This article explains how to configure the import and synchronization of users and groups from a corporate LDAP directory into SMARTFENSE. It includes connecting to the server, attribute mapping, and synchronizing active or inactive status.
The configuration is available under Users and Groups > Import and Synchronization > From LDAP Directory.
Prerequisites
- Access to the corporate LDAP server with a service user that has read permissions on the directory.
- Knowledge of the LDAP schema used (attributes for email, first name, last name, groups, etc.).
- Administrator access to the SMARTFENSE instance.
The service user only needs read permissions on the directory.
Connecting to the LDAP Server
1. Enter the LDAP server address in the Host field. You can use an IP address or a domain name. Example: ldap.example.com.
2. Select the Connection Type:
   - LDAP: unencrypted connection. Default port 389.
   - LDAPS: SSL/TLS encrypted connection. Default port 636.
   - LDAP + StartTLS: starts unencrypted and then negotiates TLS. Default port 389.
3. The Port field is auto-filled based on the connection type. Modify it only if your server uses a different port.
4. Enter the Bind DN (Distinguished Name) of the service user that will authenticate to the directory. Example: cn=admin,dc=example,dc=com.
5. Enter the service user's password in the Bind Password field.
6. Enter the Base DN that defines the starting point for the user search. Example: ou=people,dc=example,dc=com.
7. Optionally, modify the LDAP Filter to restrict the search. The default filter is:
   (objectClass=inetOrgPerson)
   A more specific filter is possible, for example:
   (&(objectClass=inetOrgPerson)(mail=*))
   The previous example imports only users with a defined email.
8. The Timeout field defines the maximum wait time in seconds. The default value is 30 seconds.
9. Click Check Connection to validate connectivity, authentication, and search.
Attribute Mapping
Each mapping field must exactly match the attribute name in your LDAP schema. The most common default values are:
| Field in SMARTFENSE | Default LDAP Attribute | Required | Notes |
|---|---|---|---|
| Email | mail | Yes | Unique user identifier. |
| First Name | givenName | Yes | |
| Last Name | sn | Yes | |
| Full Name | displayName | No | |
| Groups | ou | No | |
| Phone | telephoneNumber | No | |
| Employee ID | employeeNumber | No | |
Users without a valid email value in the LDAP directory will show an error during the import process.
Synchronization of Active or Inactive Status
The Active/Inactive Status section synchronizes user status from LDAP to SMARTFENSE.
- Status Attribute: name of the LDAP attribute containing the account status.
- Value Indicating Inactive: value representing a locked or inactive account.
If both fields are empty, all users will be imported as active. If the attribute is configured but a user does not have it in the directory, they will be considered active. Users whose attribute value matches the configured value will be marked as inactive.
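As an added example (not SMARTFENSE's own code), the following Python applies the attribute-mapping table and the three status rules above to entries already fetched from the directory, so the result of a configuration can be checked before running the import. The sample entries, the `accountStatus` attribute and the value `locked` are constructed assumptions, not values from the product.

```python
from typing import Optional

# SMARTFENSE field -> LDAP attribute, using the defaults from the mapping table.
DEFAULT_MAPPING = {
    "email": "mail", "first_name": "givenName", "last_name": "sn",
    "full_name": "displayName", "groups": "ou", "phone": "telephoneNumber",
    "employee_id": "employeeNumber",
}
REQUIRED_FIELDS = ("email", "first_name", "last_name")
MULTI_VALUED = ("groups",)   # ou may carry several values; keep them all

# Constructed sample entries in the shape an LDAP client returns them
# (dn plus attribute -> list of values). "accountStatus" is a hypothetical status attribute.
SAMPLE_ENTRIES = [
    {"dn": "uid=alice,ou=people,dc=example,dc=com", "mail": ["alice@example.com"],
     "givenName": ["Alice"], "sn": ["Adams"], "ou": ["Finance", "Staff"],
     "accountStatus": ["active"]},
    {"dn": "uid=bob,ou=people,dc=example,dc=com",            # no mail: import error
     "givenName": ["Bob"], "sn": ["Brown"]},
    {"dn": "uid=carol,ou=people,dc=example,dc=com", "mail": ["carol@example.com"],
     "givenName": ["Carol"], "sn": ["Cruz"], "accountStatus": ["locked"]},  # inactive
    {"dn": "uid=dave,ou=people,dc=example,dc=com", "mail": ["dave@example.com"],
     "givenName": ["Dave"], "sn": ["Diaz"]},                  # attribute absent: active
]


def is_active(entry: dict, status_attr: Optional[str], inactive_value: Optional[str]) -> bool:
    """Both fields empty -> active; attribute missing on the user -> active;
    attribute value equal to the configured inactive value -> inactive."""
    if not status_attr or not inactive_value:
        return True
    return inactive_value not in entry.get(status_attr, [])


def map_entry(entry: dict, mapping: dict = DEFAULT_MAPPING,
              status_attr: Optional[str] = None, inactive_value: Optional[str] = None):
    """Return (user, None), or (None, error) when a required attribute such as mail is missing."""
    user = {}
    for field, attr in mapping.items():
        values = entry.get(attr, [])
        if field in REQUIRED_FIELDS and not values:
            return None, f"{entry['dn']}: missing required attribute '{attr}'"
        user[field] = values if field in MULTI_VALUED else (values[0] if values else None)
    user["active"] = is_active(entry, status_attr, inactive_value)
    return user, None


def preview_import(entries, **status):
    """Apply the mapping to every entry; returns (users to import, error messages)."""
    users, errors = [], []
    for entry in entries:
        user, err = map_entry(entry, **status)
        (errors if user is None else users).append(err if user is None else user)
    return users, errors
```

Running `preview_import(SAMPLE_ENTRIES, status_attr="accountStatus", inactive_value="locked")` yields three users (carol inactive) and one error for bob's missing mail.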
💡 Best Practices
- Use LDAPS or LDAP + StartTLS in production to protect credentials and directory data.
- Keep the service user with read-only permissions on the directory.
- Document the Bind DN and your password rotation policy to avoid future interruptions.
- Validate the LDAP filter with an external tool before loading it into SMARTFENSE, especially if combining conditions.
- Run Check Connection whenever there is a change in host, port, credentials, or filter.