This topic discusses appropriate changes in /etc/cb/sso/attr_map.ldap.py. Each configurable property is accompanied with inline documentation to assist with this process.
Procedure
- Modify
team_mappings
to specify which AD group is assigned to which Carbon Black EDR team after authenticated login.- You can additionally assign enhanced permissions to a group of users. The mapping file contains examples to help you start.
- Enhanced permissions that you can assign are:
global_admin
ban_hash_execute
isolate_sensor_execute
tamper_protection_execute
uninstall_sensor_execute
livequery_execute
# Here is where you define your mappings from LDAP groups to CB EDR teams. If a user is a member of any of these # LDAP groups they will be assigned to the corresponding CB EDR team(s) and given the corresponding permission(s). team_mappings = { # Any user in this group will belong to the following teams and have the following enhanced permissions. 'ou=users,dc=example,dc=org': { 'teams': ['Analysts', 'Team1'], 'permissions': ['ban_hash_execute', ‘live_query_execute'] }, # Any user in this group will belong to the following single team and will NOT have any additional # enhanced permissions. 'ou=users_team2,ou=users,dc=example,dc=org': { 'teams': ['Team2'], 'permissions': [] }, # A single group with enhanced permissions 'team3': { 'teams': ['Team3'], 'permissions': ['global_admin'] }, }
- Modify
attribute_mappings
to map AD user attributes. These are required for authentication and auditing of users who are logged in through AD.username
first_name
last_name
email
# Here is where you define the mappings of LDAP attributes to CB EDR user attributes. The keys are the LDAP # attributes and can be modified/renamed as necessary to match your LDAP configuration. The values are the # corresponding CB EDR user attributes. All items are required. attribute_mappings = { 'sAMAccountName': 'username', 'givenName': 'first_name', 'sn': 'last_name', 'userPrincipalName': 'email' }
A new user entry is created in Carbon Black EDR the first time that a user logs in. If the user name was previously used, the previous entry is reused. However, AD mapping is used instead of previous user permissions and memberships.
- To provide enhanced permissions on a per-user basis (not AD group-based), use a custom AD attribute; for example,
cb_edr_permissions
. This multi-value attribute must be defined in the AD schema and assigned to specific users with expected values. Expected values are defined in Step 1 regardingteam_mappings
. For example:# CB EDR enhanced permissions are stored in the following LDAP attribute. This is a multi- valued attribute whose # values are CB EDR permissions. These permissions are in addition to any permissions assigned above based on a # user's group/team membership. permissions_attribute_name = "cb_edr_permissions"
Note: Modification of callback function for AD integration is not necessary. If you configure the mapping properly, then the callback functions correctly. For troubleshooting, see detailed comments in the callback function itself.