You can configure an LDAP sync connector to import users and user groups from a Lightweight Directory Access Protocol (LDAP) or Active Directory (AD) server. In the configuration, you specify whether to authenticate the imported users through the LDAP server. Alternatively, the users can authenticate through:
- An AD server for the domain to which the Tanium Server is joined.
- The local accounts on the Tanium Server host computer (Windows). Deployments with the Tanium Appliance can use the local authentication service or a pluggable authentication module (PAM); consult your technical account manager (TAM) for details.
User and user group updates are automatically synchronized from the LDAP server every five minutes. At each synchronization, users and user groups are added or deleted, and group members might be added or deleted.
Only users assigned the Administrator reserved role can see and use the Configuration pages, including the LDAP Sync configuration page.
- The Tanium Server initiates a connection to the back-end LDAP server. The standard port for LDAP is 389 (3268 for an AD global catalog). The standard port for LDAPS is 636 (3269 for an AD global catalog). In the LDAP sync configuration, you can specify whatever port your LDAP server listens on for its inbound LDAP traffic. Network security must be configured to allow this traffic.
- You must know the base distinguished name (DN), IDs, and filter expressions for the users and user groups you want to import.
- The LDAP server must allow the LDAP sync connector user to query the LDAP server using the configured filter expression(s).
- Go to Configuration > Authentication > LDAP Sync.
- Click Add Server to display the Server Configuration page.
- Complete the settings using the guidance provided in Table 1.
- Click Show Preview to Continue and review the users and groups to be imported.
- Save the configuration.
You can clone an LDAP sync configuration, change the user domain, base DN, and other LDAP query fields, and then save the configuration. Configuration cloning enables you to quickly add connections for multiple domains or multiple groups. (The LDAP query does not return subgroups, so you must create a sync connection configuration for each subgroup you want to import.)
- Go to Configuration > Authentication > LDAP Sync.
- Click Copy.
When you delete an LDAP sync configuration:
- Users and user groups are no longer updated from the LDAP server.
- Users and user groups that had been imported are deleted from Tanium at the next sync time (within 5 minutes).
Disabling a configuration and deleting a configuration have the same effect. Delete the configuration when you no longer want that information saved in the Tanium Server. For details about disabling a configuration, see Configuration.
You can export the configuration to an XML file and import a signed XML file into the same or different Tanium Server. You might do this, for example, to share the connection information when troubleshooting the LDAP query with your LDAP administrator.
- From any Content or Permissions page, click Export to XML in the top right of the Tanium Console.
- Select LDAP Synchronization Connectors and click Export.
- Enter a File Name or accept the default, and then click OK. The Tanium Server exports the XML file to the Downloads folder on the system you use to access the Tanium Console.
- Use KeyUtility.exe to sign the XML configuration file before you import it. As a one-time action, you must also copy the associated public key to the correct folder. For the procedures, see Signing content XML files.
- From any Content or Permissions page, click Import from XML at the top right of the Tanium Console.
- Click Choose File, find and select the configuration file, and click Open.
- Click Import. If object names in the file are the same as for existing objects, the Tanium Console itemizes the conflicts and provides resolution options for each one.
- Select resolutions for any conflicts. For guidance, see Conflicts and Best practices or consult your TAM.
- Click Import again, and click Close when the import finishes.
The Tanium Server synchronizes (imports) users and user groups from the external LDAP server every five minutes. Each LDAP sync connector populates a set of configuration objects. It is therefore possible to create multiple configuration objects for a single real user. For example, if you use the Tanium Console to manually create a user john.doe, and also configure two LDAP sync connectors to import from two LDAP servers, the Tanium Server will have three user configurations for john.doe.
Consequently, it is important to understand the ramifications when deleting users in different ways:
- If you delete a user configuration that was created manually, but the user still matches the LDAP sync filter, a configuration for the user remains in the Tanium Console.
- If you use the Tanium Console to delete a user imported through LDAP, that user remains deleted after the next synchronization.
- If you delete a user from the back-end LDAP server configuration, the user is marked as locked out upon the next import into the Tanium Console. The user cannot log in, but the user account is not deleted automatically. Any scheduled questions and scheduled actions that the user has configured continue to run. This gives other Tanium administrators the opportunity to take stock of the situation and re-create the scheduled questions and actions under a different user account if necessary.
The following are best practices to avoid unexpected issues:
- Plan to do some work on the back-end LDAP server to create LDAP user groups that correspond with the Tanium user groups you want to create and the users you want to associate with Tanium access.
- Plan to manage Tanium access by managing the back-end LDAP server configuration, not the front-end Tanium Console configuration. For example, the best way to on-board and off-board users is by adding them to a group that is imported or deleting them from a group that is imported.
- Be sure to control access to the back-end LDAP server configuration so that LDAP administrators who are not familiar with your Tanium deployment cannot make changes that affect it.
- Maintain at least one user in the Users configuration that is not populated by the LDAP sync connector. This configuration should be assigned the Administrator reserved role and can be used to log into the Tanium Console and re-configure the LDAP sync connector in case it fails. Some organizations provision multiple admin users outside of the LDAP sync connector for this reason. When configuring the LDAP sync connector, you can configure a users filter to prevent synchronization for an account.
- Be careful when you delete user configurations. As you transition from manually created users to imported users, you probably want to clean up the apparent duplicates. However, the john.doe configuration that was created manually and the john.doe configuration that was imported have different object IDs. For example, let's say the first john.doe has object ID 2, and the second john.doe has object ID 3. The Tanium Console objects—such as scheduled actions, saved questions, Tanium Connect objects, solution plugins, or solution module services—that were created by the john.doe user that has object ID 2 do not also belong to the user with object ID 3. If you delete the john.doe configuration that has ID 2, you must be ready to re-create the configuration objects that run under that ID. See the user management topic for details.
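As an added example (not Tanium's code), the following Python builds an RFC 4515 users filter of the kind a sync connector accepts, excludes a break-glass administrator account from synchronization as the last practice above suggests, and evaluates the filter against constructed directory entries to show why a group-based filter does not pick up members of nested subgroups (the reason for the one-configuration-per-subgroup note under cloning). The group DN, account names and entries are hypothetical.

```python
# Added example (not Tanium's code): build an RFC 4515 users filter for an LDAP sync
# connector and evaluate it against constructed, hypothetical AD-style entries to show
# (a) excluding a break-glass admin from sync and (b) that memberOf ignores subgroups.
# Filter nodes: ("eq", attr, value), ("and", [nodes]), ("or", [nodes]), ("not", node).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape(value: str) -> str:
    """Escape a value for use inside an LDAP filter (RFC 4515 section 3)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render(node) -> str:
    """Render a filter node as the string the LDAP server receives."""
    op = node[0]
    if op == "eq":
        return f"({node[1]}={escape(node[2])})"
    if op == "not":
        return f"(!{render(node[1])})"
    return "(" + {"and": "&", "or": "|"}[op] + "".join(map(render, node[1])) + ")"


def matches(node, entry: dict) -> bool:
    """Evaluate a node against one entry (attr -> list of values), case-insensitively."""
    op = node[0]
    if op == "eq":
        return any(v.lower() == node[2].lower() for v in entry.get(node[1], []))
    if op == "not":
        return not matches(node[1], entry)
    if op == "and":
        return all(matches(n, entry) for n in node[1])
    return any(matches(n, entry) for n in node[1])


GROUP_DN = "CN=Tanium Operators,OU=Groups,DC=example,DC=com"  # hypothetical group
# Users filter: direct members of the imported group, minus the break-glass admin.
USERS_FILTER = ("and", [
    ("eq", "objectClass", "user"),
    ("eq", "memberOf", GROUP_DN),
    ("not", ("eq", "sAMAccountName", "tanium-breakglass")),
])
# Constructed entries; jane.roe is only in a subgroup nested under GROUP_DN, so the
# directory does not list GROUP_DN in her memberOf attribute (memberOf is not transitive).
ENTRIES = [
    {"sAMAccountName": ["john.doe"], "objectClass": ["user"], "memberOf": [GROUP_DN]},
    {"sAMAccountName": ["tanium-breakglass"], "objectClass": ["user"], "memberOf": [GROUP_DN]},
    {"sAMAccountName": ["jane.roe"], "objectClass": ["user"],
     "memberOf": ["CN=Tier2 Ops,OU=Groups,DC=example,DC=com"]},
]


def imported_users(node, entries) -> list:
    """Account names the connector would import under this filter."""
    return sorted(e["sAMAccountName"][0] for e in entries if matches(node, e))
```

Because jane.roe's nested membership is not matched, importing her requires a second connector configuration whose filter names her subgroup directly.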
Last updated: 2/6/2019 2:40 PM