Secure access of AD using Bridge in Qntrl | Qntrl | Bridge | Online Help

Active Directory (AD)

Active Directory (AD) is a service developed by Microsoft that provides a centralized way to manage all your network machines, users, and resources in one place.


Active Directory stores data as objects, which include users, groups, applications, and devices. These objects are categorized by their names and other attributes, and administrators in an organization can access them. Objects can be organized as an independent group under an Organization Unit (OU). If your organization contains several domains, you can create organizational unit structures in each domain that are independent of the structures in other domains.
Qntrl can synchronize with Active Directory services through Bridge and can perform operations securely.

 

Use Case

If you want to add a user to the AD, you can create a job request in Qntrl and execute the job. Through Bridge, Qntrl connects to AD, adds the user, and returns a success response.

 

Prerequisite

  1. An Organization Unit (OU) must already exist in the AD server.
  2. While creating the credential, select Type as Active Directory and provide the User DN and Password of the AD. Click here to learn how to create a credential.
  3. Ensure AD Lightweight Directory Services is activated. Learn more about AD Lightweight Directory Services here.
  4. By default, LDAP requests are made only over plain LDAP (non-SSL). If you prefer LDAPS (LDAP over SSL), enable the LDAPS port on the AD server and follow the steps in the next section.

How to Enable LDAP over SSL (LDAPS)

  1. Set up LDAPS: To serve SSL requests, LDAP over SSL (LDAPS) must be enabled on the AD server. Refer here to set up LDAPS on Windows Server.
  2. Obtain the LDAPS certificate: Once LDAPS is enabled, you will receive a certificate, preferably in .pfx (password-protected) or .cer format. Copy this certificate to the machine where Bridge is installed.
  3. Modify the LDAP config file: Open the Bridge/conf/ldap-config.properties file and locate the bridge.ldap.use.ssl=false property. Change the value from 'false' to 'true' (i.e., bridge.ldap.use.ssl=true).
  4. Specify the certificate format:
    1. For .cer format: bridge.ldap.file.type=cer
    2. For .pfx format: bridge.ldap.file.type=pfx (default is .pfx)
  5. Specify the file path of the certificate in the property bridge.ldap.ssl.certificate.path=<PATH_TO_CERTIFICATE>.
  6. For .pfx certificates only:
    1. Encrypt the certificate password before adding it to the configuration by navigating to the Bridge/bin directory and running encrypt.bat <PASSWORD>.
    2. Add the encrypted password to the configuration: bridge.ldap.ssl.certificate.password=<ENCRYPTED_PASSWORD>.
  7. Set a custom port (optional): By default, port 389 is used for non-SSL requests and port 636 for SSL requests. To use a custom port, specify it in the property bridge.ldap.use.custom.port=<CUSTOM_PORT>.
  8. Restart Bridge: Once all configurations are completed, restart Bridge to apply the changes.
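The following audit script is an added example, not part of the Qntrl documentation or Bridge itself. It parses an ldap-config.properties fragment using the property names, defaults and formats listed in the steps above and reports what is still missing before LDAPS can work; the sample file contents (certificate path, placeholder password) are constructed for illustration.

```python
"""Audit a Bridge ldap-config.properties fragment for the LDAPS settings above.
Property names, defaults and formats come from the page; the sample contents and
the check logic are constructed here for illustration, not Bridge code."""

# Constructed samples: the shipped default (plain LDAP) and a hardened copy.
DEFAULT_CONFIG = "bridge.ldap.use.ssl=false\n"
HARDENED_CONFIG = """\
bridge.ldap.use.ssl=true
bridge.ldap.file.type=pfx
bridge.ldap.ssl.certificate.path=C:/Bridge/conf/ldaps.pfx
# value produced by Bridge/bin/encrypt.bat; placeholder here
bridge.ldap.ssl.certificate.password=<ENCRYPTED_PASSWORD>
"""

def parse_properties(text):
    """Minimal Java .properties reader: key=value per line, # or ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def audit_ldap_config(text):
    """Return a list of findings; an empty list means LDAPS is fully configured."""
    p = parse_properties(text)
    findings = []
    if p.get("bridge.ldap.use.ssl", "false").lower() != "true":
        # Default setting: bind credentials and password resets travel in clear text.
        findings.append("bridge.ldap.use.ssl is false: AD traffic is unencrypted "
                        "and reset_password tasks cannot be performed")
        return findings
    file_type = p.get("bridge.ldap.file.type", "pfx").lower()  # pfx is the default
    if file_type not in ("pfx", "cer"):
        findings.append(f"unsupported bridge.ldap.file.type '{file_type}'")
    if not p.get("bridge.ldap.ssl.certificate.path"):
        findings.append("bridge.ldap.ssl.certificate.path is not set")
    if file_type == "pfx" and not p.get("bridge.ldap.ssl.certificate.password"):
        findings.append("pfx certificate needs bridge.ldap.ssl.certificate.password "
                        "(run Bridge/bin/encrypt.bat on the password first)")
    port = p.get("bridge.ldap.use.custom.port")
    if port is not None and not (port.isdigit() and 0 < int(port) < 65536):
        findings.append(f"bridge.ldap.use.custom.port '{port}' is not a valid port")
    return findings
```

Run audit_ldap_config on the contents of Bridge/conf/ldap-config.properties before restarting Bridge; an empty result means every property from the steps above is present.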


Troubleshooting

If Bridge is unable to connect to the AD server, verify the hostname and network settings.


AD Tasks

The following section outlines the tasks available in the AD Engine module and the request data for each operation executed in Active Directory via Bridge.

 

Common keys in request data:

  Key - Description
  task_details - A JSON object that contains details of the task.
  ad_host - Location of the AD server.
  ad_dn - Distinguished Name of the AD.
  activity_name - Name of the activity performed in AD.
  task_name - A system-defined name for the respective module. 'ad_task' is the task name for Active Directory.
  credential - A JSON object that contains the name of the AD server credential.
  name - Name of the AD server credential.
  object_name - Name of the object.
  object_type - Type of the object.
  organization_unit - Name of the OU.
  properties - A JSON object that contains additional information related to the user.
  objectClass - Category/type of the object.
  givenName - Display name of the user.
  user_name - Login name of the user in AD.
  password - Password of the user.

Add AD User  

To add a new user to the Active Directory in a private network.

Request data  

{
  "task_name": "ad_task",
  "task_details": {
    "ad_host": "<HOST_NAME>",
    "ad_dn": "<DN OF THE AD MACHINE>",
    "activity_name": "create_object",
    "object_name": "<OBJECT_NAME>",
    "organization_unit": "<ORGANIZATION_UNIT_NAME>",
    "object_type": "user",
    "properties": {
      "ObjectClass": "user",
      "givenName": "<DISPLAY NAME OF THE USER>"
    }
  },
  "credential": {
    "name": "<CREDENTIAL_NAME>"
  }
}

Add AD Computer

To add a new computer to the Active Directory of the client's network.

Request data  

{
  "task_name": "ad_task",
  "task_details": {
    "ad_host": "<HOST_NAME>",
    "ad_dn": "<DN OF THE AD MACHINE>",
    "activity_name": "create_object",
    "object_name": "<OBJECT_NAME>",
    "organization_unit": "<ORGANIZATION_UNIT_NAME>",
    "object_type": "computer",
    "properties": {
      "ObjectClass": "computer",
      "givenName": "<DISPLAY NAME OF THE OBJECT>"
    }
  },
  "credential": {
    "name": "<CREDENTIAL_NAME>"
  }
}

Add AD Group  

To add a new group to the Active Directory of the client's network.

Request data  

{
  "task_name": "ad_task",
  "task_details": {
    "ad_host": "<HOST_NAME>",
    "ad_dn": "<DN OF THE AD MACHINE>",
    "activity_name": "create_object",
    "object_name": "<OBJECT_NAME>",
    "organization_unit": "<ORGANIZATION_UNIT_NAME>",
    "object_type": "group",
    "properties": {
      "ObjectClass": "group",
      "givenName": "<DISPLAY NAME OF THE GROUP>"
    }
  },
  "credential": {
    "name": "<CREDENTIAL_NAME>"
  }
}

Add User To Group

To add a user under a group in the Active Directory of the client's network.

Request data

{
  "task_name": "ad_task",
  "task_details": {
    "ad_host": "<HOST_NAME>",
    "ad_dn": "<DN OF THE AD MACHINE>",
    "activity_name": "create_object",
    "object_name": "<OBJECT_NAME>",
    "organization_unit": "<ORGANIZATION_UNIT_NAME>",
    "object_type": "group",
    "group_name": "<GROUP_NAME>",
    "properties": {
      "ObjectClass": "group",
      "givenName": "<DISPLAY NAME OF THE GROUP>"
    }
  },
  "credential": {
    "name": "<CREDENTIAL_NAME>"
  }
}
where,

  group_name - Name of the group in AD.

Disable AD User 

To disable an existing user in the Active Directory.

Request data  

{
  "task_name": "ad_task",
  "task_details": {
    "ad_host": "<HOST_NAME>",
    "ad_dn": "<DN OF THE AD MACHINE>",
    "activity_name": "disable_user",
    "user_name": "<USER_NAME>"
  },
  "credential": {
    "name": "<CREDENTIAL_NAME>"
  }
}

Enable AD User  

To enable a disabled user in the Active Directory.

Request data  

{
  "task_name": "ad_task",
  "task_details": {
    "ad_host": "<HOST_NAME>",
    "ad_dn": "<DN OF THE AD MACHINE>",
    "activity_name": "enable_user",
    "user_name": "<USER_NAME>"
  },
  "credential": {
    "name": "<CREDENTIAL_NAME>"
  }
}

Unlock AD User  

To unlock a user account that has been locked after multiple incorrect password entries.

Request data  

{
  "task_name": "ad_task",
  "task_details": {
    "ad_host": "<HOST_NAME>",
    "ad_dn": "<DN OF THE AD MACHINE>",
    "activity_name": "unlock_account",
    "user_name": "<USER_NAME>"
  },
  "credential": {
    "name": "<CREDENTIAL_NAME>"
  }
}

Reset AD Password  

To reset a user's password, for example when it has been forgotten.
This task is performed exclusively over LDAPS (LDAP over SSL). Refer to the section above for instructions on enabling LDAP over SSL.

Request data  

{
  "task_name": "ad_task",
  "task_details": {
    "ad_host": "<HOST_NAME>",
    "ad_dn": "<DN OF THE AD MACHINE>",
    "activity_name": "reset_password",
    "user_name": "<USER_NAME>",
    "password": "<PASSWORD>",
    "is_unlock_account": true,
    "is_user_reset_password_next_logon": true
  },
  "credential": {
    "name": "<CREDENTIAL_NAME>"
  }
}
where,

  is_unlock_account - If the user account is locked, whether to unlock it while resetting the password.
    • true - unlock the account
    • false - do not unlock the account

  is_user_reset_password_next_logon - After resetting the password, whether the user must change it at the next logon.
    • true - the password must be reset at the next logon
    • false - the password need not be reset at the next logon
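The following builder and validator is an added example, not Qntrl or Bridge code. It assembles the ad_task envelope described in the common keys table and checks a request against the activity names and required keys shown in the task sections above (including the rule that reset_password is LDAPS-only); the ObjectClass-equals-object_type check and all sample values are assumptions made for illustration.

```python
"""Build and validate Qntrl 'ad_task' request data as documented above.
Key names and activity names come from the page; the builder, the checks and
the sample values are constructed here for illustration, not Qntrl code."""

# task_details keys each activity_name on this page must carry.
REQUIRED = {
    "create_object": {"object_name", "organization_unit", "object_type", "properties"},
    "disable_user": {"user_name"},
    "enable_user": {"user_name"},
    "unlock_account": {"user_name"},
    "reset_password": {"user_name", "password"},
}
OBJECT_TYPES = {"user", "computer", "group"}

def build_ad_task(ad_host, ad_dn, activity_name, credential_name, **details):
    """Assemble the request envelope: task_name, task_details and credential."""
    task_details = {"ad_host": ad_host, "ad_dn": ad_dn, "activity_name": activity_name}
    task_details.update(details)
    return {"task_name": "ad_task", "task_details": task_details,
            "credential": {"name": credential_name}}

def validate_ad_task(request, ldaps_enabled):
    """Return a list of problems; empty means the request is well-formed.
    ldaps_enabled mirrors bridge.ldap.use.ssl: reset_password is LDAPS-only."""
    problems = []
    if request.get("task_name") != "ad_task":
        problems.append("task_name must be 'ad_task'")
    if not request.get("credential", {}).get("name"):
        problems.append("credential.name is required")
    d = request.get("task_details", {})
    for key in ("ad_host", "ad_dn", "activity_name"):
        if not d.get(key):
            problems.append(f"task_details.{key} is required")
    activity = d.get("activity_name")
    if activity not in REQUIRED:
        return problems + [f"unknown activity_name '{activity}'"]
    for key in sorted(REQUIRED[activity] - set(d)):
        problems.append(f"task_details.{key} is required for {activity}")
    if activity == "create_object":
        if d.get("object_type") not in OBJECT_TYPES:
            problems.append("object_type must be user, computer or group")
        elif d.get("properties", {}).get("ObjectClass") != d["object_type"]:
            # Assumption: the page's examples pair ObjectClass with object_type.
            problems.append("properties.ObjectClass must match object_type")
    if activity == "reset_password" and not ldaps_enabled:
        problems.append("reset_password runs only over LDAPS; set bridge.ldap.use.ssl=true")
    return problems
```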


