Other versions

Using LDAP

You can configure an LDAP sync connector to import users and user groups from a Lightweight Directory Access Protocol (LDAP) or Active Directory (AD) server.

In the configuration, you specify whether the users that are imported via the sync connector are authenticated against the LDAP server. If you do not want to use the back-end LDAP server as the authentication source, the users can still be imported from LDAP but authenticated against an AD server for the domain to which the Tanium Server is joined or the local accounts on the Tanium Server host computer (Windows). Deployments with the Tanium Appliance can use the local authentication service or a pluggable authentication module (PAM). Consult your technical account manager (TAM) for details.

Role requirements

Only users assigned the Administrator reserved role can see and use the Configuration pages, including the LDAP Sync configuration page.

Before you begin

  • The Tanium Server initiates a connection to the back-end LDAP server. The standard port for LDAP is 389. The standard port for LDAPS is 636. In the LDAP sync configuration, you can specify whatever port your LDAP server listens on for its inbound LDAP traffic. Network security must be configured to allow this traffic.
  • You must know the base distinguished name (DN), IDs, and filter expressions for the users and user groups you want to import.
  • The LDAP server must allow the LDAP sync connector user to query the LDAP server using the configured filter expression(s).

Configure the LDAP server connection

  1. Go to Configuration > Authentication > LDAP Sync.
  2. Click Add Server to display the Server Configuration page.
  3. Complete the settings using the guidance provided in Table 1.
  4. Click Show Preview to Continue and review the users and groups to be imported.
  5. Save the configuration.
Table 1:   LDAP Sync configuration
Settings Guidelines
Configuration Enable/Disable the configuration. If the configuration is enabled, synchronization occurs every 5 minutes. If the configuration is disabled, the users and user groups that were previously imported are deleted at the next sync time (within 5 minutes). If the configuration is subsequently re-enabled, the users and user groups are re-added, with the same object ID that they were initially assigned.
Name Configuration name.
Host Fully-qualified domain name (FQDN) or IP address for the LDAP server.
Port Port number. Specify whatever port your LDAP server listens on for its inbound LDAP traffic.

The standard port for LDAP is 389. This is used for unencrypted connections, connections that use StartTLS, and Active Directory connections that use sign and encrypt options.

The standard port for LDAPS is 636.

Encryption
  • None. Do not use in production.
  • Sign and encrypt. The LDAP connector turns on the LDAP_OPT_SIGN and LDAP_OPT_ENCRYPT session options. The session is encrypted, but it does not use TLS. Use this option only for Tanium Server on Windows and the external LDAP server is an AD server.
  • StartTLS. The LDAP connector calls ldap_start_tls_s to set up a TLS connection. You can use this option with Tanium Server on Windows or the Tanium Appliance.
  • LDAPS. The LDAP connector initiates an SSL connection to the LDAPS server.
NTLM Uses NTLM for the connection with the LDAP server. Enabled by default. Recommended when the Tanium Server is installed on a Windows Server and the connection is to an Active Directory server. If you use NTLM, the Tanium Server service account is used, and you do not need to configure a user name and password.

The LDAP server must allow this account to query with the filter expression(s) configured for the LDAP sync connector.

LDAP User Name / Password If you cannot use NTLM, specify an LDAP server user name and password. We recommend that you provision a special account for this purpose. The account should have privileges that are sufficient to query the LDAP server but otherwise be an account with low privileges.
User Domain Example: tam.local
Base Users The base DN for users.

Example: cn=Users,dc=tam,dc=local

Note: If the Tanium Server is an Appliance (Linux), the Base User or the Base Group values cannot be the root of a domain.

Filter Users The filter for user names.

Example: objectClass=user

Tanium Appliance Note: If you create an LDAP Sync Connector for the Tanium Server local authentication service, you must use the following user filter:

(&(objectClass=person)(uidNumber>=20000))

User ID Field Example: objectGUID

Note: Case sensitive.

User Name Field Example: cn or sAMAccountName

The value imported for this field becomes the user name that users type to log into the Tanium Console. Be sure to specify the field that is suitable for this purpose and be sure to communicate the expected form to your users.

Note: Case sensitive.

Authentication
  • Use LDAP for user authentication

    Send authentication requests to the configured server. In most cases, use this option.

  • Disable LDAP user authentication

    Only synchronize the users and groups. Authentication is handled by a local authentication service. Use this option if you have implemented an authentication service on the Tanium Server host computer.

This feature was introduced in 7.1.314.2874.

Group Membership
  • Synchronize all matching users

    Synchronize against the user filter expression specified above.

  • Synchronize only users that are members of synchronized groups

    Synchronize users against the set of users belonging to the groups specified by the filter group expression below.

Base Groups The base DN for the user group. The LDAP query does not return subgroups, so you must create sync connection configurations for each subgroup you want to import.

Example: cn=Ops,ou=TaniumAdmins,dc=tam,dc=local

Note: If the Tanium Server is an Appliance (Linux), the Base User or the Base Group values cannot be the root of a domain.

Filter Groups The filter for user groups.

Example: objectClass=group

Note: You can use the backslash (\) to escape special characters in a group name. For Windows, use one backslash (example: name=\#myGroup). For the Appliance (Linux), use two backslashes (example: name=\\#myGroup).

Group ID Field Example: objectGUID

Note: Case sensitive.

Group Name Field Example: cn

Note: Case sensitive.

Group Member Example: member

Note: Case sensitive.

Synchronize LDAP updates

Synchronization occurs automatically every 5 minutes.

When user and user group updates are synchronized from the LDAP server:

  • Users are added or deleted.
  • User groups are added or deleted and group members might be added or deleted.

Clone an LDAP sync configuration

You can clone an LDAP sync configuration, change the user domain, base DN, and other LDAP query fields, and then save the configuration. Configuration cloning enables you to quickly add connections for multiple domains or multiple groups (The LDAP query does not return subgroups, so you must create sync connection configurations for each subgroup you want to import.)

To clone a configuration, go to the LDAP Sync page and click the copy icon.

Delete an LDAP sync configuration

When you delete an LDAP sync configuration:

  • Users and user groups are no longer updated from the LDAP server.
  • Users and user groups that had been imported are deleted from Tanium at the next sync time (within 5 minutes).

Disabling a configuration and deleting a configuration have the same effect. Delete the configuration when you no longer want that information saved in the Tanium Server.

Import/export the LDAP sync configuration

You can export the configuration to an XML file and import a signed XML file into the same or different Tanium Server. You might do this, for example, to share the connection information when troubleshooting the LDAP query with your LDAP administrator.

Export

  1. From any Authoring, Content Sets, or Roles page, click the Export to XML link in the top right.
  2. In the Export Content selection box, select the LDAP item and click Export.
  3. Enter a file name or use the default and click OK.

Import

  1. From any Authoring, Content Sets, or Roles page, click the Import from XML link in the top right.
  2. Browse to and select the configuration file and click Import.

You must use KeyUtility.exe to sign XML files before you import them. You must also copy the public key for the key that signed the XML file to the Tanium Server keys folder. When you import content, the Tanium Server verifies the signature on the imported content against its store of content signing key files. See Signing content XML files.

Best practices

Users and user groups are synchronized (imported) from the external LDAP server every 5 minutes. Each connector populates a set of configuration objects. It is therefore possible to create multiple configuration objects for a single real user. For example, if a user john.doe is created manually with the Tanium Console user editor, imported from LDAP Server 1, and imported from LDAP Server 2, there will be three user configurations for john.doe.

Figure  1:  LDAP sync populating the Users and User Groups configuration

Consequently, it is important to understand the ramifications when deleting users in different ways:

  • If you delete a user configuration that was created manually, but the user still matches the LDAP sync filter, a configuration for the user remains in the Tanium Console.
  • If you delete, in the Tanium Console, a user configuration that was imported, it will be re-created upon the next synchronization.
  • If you delete a user from the back-end LDAP server configuration, the user is marked as "locked out" upon next import into the Tanium Console. The user cannot log in, but the user account is not deleted automatically. Any scheduled questions and scheduled actions that the user has configured continue to run. This gives other Tanium administrators the opportunity to take stock of situation and re-create the scheduled questions and actions under a different user account if necessary.

Tanium recommends the following practices to avoid unexpected issues:

  • Plan to do some work on the back-end LDAP server to create LDAP user groups that correspond with the Tanium user groups you want to create and the users you want to associate with Tanium access.
  • Plan to manage Tanium access by managing the back-end LDAP server configuration, not the front-end Tanium Console configuration. For example, the best way to on-board and off-board users is by adding them to a group that is imported or deleting them from a group that is imported.
  • Be sure to control access to the back-end LDAP server configuration so that LDAP administrators who are not familiar with your Tanium deployment cannot make changes that affect it.
  • Maintain at least one user in the Users configuration that is not populated by the LDAP sync connector. This configuration should be assigned the Administrator reserved role and can be used to log into the Tanium Console and re-configure the LDAP sync connector in case it fails. Some organizations provision multiple admin users outside of the LDAP sync connector for this reason.
  • Be careful when you delete user configurations. As you transition from manually-created users to imported users, you probably want to clean up the apparent duplicates. However, the john.doe configuration that was created manually and the john.doe configuration that was imported have different object IDs. For example, let's say the first john.doe has object ID 2, and the second john.doe has object ID 3. The Tanium Console objects—such as scheduled actions, saved questions, Tanium Connect objects, solution plugins, or solution module services—that were created by the john.doe user that has object ID 2 do not also belong to the user with object ID 3. If you delete the john.doe configuration that has ID 2, you must be ready to re-create the configuration objects that run under that ID. See the user management topic for details.

Last updated: 5/16/2018 1:13 PM | Feedback