You can integrate your Konnect™ access server with an external user directory to synchronize user accounts automatically and to let users log in to the Konnect™ user and admin portals with their directory credentials, without replicating those credentials to the cloud.
Note: Integration of Konnect™ with an external user directory requires an active Enterprise or Pro license for your Konnect™ server.
Before you integrate Konnect™ access server with your LDAP-compatible user directory, please make sure that:
you have network connectivity between your Konnect™ server and your directory server. In particular, directory servers hosted on-premises may require an additional proxy service to allow a cloud-deployed Konnect™ access server to connect.
you have provisioned a dedicated BIND user for Konnect™ with a minimal set of access rights: read-only access to the directory subtree in which you keep VPN user accounts, and no write or administrative rights.
you know your BIND user's full DN, as well as the base DN of your directory.
each user that you wish to synchronize to Konnect™ VPN Access Server has a valid email address and a name attribute set in their directory account.
To configure your LDAP-compatible user directory, please provide the following information:
Host or IP Address of your directory server. If you provide a hostname, it must be resolvable from your Konnect™ instance. In either case you need to make sure that you have network connectivity between your Konnect™ server and the directory server, and open any firewall ports / proxy ports as required.
Port at which your LDAP server listens for requests. This is often
Connection Security used to protect communication with your directory server. Possible options are None (no connection security), StartTLS (initiate a TLS-secured connection over an otherwise clear-text channel), and TLS (negotiate a connection via SSL/TLS before exchanging any data). With None, the bind password and every synced user record travel in clear text, so use it only for testing on a trusted network; StartTLS or TLS should be used in production.
Authentication Type for your bind user. Can be Anonymous (no authentication required to query the directory tree or sub-tree; this only works if your directory permits anonymous searches of that sub-tree), Username / Password (use the bind user DN and password to authenticate before performing search queries), or SASL to use the Simple Authentication and Security Layer, as defined in RFC 4422.
LDAP Bind User, which is the distinguished name (DN) of a directory user account that has permission to authenticate to the directory and search the directory tree or sub-tree that you want to query for VPN user accounts.
LDAP Bind Password, which the bind user uses to authenticate to the directory server before performing search queries.
the Search Base, which is the DN of the directory sub-tree at which the user search starts; only objects at or below this DN are considered for synchronization.
an RFC 2254 compliant Search Query (the LDAP search filter syntax, now specified by RFC 4515) for your directory that returns the directory objects describing the users that should be synced with your Konnect™ server.
the Name Attribute of the directory objects found by the above search that should be used to capture the display name for synced users.
the Email Attribute of the directory objects found by the above search that should be used to capture the email address for synced users.
When you are satisfied with your settings, click on Save & Test settings to save the configuration values and perform a test of your settings.
The settings test page will show you a success or failure status for each test, together with any error messages that can help you diagnose issues. If the Konnect™ server can successfully communicate with your directory server, the test settings page will show a preview of the first 10 users that would be synced from your directory; check that each of them has the expected name and email values before continuing. When you are satisfied, click Done, otherwise click on Edit Settings to go back and edit your directory settings.
Konnect™ can synchronize users with your directory server periodically (the default is every 300 seconds). To enable periodic sync, switch Activate LDAP Integration to ON in your directory settings page and save.
If you wish to synchronize the Konnect™ server user database with your user directory immediately, outside of a scheduled periodic sync, click on Synchronize Now to start a background sync job.