By default, UpGuard Core uses a local authentication mechanism based on an email address and password. Alternatively, you can use an existing LDAP server (usually Active Directory) to authenticate users.

Overview

LDAP authentication replaces the default email-based authentication mechanism for the UpGuard UI. Any account administrator can configure LDAP settings before an UpGuard employee enables LDAP authentication.

If you are interested in integrating with your Single Sign On Identity Provider, please refer to our article on Single Sign On.

Configuring

What Do I Need?

Before configuring LDAP, you will need the following:

  • The distinguished name (DN) of an OU that contains your user accounts
  • The distinguished name (DN) of a CN (security group) that contains the users who will be able to log in to UpGuard
  • The distinguished name (DN) and password of a user that can query LDAP (referred to as the bind user)

Setting up LDAP

The LDAP settings are found in the Appliance Settings page, which is available by clicking your organization name in the top right corner of the UpGuard UI and selecting Appliance Settings.


Field                  Description
LDAP Host              The hostname of your LDAP server
LDAP Port              The port to connect over
SSL On?                Flag determining whether SSL will be used for the connection
LDAP Attribute         The unique identifier for users. Use “sAMAccountName” for Active Directory
Users Base DN          The lowest-level OU containing all user records
Users Group DN         The CN of the specific group you have set up to grant access to UpGuard
Bind Account DN        The user UpGuard will use to query LDAP
Bind Account Password  The password for the bind user

Enabling LDAP Authentication

Enabling LDAP must be done by an UpGuard employee. Please contact your Account Manager or UpGuard Support to schedule an appointment.

Things to Note

  • With LDAP integration set up, access to your UpGuard account will be determined by membership of the group specified in the above form (Users Group DN).
  • Users in this group will have Member access by default. Administrators can change this from the Users page.
  • Behind the scenes, UpGuard is still using the email address to drive user roles, so the LDAP user must have an email address associated with it.
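The following is an added example, not UpGuard's own code: it models the access decision the notes above describe (lookup by the configured LDAP Attribute under Users Base DN, membership of Users Group DN, and a required email address) against constructed directory records, with RFC 4515 filter escaping and case-insensitive DN comparison. All hostnames, DNs and records are assumed sample values.

```python
import re
from dataclasses import dataclass

@dataclass
class LdapSettings:
    """Fields from the Appliance Settings form (values here are constructed)."""
    host: str = "dc01.example.internal"
    port: int = 636
    ssl: bool = True
    attribute: str = "sAMAccountName"
    users_base_dn: str = "OU=Staff,DC=example,DC=internal"
    users_group_dn: str = "CN=UpGuard Users,OU=Groups,DC=example,DC=internal"
    bind_dn: str = "CN=svc-upguard,OU=Service Accounts,DC=example,DC=internal"

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a typed login name must not change the filter's shape."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def user_search_filter(settings: LdapSettings, login: str) -> str:
    """Filter searched under Users Base DN to find the record for a login name."""
    return "(%s=%s)" % (settings.attribute, escape_filter_value(login))

def normalize_dn(dn: str) -> str:
    """DNs compare case-insensitively; whitespace around unescaped commas is ignored."""
    return ",".join(p.strip().lower() for p in re.split(r"(?<!\\),", dn))

def access_decision(settings: LdapSettings, entry: dict) -> tuple:
    """Apply the two rules from the notes: group membership and an email address."""
    groups = {normalize_dn(g) for g in entry.get("memberOf", [])}
    if normalize_dn(settings.users_group_dn) not in groups:
        return False, "not a member of Users Group DN"
    if not entry.get("mail"):
        return False, "no email address on the LDAP record"
    return True, "Member"  # default role; administrators can change it on the Users page

# Constructed sample records, shaped like LDAP search results (assumed data).
SETTINGS = LdapSettings()
ALICE = {"sAMAccountName": "alice", "mail": "alice@example.internal",
         "memberOf": ["cn=upguard users, ou=groups, dc=example, dc=internal"]}
BOB = {"sAMAccountName": "bob", "mail": "bob@example.internal", "memberOf": []}
CAROL = {"sAMAccountName": "carol",
         "memberOf": ["CN=UpGuard Users,OU=Groups,DC=example,DC=internal"]}
```

Active Directory's memberOf attribute lists direct memberships only, so a check like this one does not see users whose access comes through a nested group.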

Emergency Bypass User

Although you may want all your users to authenticate against an LDAP/AD server, there may be occasions when you still need to access your UpGuard appliance while the auth server is down or broken (especially if you monitor the health of your auth server with UpGuard Core).

UpGuard Core can be configured to designate one or more users as LDAP Emergency Bypass Users: user accounts that are still allowed to log in to the appliance with an email address and password.

Enabling this feature requires assistance from an UpGuard Engineer, so please contact UpGuard Support or your Account Manager to schedule an appointment.

Troubleshooting

LDAP Test Fails

An error message is shown if the LDAP test fails. For specific errors:

  • Timeout: This is usually a firewall blocking the LDAP port

UpGuard Login Fails via LDAP

Verify that your bind user works outside of UpGuard. Using a tool like ldp.exe on a Windows AD Controller, verify that you can bind to the Bind Account DN from your UpGuard settings.

Tags: appliance