LDAP Synchronization

On-Premises Only
This feature is only available in our On-Premises solution. For security reasons it is disabled by default and can be enabled via the installer (rips3.py rips:config --ldap=1 --restart).

The On-Premises version of RIPS allows you to connect to a user directory through LDAP. If enabled, users are imported from the user directory and authenticated against it instead of against the RIPS database.

General Settings

In the general settings you have to specify your LDAP version, the address and port of your LDAP server, the encryption mode of the LDAP connection, and what happens to expired accounts. User accounts that were created from the user directory but no longer exist there are either disabled or deleted automatically. If your encrypted connection uses a certificate issued by a custom certificate authority, paste the CA certificate in PEM format into the "CA Certificate" input field. Use an encrypted mode in production: with an unencrypted LDAP simple bind, the Search Password and every user's login password cross the network in clear text.

You cannot enable LDAP until both the general settings and the query settings are valid.

Query Settings

The query settings define where to find the user information in the user directory and how to verify the password of a user.

  1. First you have to specify the "Base DN" of your user directory, for example dc=example,dc=com.
  2. The "User DN" is used to verify the password of a user. It has to contain the placeholder "{email}", which is automatically replaced by the e-mail address of the user trying to log in.
  3. The "Identifier Key" is optional and can be used to authenticate against a different attribute than the e-mail address (see the example "Identification by Other").
  4. The "Search Query" is used to check whether a user exists and to read out all available users. The search query has to contain the placeholder "{email}" and may contain the placeholder "{emailKey}", which is automatically replaced by the value of "Email Key". The email key also names the attribute that is read from the user directory as the user's e-mail address. Warning: this value is case sensitive!
  5. Specify a DN with read access to the user directory as "Search DN" and its password as "Search Password". These credentials are used to synchronize the LDAP user directory with the RIPS database, so use a dedicated read-only account rather than a directory administrator account.


New LDAP users are created in RIPS automatically, but you can filter by keys (e.g. "rips") to make sure that only specific users are added to RIPS. New user accounts have no read privileges on any scan results by default. The LDAP settings can only be changed by "chief" users.
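The following is an added example and not RIPS's own code. It models what the five query settings above and the synchronization behaviour from the general settings do for one login attempt and one sync run, using the values from the two example tables on this page. The login identifier is escaped before it is placed into the search filter (RFC 4515) and into the User DN (RFC 4514), which is the check a practitioner should expect from any code that expands these placeholders; a raw substitution would let a login name such as "*)(objectClass=*" rewrite the filter. The "{id}" placeholder for the identifier key is an assumption taken from the "Identification by Other" table, and the directory entries and database rows are constructed sample data.

```python
"""Added example, not part of RIPS: expands the LDAP query settings described
above for a login attempt and a synchronization run, escaping the value that
is substituted into the search filter (RFC 4515) and into the User DN (RFC
4514). The "{id}" placeholder is an assumption based on the example table."""

# Settings copied from the two example tables on this page.
RIPS_MAIL = {
    "base_dn": "ou=RIPS,dc=example,dc=ripstech,dc=com",
    "user_dn": "mail={email},ou=RIPS,dc=example,dc=ripstech,dc=com",
    "search_query": "({emailKey}={email})",
    "email_key": "mail",
    "identifier_key": "",
}
RIPS_OTHER = dict(RIPS_MAIL,
                  user_dn="cn={id},ou=RIPS,dc=example,dc=ripstech,dc=com",
                  identifier_key="cn")


def escape_filter_value(value: str) -> str:
    """RFC 4515: escape the characters that have meaning inside a search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def escape_dn_value(value: str) -> str:
    """RFC 4514: escape an attribute value that will be embedded in a DN."""
    out = []
    last = len(value) - 1
    for i, c in enumerate(value):
        if c in ',+"\\<>;=' or (c == "#" and i == 0) or (c == " " and i in (0, last)):
            out.append("\\" + c)
        elif ord(c) < 0x20:
            out.append("\\%02x" % ord(c))
        else:
            out.append(c)
    return "".join(out)


def build_search_filter(settings, login):
    """Search Query with {emailKey} -> Email Key and {email} -> escaped login."""
    query = settings["search_query"].replace("{emailKey}", settings["email_key"])
    return query.replace("{email}", escape_filter_value(login))


def read_email(settings, entry):
    """Email Key is used verbatim as the attribute name: a case mismatch is an error."""
    return entry[settings["email_key"]]


def build_bind_dn(settings, login, entry):
    """User DN that would be bound with the user's password to verify it.

    entry: attributes of the directory entry found via build_search_filter.
    With an Identifier Key, that attribute's value replaces {id}; otherwise
    the login e-mail replaces {email}.
    """
    key = settings["identifier_key"]
    if key:
        return settings["user_dn"].replace("{id}", escape_dn_value(entry[key]))
    return settings["user_dn"].replace("{email}", escape_dn_value(login))


def sync_users(directory_emails, db_users, expired_action="disable"):
    """One synchronization run: insert new directory users (with no read access
    to any scan) and disable or delete LDAP-created accounts that are gone."""
    for email in directory_emails:
        db_users.setdefault(email, {"source": "ldap", "active": True,
                                    "can_read_scans": False})
    for email, user in list(db_users.items()):
        if user["source"] == "ldap" and email not in directory_emails:
            if expired_action == "delete":
                del db_users[email]
            else:
                user["active"] = False
    return db_users


if __name__ == "__main__":
    # Constructed input: a login name that tries to widen the search filter.
    print(build_search_filter(RIPS_MAIL, "*)(objectClass=*"))
    # Constructed directory entry for the "Identification by Other" settings.
    entry = {"cn": "Alice Smith", "mail": "alice@example.com"}
    print(build_bind_dn(RIPS_OTHER, "alice@example.com", entry))
```

Running the block prints the escaped filter `(mail=\2a\29\28objectClass=\2a)` and the bind DN `cn=Alice Smith,ou=RIPS,dc=example,dc=ripstech,dc=com`. The `read_email` helper deliberately looks the attribute up by the exact "Email Key" string, which is the case-sensitivity warning from step 4 in code form.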

Examples

Identification by Mail

By default RIPS tries to use the e-mail address to identify users in the user directory. This only works if the e-mail address is part of the DN. If another attribute is used as part of the DN, see "Identification by Other".

Name             Example Value
Base DN          ou=RIPS,dc=example,dc=ripstech,dc=com
User DN          mail={email},ou=RIPS,dc=example,dc=ripstech,dc=com
Search Query     ({emailKey}={email})
Email Key        mail
Identifier Key   (empty)
Search DN        cn=admin,dc=example,dc=ripstech,dc=com
Search Password  *********

Identification by Other

If your user directory does not use the e-mail address as part of the DN, you have to specify an identifier key. When a user tries to log in, the value of that attribute from the matching directory entry is inserted into the "User DN" instead of the e-mail address.

Name             Example Value
Base DN          ou=RIPS,dc=example,dc=ripstech,dc=com
User DN          cn={id},ou=RIPS,dc=example,dc=ripstech,dc=com
Search Query     ({emailKey}={email})
Email Key        mail
Identifier Key   cn
Search DN        cn=admin,dc=example,dc=ripstech,dc=com
Search Password  *********