LDAP and Active Directory Configuration


LDAP integration is commonly used for secondary user authentication.

In a workgroup installation, ITM On-Prem (ObserveIT) Console Users are created locally in the ITM On-Prem Web Console: you create a Console User for each person who needs access to the Web Console. In addition, when ObserveIT Identification Services are enabled, users who log on to a monitored server or workstation with a generic account, such as the built-in Administrator, are forced to supply secondary credentials that identify them personally, so the ITM On-Prem (ObserveIT) auditor can see who actually used the Administrator account. As with Console Users, in a workgroup installation these local ITM On-Prem (ObserveIT) users must be created in the Web Console, and their credentials handed to the people who log on to the monitored computers, before those people can identify themselves to Identification Services.

By configuring an LDAP connection between the Application and Web Console components and an external LDAP server (such as a Microsoft Active Directory domain controller), you can use user and group accounts from an Active Directory domain to grant access to the ITM On-Prem Web Console and to supply credentials for ITM On-Prem (ObserveIT) Identification Services. Communication with Active Directory can be secured with LDAP over SSL/TLS (LDAPS), which encrypts all traffic between the Web Console and the domain controller.

The ITM On-Prem Web Console Server must be able to reach at least one domain controller in the target Active Directory domain over LDAP. Plain LDAP uses TCP port 389 in most cases; LDAPS uses TCP port 636. If a firewall sits between the Web Console Server and the domain controller, configure it to allow this traffic to and from that domain controller. Consult your firewall vendor's documentation for the exact steps.

Read-only domain controller (RODC) support is available for environments that allow only read-only access to Active Directory domain controllers.

From the Configuration > User Management > LDAP Settings page of the Web Console, you can configure automatic and manual LDAP targets, and change the default LDAP email field name, if required.

ITM On-Prem (ObserveIT) also supports secured SSL/TLS communication to Active Directory via LDAPS. When LDAPS is configured, all communication with Active Directory is encrypted, and the LDAP Settings page displays an indication that the connection is secured. As with any LDAPS client, the Web Console Server must trust the certificate authority that issued the domain controller's certificate; otherwise the secured connection cannot be established.
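As an added example (not part of the ObserveIT documentation or product), the following PowerShell script, run on the ITM On-Prem Web Console Server, checks the prerequisites described above before an LDAP target is configured: that TCP 389 (or 636 for LDAPS) to the domain controller is open through any firewall in the path, that the account the Web Console will use can bind (with certificate validation left on for LDAPS), and that it can resolve a user and read the attribute you intend to map as the LDAP email field. The domain controller name `dc01.corp.example.com`, the bind account `CORP\svc-itm-ldap` and the test user are placeholders; `mail` is the usual Active Directory e-mail attribute and should be changed to whatever you set as the LDAP email field name.

```powershell
# Added example, not ObserveIT's own tooling. Run on the ITM On-Prem Web Console Server.
# Assumed placeholders: dc01.corp.example.com and CORP\svc-itm-ldap; replace with your own.
param(
    [string]$DomainController = 'dc01.corp.example.com',
    [string]$BindUser         = 'CORP\svc-itm-ldap',
    [string]$EmailAttribute   = 'mail',   # must match the LDAP email field name in LDAP Settings
    [switch]$UseLdaps
)

Add-Type -AssemblyName System.DirectoryServices.Protocols
$P     = 'System.DirectoryServices.Protocols'
$scope = [System.DirectoryServices.Protocols.SearchScope]

# Escape user-supplied text before placing it in an LDAP filter (RFC 4515), so a value
# such as "admin)(objectClass=*" cannot change the meaning of the query. Backslash first,
# so the escape sequences added afterwards are not themselves re-escaped.
function ConvertTo-LdapFilterValue {
    param([string]$Value)
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

$port = if ($UseLdaps) { 636 } else { 389 }

# 1. Reachability: is the LDAP/LDAPS port open through any firewall between us and the DC?
$tcp = Test-NetConnection -ComputerName $DomainController -Port $port -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    throw "TCP $port to $DomainController is not reachable; allow it on the firewall between the Web Console Server and the domain controller."
}

# 2. Bind with the same identity the Web Console will use.
$cred = Get-Credential -UserName $BindUser -Message 'Password of the LDAP bind account'
$id   = New-Object "$P.LdapDirectoryIdentifier" -ArgumentList $DomainController, $port
$conn = New-Object "$P.LdapConnection" -ArgumentList $id, $cred.GetNetworkCredential(), ([System.DirectoryServices.Protocols.AuthType]::Negotiate)
$conn.SessionOptions.ProtocolVersion = 3
if ($UseLdaps) {
    # Certificate validation stays enabled: if this server does not trust the CA that issued
    # the DC's certificate, the bind fails here instead of silently falling back to plaintext.
    $conn.SessionOptions.SecureSocketLayer = $true
}
$conn.Bind()

# 3. Discover the domain naming context from RootDSE rather than hard-coding it.
$rootReq = New-Object "$P.SearchRequest" -ArgumentList '', '(objectClass=*)', $scope::Base, [string[]]@('defaultNamingContext')
$baseDn  = ($conn.SendRequest($rootReq)).Entries[0].Attributes['defaultNamingContext'][0]

# 4. Resolve a test user and read the attribute that will be mapped as the e-mail field.
$sam    = Read-Host 'sAMAccountName of a test user'
$filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$(ConvertTo-LdapFilterValue $sam)))"
$req    = New-Object "$P.SearchRequest" -ArgumentList $baseDn, $filter, $scope::Subtree, [string[]]@('distinguishedName', $EmailAttribute)
$res    = $conn.SendRequest($req)
if ($res.Entries.Count -eq 0) { throw "No user with sAMAccountName '$sam' found under $baseDn" }

$entry = $res.Entries[0]
$mail  = if ($entry.Attributes.Contains($EmailAttribute)) { $entry.Attributes[$EmailAttribute][0] } else { '<not set>' }
"OK: bound to ${DomainController}:$port as $BindUser"
"    base DN        : $baseDn"
"    user DN        : $($entry.DistinguishedName)"
"    $EmailAttribute : $mail"
$conn.Dispose()
```

Run it once without `-UseLdaps` to confirm port 389 and the bind account, then again with `-UseLdaps` before switching the LDAP target to LDAPS; a failure only in the second run points at port 636 being blocked or at an untrusted domain controller certificate rather than at the account.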

After an LDAP connection is properly established, the domain appears in two locations:

  • Configuration > Console Users page, where you can create and configure additional ITM On-Prem (ObserveIT) Console Users that can administer ObserveIT, or that can be used to view recorded sessions.

  • Configuration > Identification page, where you can configure users that are required to identify themselves with a secondary ITM On-Prem (ObserveIT) logon whenever they log on to any ObserveIT-monitored server.

The following topics describe how to:

See Also