This topic describes how to authenticate Carbon Black EDR by using Active Directory (AD).

Note: After you enable AD integration, it becomes the only authentication method for logging into the Carbon Black EDR console — there is no fallback to Carbon Black EDR direct login except for deactivating AD integration. In the case of an existing Carbon Black EDR user name that now logs in through AD, previous user membership and permissions are ignored in favor of AD mapping.

Procedure

  1. On the Carbon Black EDR server, go to /etc/cb/sso and perform the following steps:
    1. Copy /etc/cb/sso/sso.conf.example.ldap to /etc/cb/sso/ldap.conf.
    2. Copy /etc/cb/sso/attr_map.py.example.ldap to /etc/cb/sso/attr_map.ldap.py.
    Note: Changes to attr_map.ldap.py are discussed in Map AD Permissions.
  2. In the /etc/cb/sso/ldap.conf file:
    [ldap]
    # What type of LDAP server are you using, valid options are OpenLDAP and AD
    ldap_provider = AD
    # The URL and port for your LDAP server that will be used by CB EDR
    ldap_host = ldap://example.org:389
    # The Base DN for your organization
    ldap_dn_base = dc=example,dc=org
    # (AD only) The AD domain that users will be logging into
    ldap_ad_domain = TEST
    # (OpenLDAP only) Specify what org your users belong to
    ldap_user_org = ou=Users
    # The path to the attribute mapper you are using with your LDAP setup
    attribute_mapper = /etc/cb/sso/attr_map.ldap.py
    # TLS only, specify certificate required to setup LDAP TLS connection
    # ldap_cert_file = /etc/pki/ca-trust/source/anchors/ipa.crt
    
    1. Set ldap_provider to specify whether you are connecting to AD or OpenLDAP.
    2. Set ldap_host to the AD server and port that Carbon Black EDR will use to log in. Carbon Black EDR supports LDAP, LDAPS, and LDAP + TLS.
    3. Set ldap_dn_base to specify the base distinguished name (DN) for your organization.
    4. Make sure the attribute_mapper field has the full path to the Python attribute mapper file.
    5. AD only: Set ldap_ad_domain to the AD domain that users will log into.
    6. OpenLDAP only: Set ldap_user_org to specify the organization to which your users belong.
    7. TLS-specific: Set ldap_cert_file to the certificate that LDAPS and LDAP + TLS connectivity require.
    Caution: The syntax of this configuration file must fully conform to the JSON data-interchange format. Failure to do so can create an invalid configuration file, which prevents the cb-coreservices services from launching properly. After you change this file and restart cb-enterprise, check /var/log/cb/coreservices/debug.log to make sure there are no errors.
  3. Open the /etc/cb/cb.conf file and edit the LDAPConfig property so that it contains the full path to the LDAP configuration file that you created in the previous steps (for example, /etc/cb/sso/ldap.conf). This single property defines whether the Carbon Black EDR server starts in Carbon Black EDR or LDAP authentication mode.
    Note: To deactivate AD integration, comment out the LDAPConfig property in /etc/cb/cb.conf.
  4. Restart the Carbon Black EDR server by issuing the following command:
    sudo /usr/share/cb/cbservice cb-enterprise restart
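Because a malformed ldap.conf stops cb-coreservices from starting and the only symptom is an error in debug.log after the restart, it is worth checking the file before step 4. The following preflight checker is an added example, not part of Carbon Black EDR: it assumes the [ldap] key = value layout shown in step 2 (read here with configparser) and takes a path_exists hook so it can be exercised without touching the real filesystem.

```python
"""Preflight check for a Carbon Black EDR ldap.conf before cb-enterprise is restarted.
Added example, not product code: assumes the [ldap] key = value layout from step 2 and
reads it with configparser; path_exists is a hook so tests can avoid the real filesystem."""
import configparser
import os
from urllib.parse import urlparse

REQUIRED = ("ldap_provider", "ldap_host", "ldap_dn_base", "attribute_mapper")
PROVIDER_SPECIFIC = {"AD": "ldap_ad_domain", "OpenLDAP": "ldap_user_org"}


def check_ldap_conf(text, path_exists=os.path.exists):
    """Return (errors, warnings): errors will likely stop cb-coreservices or the LDAP bind,
    warnings are hygiene points that do not block startup."""
    errors, warnings = [], []
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(text)
    except configparser.Error as exc:
        return [f"unparseable config: {exc}"], warnings
    if not cp.has_section("ldap"):
        return ["missing [ldap] section"], warnings
    sec = cp["ldap"]
    value = lambda key: sec.get(key, "").strip()  # empty string when the key is absent
    for key in REQUIRED:
        if not value(key):
            errors.append(f"{key} is not set")
    provider = value("ldap_provider")
    if provider not in PROVIDER_SPECIFIC:
        errors.append(f"ldap_provider must be AD or OpenLDAP, got {provider!r}")
    elif not value(PROVIDER_SPECIFIC[provider]):
        errors.append(f"{PROVIDER_SPECIFIC[provider]} is required when ldap_provider = {provider}")
    dn = value("ldap_dn_base")
    if dn and "=" not in dn:
        errors.append("ldap_dn_base does not look like a DN (expected e.g. dc=example,dc=org)")
    url = urlparse(value("ldap_host"))
    cert = value("ldap_cert_file")
    if url.scheme not in ("ldap", "ldaps"):
        errors.append(f"ldap_host must use ldap:// or ldaps://, got {value('ldap_host')!r}")
    elif url.port is None:
        errors.append("ldap_host has no explicit port (389 for LDAP, 636 for LDAPS)")
    if url.scheme == "ldaps" and not cert:
        errors.append("ldaps:// requires ldap_cert_file")
    if cert and not path_exists(cert):
        errors.append(f"ldap_cert_file not found: {cert}")
    if url.scheme == "ldap" and not cert:
        warnings.append("ldap:// without ldap_cert_file: bind credentials may cross the wire in clear text")
    mapper = value("attribute_mapper")
    if mapper and (not os.path.isabs(mapper) or not path_exists(mapper)):
        errors.append(f"attribute_mapper must be the full path to an existing file: {mapper}")
    return errors, warnings
```

Run it against the real file with check_ldap_conf(open("/etc/cb/sso/ldap.conf").read()) and fix every error before restarting; the plaintext warning is a prompt to move to LDAPS or LDAP + TLS.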