This topic describes how to authenticate Carbon Black EDR by using Active Directory (AD).
Note: After you enable AD integration, it becomes the only authentication method for logging into the Carbon Black EDR console — there is no fallback to Carbon Black EDR direct login except for deactivating AD integration. In the case of an existing Carbon Black EDR user name that now logs in through AD, previous user membership and permissions are ignored in favor of AD mapping.
- On the Carbon Black EDR server, go to /etc/cb/sso and perform the following steps:
Note: Changes to attr_map.ldap.py are discussed in Map AD Permissions.
- Copy /etc/cb/sso/sso.conf.example.ldap to /etc/cb/sso/ldap.conf.
- Copy /etc/cb/sso/attr_map.py.example.ldap to /etc/cb/sso/attr_map.ldap.py.
- In the /etc/cb/sso/ldap.conf file:

```ini
[ldap]
# What type of LDAP server are you using, valid options are OpenLDAP and AD
ldap_provider = AD
# The URL and port for your LDAP server that will be used by CB EDR
ldap_host = ldap://example.org:389
# The Base DN for your organization
ldap_dn_base = dc=example,dc=org
# (AD only) The AD domain that users will be logging into
ldap_ad_domain = TEST
# (OpenLDAP only) Specify what org your users belong to
ldap_user_org = ou=Users
# The path to the attribute mapper you are using with your LDAP setup
attribute_mapper = /etc/cb/sso/attr_map.ldap.py
# TLS only, specify certificate required to setup LDAP TLS connection
# ldap_cert_file = /etc/pki/ca-trust/source/anchors/ipa.crt
```

Caution: The syntax of this configuration file must fully conform to the JSON data-interchange format. Failure to do so can create an invalid configuration file, which prevents the cb-coreservices services from launching properly. When changes are made to this file and cb-enterprise is restarted, check /var/log/cb/coreservices/debug.log to make sure there are no errors.

  - Set ldap_provider to specify whether you are connecting to AD or OpenLDAP.
  - Set ldap_host to the AD server and port that Carbon Black EDR will use to log in. Carbon Black EDR supports LDAP, LDAPS, and LDAP + TLS.
  - Set ldap_dn_base to specify the base distinguished name (DN) for your organization.
  - Make sure the attribute_mapper field has the full path to the Python attribute mapper file.
  - AD only: Set ldap_ad_domain to the AD domain that users will log into.
  - OpenLDAP only: Set ldap_user_org to specify the organization to which your users belong.
  - TLS-specific: Set ldap_cert_file to the certificate that LDAPS and LDAP + TLS connectivity requires.
- Open the /etc/cb/cb.conf file and edit the LDAPConfig property so that it contains the full path to the LDAP configuration file that you created in the previous steps (for example, /etc/cb/sso/ldap.conf). This single property defines whether the Carbon Black EDR server starts in Carbon Black EDR or LDAP authentication mode.
Note: To deactivate AD integration, comment out the LDAPConfig property in /etc/cb/cb.conf.
- Restart the Carbon Black EDR server by issuing the following command:

```shell
sudo /usr/share/cb/cbservice cb-enterprise restart
```
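As an added pre-flight check (not part of the Carbon Black EDR product or of this documentation), the following Python script parses the [ldap] section of an ldap.conf body and reports the mistakes that would otherwise surface only in /var/log/cb/coreservices/debug.log after cb-enterprise is restarted: missing required keys, an invalid ldap_provider, a missing provider-specific key, a bad ldap_host scheme, and a plain ldap:// host with no ldap_cert_file. It assumes ldap.conf is read as INI-style key = value lines like the example above, and that ldap:// without ldap_cert_file means a plain, unencrypted LDAP bind; the sample configuration is constructed from the page's example.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample, modelled on the ldap.conf example on this page: an AD
# provider over plain ldap:// with no certificate, used as an offline stand-in
# for the real /etc/cb/sso/ldap.conf.
SAMPLE_LDAP_CONF = """[ldap]
ldap_provider = AD
ldap_host = ldap://example.org:389
ldap_dn_base = dc=example,dc=org
ldap_ad_domain = TEST
attribute_mapper = /etc/cb/sso/attr_map.ldap.py
"""

REQUIRED = ("ldap_provider", "ldap_host", "ldap_dn_base", "attribute_mapper")


def check_ldap_conf(text):
    """Return a list of findings for an ldap.conf body; an empty list means it passed."""
    findings = []
    cp = configparser.ConfigParser(inline_comment_prefixes=("#",))
    try:
        cp.read_string(text)
    except configparser.Error as exc:
        return [f"unparseable ldap.conf: {exc}"]
    if not cp.has_section("ldap"):
        return ["missing [ldap] section"]
    sec = cp["ldap"]
    for key in REQUIRED:
        if not sec.get(key, "").strip():
            findings.append(f"{key} is missing or empty")
    provider = sec.get("ldap_provider", "").strip()
    if provider not in ("AD", "OpenLDAP"):
        findings.append(f"ldap_provider must be AD or OpenLDAP, got {provider!r}")
    # Each provider has one key the other does not use (see the commented example).
    if provider == "AD" and not sec.get("ldap_ad_domain", "").strip():
        findings.append("ldap_ad_domain is required when ldap_provider = AD")
    if provider == "OpenLDAP" and not sec.get("ldap_user_org", "").strip():
        findings.append("ldap_user_org is required when ldap_provider = OpenLDAP")
    url = urlparse(sec.get("ldap_host", "").strip())
    if url.scheme not in ("ldap", "ldaps"):
        findings.append(f"ldap_host must start with ldap:// or ldaps://, got {url.scheme!r}")
    # Assumption: ldap:// with no ldap_cert_file means no LDAPS and no LDAP + TLS,
    # so the bind credentials would cross the network unencrypted.
    if url.scheme == "ldap" and not sec.get("ldap_cert_file", "").strip():
        findings.append("ldap_host uses plain ldap:// and ldap_cert_file is not set; "
                        "the bind would be unencrypted (use ldaps:// or set ldap_cert_file)")
    if not sec.get("attribute_mapper", "").strip().endswith(".py"):
        findings.append("attribute_mapper should be the full path to the Python mapper file")
    return findings
```

Run it against the real file with `check_ldap_conf(open("/etc/cb/sso/ldap.conf").read())` before restarting cb-enterprise; a non-empty list is a reason to fix the file first.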