This topic discusses appropriate changes in /etc/cb/sso/attr_map.ldap.py. Each configurable property is accompanied with inline documentation to assist with this process.

Procedure

  1. Modify team_mappings to specify which AD group is assigned to which Carbon Black EDR team after authenticated login.
    • You can additionally assign enhanced permissions to a group of users. The mapping file contains examples to help you start.
    • Enhanced permissions that you can assign are:
      • global_admin
      • ban_hash_execute
      • isolate_sensor_execute
      • tamper_protection_execute
      • uninstall_sensor_execute
      • livequery_execute
    # Here is where you define your mappings from LDAP groups to CB EDR teams. If a user is a member of any of these
    # LDAP groups they will be assigned to the corresponding CB EDR team(s) and given the corresponding permission(s).
    team_mappings = {
        # Any user in this group will belong to the following teams and have the following enhanced permissions.
        'ou=users,dc=example,dc=org': {
            'teams': ['Analysts', 'Team1'],
            'permissions': ['ban_hash_execute', ‘live_query_execute']
        },
    
        # Any user in this group will belong to the following single team and will NOT have any additional
        # enhanced permissions.
        'ou=users_team2,ou=users,dc=example,dc=org': {
            'teams': ['Team2'],
            'permissions': []
        },
    
        # A single group with enhanced permissions
        'team3': {
            'teams': ['Team3'],
            'permissions': ['global_admin']
        },
    
    }
    
  2. Modify attribute_mappings to map AD user attributes. These are required for authentication and auditing of users who are logged in through AD.
    • username
    • first_name
    • last_name
    • email
    # Here is where you define the mappings of LDAP attributes to CB EDR user attributes. The keys are the LDAP
    # attributes and can be modified/renamed as necessary to match your LDAP configuration. The values are the
    # corresponding CB EDR user attributes. All items are required.
    attribute_mappings = {
        'sAMAccountName': 'username',
        'givenName': 'first_name',
        'sn': 'last_name',
        'userPrincipalName': 'email'
    }
    

    A new user entry is created in Carbon Black EDR the first time that a user logs in. If the user name was previously used, the previous entry is reused. However, AD mapping is used instead of previous user permissions and memberships.

  3. To provide enhanced permissions on a per-user basis (not AD group-based), use a custom AD attribute; for example, cb_edr_permissions. This multi-value attribute must be defined in the AD schema and assigned to specific users with expected values. Expected values are defined in Step 1 regarding team_mappings. For example:

    Current AD values set to ban_hash_execute and tamper_protection_execute

    # CB EDR enhanced permissions are stored in the following LDAP attribute. This is a multi- valued attribute whose
    # values are CB EDR permissions. These permissions are in addition to any permissions assigned above based on a
    # user's group/team membership. 
    permissions_attribute_name = "cb_edr_permissions"
    
    Note: Modification of callback function for AD integration is not necessary. If you configure the mapping properly, then the callback functions correctly. For troubleshooting, see detailed comments in the callback function itself.