ConductorOne Docs

🛠️ LDAP integration

ConductorOne provides identity governance and just-in-time provisioning for LDAP. Integrate your LDAP server with ConductorOne to run user access reviews (UARs), enable just-in-time access requests, and automatically provision and deprovision access.

Availability

🛠️ The LDAP integration requires use of ConductorOne’s LDAP connector, which was built using the open-source Baton SDK.

Capabilities

  • Sync user identities from LDAP to ConductorOne

  • Resources supported:

    • Roles (organizationalRole in LDAP)
    • Groups (groupOfUniqueNames in LDAP)
  • Provisioning supported:

    • Role assignment
    • Group membership

To use ConductorOne to provision LDAP roles and groups: Be sure to include the --provisioning flag on the install command, as shown in Step 1 below.

Integrate your LDAP instance

Once baton-ldap is installed and the integration is set up, Baton runs as a service in your environment. The service maintains contact with ConductorOne, syncs and uploads data at regular intervals, and passes that data to the ConductorOne UI, where you and your colleagues can use it to run access reviews and facilitate access requests for the application.

Step 1: Install baton-ldap

  1. Run the brew or source commands shown below to install baton-ldap, substituting in your LDAP URL, base DN, bind DN, and bind password (see the baton-ldap repo’s README for details). Note that values supplied as inline variable assignments on the command line are recorded in your shell history along with the command; on a production host, export them from a file with restricted permissions instead.

    To use ConductorOne to provision LDAP roles and groups, include the --provisioning flag on the install command, as shown below. If you are not using ConductorOne for LDAP provisioning, leave the flag out: without it the connector only reads from LDAP, so the bind account needs no write access.

brew

# Install the baton CLI and the LDAP connector
brew install conductorone/baton/baton conductorone/baton/baton-ldap

# Run the connector once with the LDAP URL, base DN and bind credentials.
# Omit --provisioning if ConductorOne will not write to LDAP.
BATON_PASSWORD=admin_pass BATON_BASE_DN=base_dn BATON_USER_DN=user_dn BATON_DOMAIN=ldap_url baton-ldap --provisioning
# Inspect what the local sync produced
baton resources

source

# Build and install the baton CLI and the LDAP connector from source
go install github.com/conductorone/baton/cmd/baton@main
go install github.com/conductorone/baton-ldap/cmd/baton-ldap@main

# Run the connector once with the LDAP URL, base DN and bind credentials.
# Omit --provisioning if ConductorOne will not write to LDAP.
BATON_PASSWORD=admin_pass BATON_BASE_DN=base_dn BATON_USER_DN=user_dn BATON_DOMAIN=ldap_url baton-ldap --provisioning
# Inspect what the local sync produced
baton resources

Step 2: Set up the LDAP integration in ConductorOne

This task requires the Integration Administrator or Super Administrator role in ConductorOne.

  1. In ConductorOne, open Admin and click Integrations > Baton.

  2. Choose whether to add the LDAP connector to an existing application in ConductorOne (and select the app of your choice) or to create a new Baton application.

    Once configuration is complete, the new application’s name will automatically change from Baton to LDAP.

  3. Set the integration owner for this connector. You can manage the integration yourself, or choose someone else from the list of ConductorOne users. Setting multiple integration owners is allowed. You can change the integration owner later, if necessary.

  4. Click Create and add details.

    If you selected someone else as the integration owner, that person will be notified to take over this process from this point.

  5. Find the Settings area of the page and click Edit.

  6. Click Rotate to generate a new set of credentials. Carefully copy the Client ID and Secret. You’ll use them in Step 3.

Step 3: Add credentials to your LDAP connector

  1. On the server where baton-ldap runs (see Step 1), pass in the Client ID and Secret generated in Step 2 by adding --client-id <CLIENT ID> --client-secret <SECRET> to the baton-ldap command, alongside the BATON_* settings used in Step 1.

    Run baton-ldap --help to see the full list of flags for passing your credentials to the connector.

  2. The connector syncs current data, uploads it to ConductorOne, and prints a Task complete! message when finished.

  3. Check that the connector data uploaded correctly. In ConductorOne, open Apps and click Applications, then locate and click the name of the application you added the LDAP connector to. LDAP data should be found on the Groups, Roles, Resources, and Accounts tabs, as appropriate.
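The following wrapper script brings Steps 1 and 3 together. It is an added example, not ConductorOne's or baton-ldap's own code: it loads the LDAP bind password and the ConductorOne client secret from a mode-0600 file rather than typing them on the command line, refuses to start if that file is readable by other users, checks that every setting the connector needs is present, and adds --provisioning only when a BATON_PROVISIONING switch is set. The secrets file path and layout and the BATON_PROVISIONING variable are assumptions of this example; the BATON_* settings and the --provisioning, --client-id and --client-secret flags are the ones used on this page.

```sh
#!/bin/sh
# run-baton-ldap.sh: added example wrapper (not ConductorOne's or baton-ldap's
# own code) for Steps 1 and 3 above. It keeps the LDAP bind password and the
# ConductorOne client secret out of shell history by loading them from a
# root-owned, mode-0600 file instead of typing them on the command line.
# Assumptions for this example: the secrets file path, its KEY='value' layout,
# and the BATON_PROVISIONING switch. The BATON_* variables and the
# --provisioning, --client-id and --client-secret flags are from the page.

# Expected contents (assumed layout):
#   BATON_PASSWORD='...'        LDAP bind password for BATON_USER_DN
#   BATON_CLIENT_ID='...'       Client ID from Step 2
#   BATON_CLIENT_SECRET='...'   Secret from Step 2
SECRETS_FILE="${SECRETS_FILE:-/etc/baton-ldap/secrets.env}"

# Return 0 only when the file exists and grants no group/other access
# (mode 0600 or stricter), so a world-readable secrets file is refused.
secrets_file_is_private() {
    f="$1"
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null) || return 1
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Return 0 when every setting the connector needs is present; otherwise print
# the missing names (never the values) to stderr and return 1.
required_vars_present() {
    missing=""
    for v in BATON_DOMAIN BATON_BASE_DN BATON_USER_DN BATON_PASSWORD \
             BATON_CLIENT_ID BATON_CLIENT_SECRET; do
        eval "val=\${$v:-}"
        [ -n "$val" ] || missing="$missing $v"
    done
    [ -z "$missing" ] && return 0
    echo "baton-ldap: missing settings:$missing" >&2
    return 1
}

# Print the non-secret part of the argument list. --provisioning is added only
# when BATON_PROVISIONING=true, matching the page's note to omit the flag when
# ConductorOne is not used for LDAP provisioning (a read-only bind then suffices).
baton_args() {
    args="--client-id ${BATON_CLIENT_ID:-unset}"
    [ "${BATON_PROVISIONING:-false}" = "true" ] && args="$args --provisioning"
    printf '%s\n' "$args"
}

run_baton_ldap() {
    secrets_file_is_private "$SECRETS_FILE" || {
        echo "refusing to use $SECRETS_FILE: missing or not mode 0600" >&2
        return 1
    }
    # Export everything defined in the secrets file so baton-ldap sees it.
    set -a
    . "$SECRETS_FILE"
    set +a
    required_vars_present || return 1
    echo "starting baton-ldap $(baton_args) against $BATON_DOMAIN" >&2
    # The client secret still appears on argv here, as the page's Step 3 does it;
    # argv is visible to other local users via ps, so run this on a dedicated host.
    exec baton-ldap $(baton_args) --client-secret "$BATON_CLIENT_SECRET"
}

# Start the connector only when executed as a script under this name, so the
# functions above can be sourced and checked without launching baton-ldap.
if [ "${0##*/}" = "run-baton-ldap.sh" ]; then
    run_baton_ldap
fi
```

Keep the secrets file owned by the account the connector runs as, with mode 0600, and give BATON_USER_DN the least privilege the mode needs: read access to the users, groupOfUniqueNames and organizationalRole entries under BATON_BASE_DN when syncing only, plus write access to the membership attributes (uniqueMember on groups and roleOccupant on roles in the standard schema) only when --provisioning is in use.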