne, syncs and uploads data at regular intervals, and passes that data to the ConductorOne UI, where you and your colleagues can use it to run access reviews and manage access requests for the application.

Connector modes

The Active Directory connector can be run in either LDAP mode (default) or WinLDAP mode.

Both modes can sync and provision the same resources, but WinLDAP mode supports additional authentication methods. LDAP mode uses a Golang LDAP library to connect to the Active Directory server. WinLDAP mode uses Windows system calls. If LDAP mode does not connect (usually because your AD server requires more secure authentication methods), then try running the connector with --mode=winldap.

Step 1: Set up the Active Directory connector in ConductorOne

This task requires the Connector Administrator or Super Administrator role in ConductorOne.

  1. In ConductorOne, click Connectors > Add connector.

  2. Search for Baton and click Add.

  3. Choose whether to add the Active Directory connector to an existing application in ConductorOne (and select the app of your choice) or to create a new application.

    Once configuration is complete, the new application’s name will automatically change from Baton to Active Directory.

  4. Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of ConductorOne users. Setting multiple owners is allowed.

  5. Click Next.

    If you selected someone else as the connector owner, that person will be notified to take over this process from this point.

  6. Find the Settings area of the page and click Edit.

  7. Click Rotate to generate a new set of credentials. Carefully copy the client ID and secret. You’ll use them in Step 2.

Step 2: Install baton-active-directory

  1. Contact ConductorOne’s support team to download the latest version of the connector.

  2. Install and set up the connector by running:

    baton-active-directory.exe setup
    

    To use ConductorOne to provision Active Directory groups: Be sure to include the --provisioning flag on the install command.

    If you are not using ConductorOne for LDAP provisioning, do not include this flag when you run the install command.

You’ll be prompted to provide:

  • The base DN to search from. Example: “DC=baton,DC=example,DC=com”

  • The fully qualified Windows domain to connect with. Example: “baton.example.com”

  • The client ID you generated in Step 1.

  • The client secret you generated in Step 1.

Run baton-active-directory --help to see the list of flags to be used when passing your credentials to the connector.

The config file is written to C:\ProgramData\ConductorOne\baton-active-directory\config.yaml, and is formed like the following:

base-dn: dc=baton-dev,dc=d2,dc=ductone,dc=com
domain: baton-dev.d2.ductone.com
mode: winldap
client-id: clean-ogre-26349@insulator.conductor.one/ccc
client-secret: secret-token:conductorone.com:v1:...

The log file is written to C:\ProgramData\ConductorOne\baton-active-directory\baton.log.

Step 3: Manage the baton-active-directory Windows service

  1. Once you have provided this information, a new Windows service named baton-active-directory will be created in the Stopped state. You can now use the .\baton-active-directory command to manage the service.

    • To start the service, run .\baton-active-directory start.

    • To stop the service, run .\baton-active-directory stop.

    • To check the status of the service, run .\baton-active-directory status.

    • To remove the service, run .\baton-active-directory remove.

  2. The connector syncs current data, uploads it to ConductorOne, and prints a Task complete! message when finished.

  3. Check that the connector data uploaded correctly. In ConductorOne, click Applications. On the Managed apps tab, locate and click the name of the application you added the Active Directory connector to. Active Directory data should be found on the Entitlements and Accounts tabs.