
Set up an Active Directory connector

ConductorOne provides identity governance and just-in-time provisioning for Active Directory. Integrate your on-prem Active Directory server with ConductorOne to run user access reviews (UARs), enable just-in-time access requests, and automatically provision and deprovision access.

Availability

The Active Directory connector supports Windows and Linux.

Capabilities

Resource | Sync | Provision
-------- | ---- | ---------
Accounts |      |
Groups   |      |

Available hosting methods

Choose the hosting method that best suits your needs:

Method       | Availability | Notes
------------ | ------------ | -----
Cloud-hosted |              | A built-in, no-code connector hosted by ConductorOne.
Self-hosted  |              | The Active Directory connector, hosted and run in your own environment. Contact ConductorOne’s support team to download the latest version of the connector.

Integrate your Active Directory instance

Once baton-active-directory is installed and the integration is set up, Baton runs as a service in your environment. The service maintains contact with ConductorOne, syncs and uploads data at regular intervals, and passes that data to the ConductorOne UI, where you and your colleagues can use it to run access reviews and manage access requests for the application.

Connector modes

The Active Directory connector can be run in either LDAP mode (default) or WinLDAP mode.

Both modes can sync and provision the same resources, but WinLDAP mode supports additional authentication methods. LDAP mode uses a Golang LDAP library to connect to the Active Directory server. WinLDAP mode uses Windows system calls. If LDAP mode does not connect (usually because your AD server requires more secure authentication methods), then try running the connector with --mode=winldap.
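Before choosing a mode it helps to confirm from the connector host that the domain resolves, that the LDAP ports are reachable, and that the base DN is actually searchable. The following pre-flight check is an added example for this page, not part of the ConductorOne docs or the baton-active-directory connector. It assumes a domain-joined Windows host and uses the docs’ placeholder domain and base DN, which you must replace with your own; the bind uses the current Windows identity, which is the kind of integrated authentication WinLDAP mode relies on.

```powershell
# Added pre-flight check (not part of the ConductorOne docs or the connector).
# Assumes a domain-joined Windows host; domain and base DN are placeholders from the docs.
$Domain = 'baton.example.com'           # fully qualified Windows domain (replace)
$BaseDn = 'DC=baton,DC=example,DC=com'  # base DN to search from (replace)

# 1. Name resolution: the domain name should resolve to one or more domain controllers.
$dcs = Resolve-DnsName -Name $Domain -Type A -ErrorAction Stop | Where-Object { $_.IPAddress }
Write-Host "Resolved $Domain to: $($dcs.IPAddress -join ', ')"

# 2. Transport: LDAP (389) and LDAPS (636). LDAP mode needs one of these reachable from this host.
foreach ($port in 389, 636) {
    $r = Test-NetConnection -ComputerName $Domain -Port $port -WarningAction SilentlyContinue
    Write-Host ("TCP {0,-4} reachable: {1}" -f $port, $r.TcpTestSucceeded)
}

# 3. Directory access: bind as the current Windows identity and confirm the base DN
#    exists and returns objects; the connector syncs groups, so sample a few of them.
$root = [ADSI]"LDAP://$Domain/$BaseDn"
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter = '(objectClass=group)'
$searcher.SizeLimit = 5
$searcher.PropertiesToLoad.Add('distinguishedName') | Out-Null
try {
    $sample = $searcher.FindAll()
    Write-Host "Base DN $BaseDn is searchable; sample groups:"
    $sample | ForEach-Object { Write-Host ('  ' + $_.Properties['distinguishedname'][0]) }
    $sample.Dispose()
} catch {
    Write-Warning "Could not search $BaseDn as $env:USERDOMAIN\$env:USERNAME : $($_.Exception.Message)"
    Write-Warning "If the server rejects LDAP mode's authentication, run the connector with --mode=winldap."
}
```

Run it as the account the service will run under: a bind that works for your admin session but fails for the service account is the most common reason the connector shows as not connected.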

To complete this task, you’ll need:

  • The Connector Administrator or Super Administrator role in ConductorOne
  • Access to the set of Active Directory credentials generated by following the instructions above

  1. In ConductorOne, click Connectors > Add connector.

  2. Search for Active Directory and click Add.

  3. Choose how to set up the new Active Directory connector:

    • Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren’t yet managed with ConductorOne)

    • Add the connector to a managed app (select from the list of existing managed apps)

    • Create a new managed app

  4. Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of ConductorOne users. Setting multiple owners is allowed.

    If you choose someone else, ConductorOne will notify the new connector owner by email that their help is needed to complete the setup process.

  5. Click Next.

  6. Find the Settings area of the page and click Edit.

  7. Click Save.

  8. The connector’s label changes to Syncing, followed by Connected. You can view the logs to ensure that information is syncing.

That’s it! Your Active Directory connector is now pulling access data into ConductorOne.

Set up an Active Directory self-hosted connector

This task requires the Connector Administrator or Super Administrator role in ConductorOne.

Step 1: Configure the Active Directory connector

  1. In ConductorOne, click Connectors > Add connector.

  2. Search for Baton and click Add.

  3. Choose whether to add the Active Directory connector to an existing application in ConductorOne (and select the app of your choice) or to create a new application.

    Once configuration is complete, the new application’s name will automatically change from Baton to Active Directory.

  4. Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of ConductorOne users. Setting multiple owners is allowed.

  5. Click Next.

    If you selected someone else as the connector owner, that person will be notified to take over this process from this point.

  6. Find the Settings area of the page and click Edit.

  7. Click Rotate to generate a new set of credentials. Carefully copy the client ID and secret. You’ll use them in Step 2.

Step 2: Install baton-active-directory

  1. Contact ConductorOne’s support team to download the latest version of the connector.

  2. Install and set up the connector by running:

    baton-active-directory.exe setup

    To use ConductorOne to provision Active Directory groups, be sure to include the --provisioning flag on the install (setup) command.

    If you are not using ConductorOne for LDAP provisioning, do not include this flag when you run the install command.

You’ll be prompted to provide:

  • The base DN to search from. Example: “DC=baton,DC=example,DC=com”

  • The fully qualified Windows domain to connect with. Example: “baton.example.com”

  • The client ID you generated in Step 1.

  • The client secret you generated in Step 1.

Run baton-active-directory --help to see the list of flags to be used when passing your credentials to the connector.

The config file is written to C:\ProgramData\ConductorOne\baton-active-directory\config.yaml, and is formed like the following:

    base-dn: dc=baton-dev,dc=d2,dc=ductone,dc=com
    domain: baton-dev.d2.ductone.com
    mode: winldap
    client-id: clean-ogre-26349@insulator.conductor.one/ccc
    client-secret: secret-token:conductorone.com:v1:...

The log file is written to C:\ProgramData\ConductorOne\baton-active-directory\baton.log.

Step 3: Manage the baton-active-directory Windows service

  1. Once you have provided this information, a new Windows service named baton-active-directory will be created in the Stopped state. You can now use the .\baton-active-directory command to manage the service.

    • To start the service, run .\baton-active-directory start.

    • To stop the service, run .\baton-active-directory stop.

    • To check the status of the service, run .\baton-active-directory status.

    • To remove the service, run .\baton-active-directory remove.

  2. The connector syncs current data, uploads it to ConductorOne, and prints a Task complete! message when finished.

  3. Check that the connector data uploaded correctly. In ConductorOne, click Applications. On the Managed apps tab, locate and click the name of the application you added the Active Directory connector to. Active Directory data should be found on the Entitlements and Accounts tabs.
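Because config.yaml holds the connector’s client secret and the service runs unattended, it is worth verifying the installation from the host as well as from the ConductorOne UI. The script below is an added example for this page, not part of the ConductorOne docs or the connector. It assumes the default config and log paths given in Step 2, the flat key: value layout of the sample config.yaml, and the service name and Task complete! log message from Step 3; the ACL check treats Everyone, Users and Authenticated Users as overly broad readers of the secret.

```powershell
# Added post-install check (not part of the ConductorOne docs or the connector).
# Assumes the default paths from Step 2 and the key names of the sample config.yaml.
$ConfigPath = 'C:\ProgramData\ConductorOne\baton-active-directory\config.yaml'
$LogPath    = 'C:\ProgramData\ConductorOne\baton-active-directory\baton.log'

# 1. Parse the flat key: value config written by `setup` (no nested YAML expected).
$cfg = @{}
Get-Content -Path $ConfigPath | ForEach-Object {
    if ($_ -match '^\s*([A-Za-z0-9-]+)\s*:\s*(.*?)\s*$') { $cfg[$Matches[1]] = $Matches[2] }
}
foreach ($k in 'base-dn', 'domain', 'client-id', 'client-secret') {
    if (-not $cfg.ContainsKey($k) -or [string]::IsNullOrWhiteSpace($cfg[$k])) {
        Write-Warning "config.yaml is missing '$k'"
    }
}
if ($cfg['mode'] -and $cfg['mode'] -notin 'ldap', 'winldap') {
    Write-Warning "unknown mode '$($cfg['mode'])' (expected ldap or winldap)"
}

# 2. The base DN's DC components should spell out the domain,
#    e.g. dc=baton-dev,dc=d2,dc=ductone,dc=com  <->  baton-dev.d2.ductone.com
$dcLabels = ($cfg['base-dn'] -split ',' |
    Where-Object { $_ -match '^\s*dc=' } |
    ForEach-Object { ($_ -split '=', 2)[1].Trim() }) -join '.'
if ($dcLabels -ne $cfg['domain']) {
    Write-Warning "base-dn ($dcLabels) does not match domain ($($cfg['domain']))"
}

# 3. config.yaml contains the client secret: broad read access to it is a finding.
$acl = Get-Acl -Path $ConfigPath
$broad = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference -match 'Everyone|\\Users$|Authenticated Users' -and
    $_.FileSystemRights -match 'Read|Modify|FullControl'
}
if ($broad) { Write-Warning "config.yaml is readable by: $($broad.IdentityReference -join ', ')" }

# 4. Service state and the most recent completed sync recorded in baton.log.
Get-Service -Name 'baton-active-directory' | Select-Object Name, Status, StartType
if (Test-Path $LogPath) {
    $last = Select-String -Path $LogPath -Pattern 'Task complete!' | Select-Object -Last 1
    if ($last) { Write-Host "Last completed sync: line $($last.LineNumber): $($last.Line)" }
    else       { Write-Warning "No 'Task complete!' entry in baton.log yet" }
}
```

A mismatch in step 2 usually means the base DN was typed for a different domain than the one the connector binds to; a warning in step 3 means the secret should be rotated in ConductorOne (Step 1, Rotate) after the file’s permissions are tightened, since anyone who could read the file could have copied it.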