You can integrate your Konnect™ access server with an external user directory to automatically synchronize user accounts and to allow users to log in to the Konnect™ user and admin portals with their directory credentials, without replicating those credentials to the cloud.
Konnect™ supports any LDAP-protocol-compatible external user directory, for example Active Directory, OpenLDAP, ApacheDS, ForgeRock OpenDJ, Red Hat 389 Directory Server, or JumpCloud.
Note: Integration of Konnect™ with an external user directory requires an active Enterprise or Pro license for your Konnect™ server.
Before you integrate the Konnect™ access server with your LDAP-compatible user directory, make sure that:
you have network connectivity between your Konnect™ server and your directory server. In particular, on-premises directory servers may require an additional proxy service so that a cloud-deployed Konnect™ access server can reach them.
you have provisioned a dedicated BIND user for Konnect™ with a minimal set of access rights to your directory and to the directory subtree that holds your VPN user accounts.
you know your BIND user's full DN (distinguished name), as well as the base DN of your directory.
each user that you wish to synchronize to the Konnect™ VPN Access Server has a valid email address and a name attribute set in their directory account.
To configure your LDAP-compatible user directory, provide the following information:
Host or IP Address of your directory server. If you provide a hostname, it must be resolvable from your Konnect™ instance. In either case, make sure that you have network connectivity between your Konnect™ server and the directory server, and open any firewall or proxy ports as required.
Port on which your LDAP server listens for requests. This is often 389 for LDAP and 636 for LDAPS (LDAP over SSL/TLS).
Connection Security used to protect communication with your directory server. Possible options are None (no connection security; the bind password and all directory data travel in clear text), StartTLS (upgrade an initially clear-text connection to TLS), and TLS (negotiate an SSL/TLS connection before exchanging any data).
Authentication Type for your bind user. Can be Anonymous (no authentication required to query the directory tree or subtree), Username / Password (use the bind user DN and password to authenticate before performing search queries), or SASL (use the Simple Authentication and Security Layer, as defined in RFC 4422).
LDAP Bind User, which is the distinguished name (DN) of a directory user account that has permission to authenticate to the directory and to search the directory tree or subtree that you want to query for VPN user accounts.
LDAP Bind Password, which the bind user uses to authenticate to the directory server before performing search queries.
Search Base, which is the starting point within your directory for user lookups and authentication.
Search Query, an RFC 2254-compliant LDAP search filter for your directory that returns the directory objects describing the users to be synced with your Konnect™ server.
Name Attribute of the directory objects returned by the above search, whose value is used as the display name of synced users.
Email Attribute of the directory objects returned by the above search, whose value is used as the email address of synced users.
When you are satisfied with your settings, click Save & Test settings to save the configuration values and test them.
The settings test page shows a success or failure status for each test, together with any error messages that can help you diagnose issues. If the Konnect™ server can successfully communicate with your directory server, the test page also shows a preview of the first 10 users that would be synced from your directory. When you are satisfied, click Done; otherwise click Edit Settings to go back and edit your directory settings.
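As a preflight check for the Search Query and attribute settings above (an added example, not part of Konnect™ or its documentation): it escapes filter values per RFC 4515, which supersedes RFC 2254, builds the search filter, and checks constructed sample results against the email and name prerequisites the way the Save & Test preview does. The memberOf attribute, the (dn, attributes) result shape and the sample entries are assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# RFC 4515 (which supersedes RFC 2254) requires these characters to be escaped in
# filter assertion values; embedding unescaped input is the classic LDAP-injection bug.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Assumed result shape: (DN, {attribute: [values]}); LDAP attributes are multi-valued.
Entry = Tuple[str, Dict[str, List[str]]]


def escape_filter_value(value: str) -> str:
    """Escape an assertion value before embedding it in an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(object_class: str, email_attr: str, group_dn: Optional[str] = None) -> str:
    """Build the Search Query: objects of one class that carry an email attribute,
    optionally restricted to members of a group (memberOf is an assumption; it exists
    on Active Directory and on OpenLDAP with the memberof overlay)."""
    parts = [f"(objectClass={escape_filter_value(object_class)})", f"({email_attr}=*)"]
    if group_dn:
        parts.append(f"(memberOf={escape_filter_value(group_dn)})")
    return "(&" + "".join(parts) + ")"


def preview_sync(entries: List[Entry], name_attr: str, email_attr: str, limit: int = 10):
    """Mimic the Save & Test preview: return the first `limit` users that would sync,
    plus a problem list for entries missing a name or a valid email address."""
    ok, problems = [], []
    for dn, attrs in entries:
        name = (attrs.get(name_attr) or [None])[0]
        email = (attrs.get(email_attr) or [None])[0]
        if not name:
            problems.append(f"{dn}: missing {name_attr}")
        elif not email or not _EMAIL_RE.match(email):
            problems.append(f"{dn}: missing or invalid {email_attr}")
        else:
            ok.append({"dn": dn, "name": name, "email": email})
    return ok[:limit], problems


# Constructed sample search results (not real directory data).
SAMPLE_ENTRIES: List[Entry] = [
    ("cn=alice,ou=vpn-users,dc=example,dc=com", {"cn": ["alice"], "mail": ["alice@example.com"]}),
    ("cn=bob,ou=vpn-users,dc=example,dc=com", {"cn": ["bob"]}),  # no mail attribute: will not sync
    ("cn=carol,ou=vpn-users,dc=example,dc=com", {"cn": ["carol"], "mail": ["not-an-address"]}),
]

if __name__ == "__main__":
    print(build_user_filter("person", "mail", "cn=vpn-users,ou=groups,dc=example,dc=com"))
    print(*preview_sync(SAMPLE_ENTRIES, "cn", "mail"), sep="\n")
```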
Konnect™ can synchronize users with your directory server periodically (the default interval is 300 seconds). To enable periodic sync, switch Activate LDAP Integration to ON on your directory settings page and save.
If you wish to synchronize the Konnect™ server user database with your user directory immediately, outside of the scheduled periodic sync, click Synchronize Now to start a background sync job.