This topic describes how to authenticate Carbon Black EDR by using Active Directory (AD).

Note: After you enable AD integration, it becomes the only authentication method for logging into the Carbon Black EDR console — there is no fallback to Carbon Black EDR direct login except for deactivating AD integration. In the case of an existing Carbon Black EDR user name that now logs in through AD, previous user membership and permissions are ignored in favor of AD mapping.


  1. On the Carbon Black EDR server, go to /etc/cb/sso and perform the following steps:
    1. Copy /etc/cb/sso/sso.conf.example.ldap to /etc/cb/sso/ldap.conf.
    2. Copy /etc/cb/sso/ to /etc/cb/sso/
    Note: Changes to are discussed in Map AD Permissions.
  2. In the /etc/cb/sso/ldap.conf file:
    # What type of LDAP server are you using, valid options are OpenLDAP, FreeIPA and AD
    ldap_provider = AD
    # The URL and port for your LDAP server that will be used by CB EDR
    ldap_host = ldap://
    # The Base DN for your organization
    ldap_dn_base = dc=example,dc=org
    # (AD only) The AD domain that users will be logging into
    ldap_ad_domain = TEST
    # (OpenLDAP, FreeIPA only) Specify what org your users belong to
    ldap_user_org = ou=Users
    # (OpenLDAP, FreeIPA only) Specify group members attribute
    ldap_group_members_attr = member
    # (OpenLDAP, FreeIPA only) Specify user identifier attribute
    ldap_user_name_attr = cn
    # The path to the attribute mapper you are using with your LDAP setup
    attribute_mapper = /etc/cb/sso/
    # LDAP TLS only, specify certificate required to setup LDAP TLS connection
    # ldap_cert_file = /etc/pki/ca-trust/source/anchors/ipa.crt
    1. Set ldap_provider to specify whether you are connecting to AD or OpenLDAP.
    2. Specify ldap_host for the AD server and port that Carbon Black EDR will use to login. Carbon Black EDR supports LDAP, LDAPS, and LDAP + TLS.
    3. Set the ldap_dn_base specify base distinguished name (DN) for your organization.
    4. For AD only, set ldap_ad_domain to identify the AD domain that users log into.
    5. For OpenLDAP and FreeIPA only, set ldap_user_org to specify the organization to which your users belong
    6. For OpenLDAP and FreeIPA only, set ldap_group_members_attr to specify group members attribute.
    7. For OpenLDAP and FreeIPA only, set ldap_user_name_attr to specify a user identifier attribute.
    8. Make sure the attribute_mapper field has the full path to the Python attribute mapper file.
    9. TLS-specific: Specify the ldap_cert_file certificate that LDAPS and LDAP + TLS connectivity requires.
    Caution: The syntax of this configuration file must fully conform to the JSON data-interchange format. Failure to do so can create an invalid configuration file, which prevents the cb-coreservices services from launching properly. When changes are made to this file and cb-enterprise is restarted, check / var/log/cb/coreservices/debug.log to make sure there are no errors.
  3. Open the /etc/cb/cb.conf file and edit the LDAPConfig property so that it contains the full path to the LDAP configuration file that you created in the previous steps (for example, etc/cb/sso/ldap.conf). This single property defines whether the Carbon Black EDR server starts in Carbon Black EDR or LDAP authentication mode.
    Note: To deactivate AD integration, comment out the LDAPConfig property in /etc/cb/cb.conf.
  4. Restart the Carbon Black EDR server by issuing the following command:
    sudo /usr/share/cb/cbservice cb-enterprise restart