Provisioning Users with LDAP

The Directory Service Settings section lets you configure the settings to sync users between your account and an LDAP domains, such as Active Directory (AD).

High Level Workflow of Configuring a Domain

This is the workflow to use Directory Services to integrate an LDAP domain with your Cato account:

Adding a Domain to the Cato Management Application

When you add an LDAP domain to your account, you need to add a Directory Service connection to the Cato Management Application. Each domain and child domain in your organization needs a separate connection in the Directory Service Settings window. For example, if your account has the domains sample.com, alpha.sample.com, and example.com, then you need to create three connections in Directory Service Settings.

For the domain Password, the maximum length of a password is 48 characters.

When you enter the distinguished names (DNs) for the domain:

  • Login DN refers to the object in the LDAP directory hierarchy for the admin

  • Base DN refers to the object in the LDAP directory hierarchy for the users and groups that the admin is syncing with Cato

Understanding User Sync Settings

Changes to LDAP users on the Domain Controller can trigger a high number of user modifications in the Cato Management Application. To reduce the risk of errors, you can choose to limit the number of changes made in each sync in these ways:

  • Prevent removing or disabling users: You can limit the number of users that are removed or disabled.

  • Prevent updating group membership: If an LDAP sync changes user group membership of 1500 or more users, Microsoft on-premise Active Directory may remove the users from the group. To prevent this, you can customize the maximum number of users that can change user group membership in a single sync. For more information, see Directory Services and User Awareness Errors Troubleshooting

  • Update user emails: You can limit the number of user email addresses that are updated.

If the limit is exceeded, the next LDAP sync will fail and an event with the Directory Services Sub-Type is created.

Note

Note: If a user is disabled and then re-enabled on your AD, they may need to uninstall and reinstall the Cato Client to connect to the network. 

Changing the Path to a Group in your Domain Controller

If you change the path to a Group in your Domain Controller, you must also update the Base DN in the Cato Management Application (CMA).

If you do not update the CMA to the new path, User groups that have been moved are no longer included in syncs and are deleted. These User groups are no longer visible on the ​​User Groups​​ page. Deleted User groups are still visible in policies and marked as deleted and the policy is not applied to the User group. SDP licenses are removed from users within the deleted LDAP provisioned User group and can no longer connect to the network. If the users need to connect to the network, then it's necessary to re-assign SDP licenses to them.

Adding a Domain to the Cato Management Application

New_DirectorySevice.png

To add a domain to the Cato Management Application:

  1. From the navigation menu, click Access > Directory Services.

  2. From the LDAP section or tab, and click New.

    The New Directory Service panel opens.

  3. Select the LDAP Provider.

    Only one LDAP provider can be selected.

  4. In the LDAP Authentication Description section, configure the Login DN:

    • For on-premise AD, use the AD account Distinguished Name (DN)

    • For an Azure AD, use the AD account User Principal Name (UPN)

  5. Enter the Login DNand Base DN.

  6. Enter the Password for the CN user that you created for the Directory Services connection.

  7. For LDAP domains that use an SSL connection, select Encryption.

    The domain is added to the Cato Management Application. Configure the Domain Controllers for the domain.

  8. Select your SDP User Sync Settings.

Adding a Domain Controller

Add the Domain Controller (DC) that is associated with the LDAP server to the Directory Services domain.

For LDAP servers that are behind a site, you can add the DC using the IP address or as a host that is defined for a site (Network > Sites > {site name} > Site Configuration > Hosts).

For servers that are external and use a public IP address, you can define the DC using an IP address or the domain.

Note

Note: Make sure that firewalls or routing devices are configured correctly for the following deployments:

  • The DC resides behind an IPsec site (instead of a Socket)

  • All of the traffic isn't routed to the Socket

You need to contact Support to obtain the source IP address of the LDAP sync. Make sure that traffic to and from this IP address is routed inside the Cato tunnel.

Edit_DC.png

To add a domain controller:

  1. In the navigation menu of the New Directory Service panel, click Domain Controllers.

  2. Define the connection settings to the DC depending on its location:

    • For DCs on a host defined behind a site, select Internal Host, and then select the static host for the LDAP server

    • For DCs that use an internal IP address, select Internal IP and enter the IP address for the DC

    • For DCs that aren't behind a site, select External IP or Domain, and enter the IP address or domain for the DC

  3. Click Add.

  4. For deployments with multiple DCs, repeat the previous steps to add each DC.

  5. Click Save and Close.

Testing Connectivity to a Domain

After you define the domain and add the DC, we recommend that you test the connectivity between the domain and the Cato Management Application.

The Cato Management Application automatically tests connectivity to all the DCs for the domain, and shows the results for each DC.

If the connectivity test is unsuccessful, see Troubleshooting Directory Services and User Awareness Errors and Issues for troubleshooting recommendations.

To test the connectivity to the domain:

  • From the Connection column for the domain, click Test connection. The Cato Management Application shows the results of the connectivity test.

Synchronizing the Domain with Your Cato Account

After you add the DCs, configure the settings that define how to synchronize the users in the LDAP groups.

  • If you are using Directory Services and you need to modify a user's mobile phone number for MFA, only modify the phone number in the LDAP directory

High Level Overview of Configuring the Directory Service Settings for a Domain

  1. Select the LDAP groups that are synchronized your account.

  2. Enable or disable automatically synchronizing the users each day.

  3. Define the behavior for users that are removed from the LDAP group - to disable or to remove them from the Cato Management Application.

Importing Active Directory Groups

Select the LDAP groups to be synced into your account.

To select the AD groups that are imported to your account:

  1. In the New Directory Service panel, click User Groups.

  2. From the Select User Groups dropdown, select the groups that you are syncing with your account.

    Note: If no groups are selected, the entire Active Directory is imported.

    Configure the Synchronization settings for this domain (see below).

Assigning Licenses and Applying Policies

Once users are synced into your account, you can assign them SDP licenses and apply polices that are enforced wherever the user connects. For more information on assigning SDP licenses, see Assigning SDP Licenses to Users.

Overview of Synchronization Settings

You can enable your account to automatically synchronize each day with the LDAP directory, and update the groups and users in the Cato Management Application to match those in the domain. You can also choose to add a prefix to the imported LDAP groups and users in the Cato Management Application. This prefix lets you easily distinguish between imported users and users that you manually create.

Cato starts the daily automatic LDAP sync for all accounts at 12:00 am UTC. Cato performs the sync one account at a time, and it can take several hours to complete the daily sync of all accounts. If the Daily Sync User Groups option is disabled after 12:00 am, but before Cato starts the LDAP sync, then the automatic sync is skipped until the next time window when the option is enabled.

Note

Note: For accounts with multiple domains, the synchronization settings must be the same for all the domains in your account. Otherwise, there can be issues related to possible trust dependencies between the different domains.

Users that No Longer Exist in Directory Service Groups

The If user no longer exists in imported Directory Service groups setting lets you define the synchronization behavior when users or groups are deleted from the LDAP server or have expired or been disabled. You can choose from the following options:

  • Disable - the users are disabled and can't connect to the Cato Cloud. The user remains in User Groups they were members of

  • Remove - the users accounts are removed from the Cato Management Application, including from User Groups they were members of

    When groups or users are removed from the LDAP server, but they are used by an object or rule in the Cato Management Application, this is the sync behavior:

    • Users are disabled instead of deleted

    • Groups are marked as no longer synced

    • The groups or users are labeled as Manual instead of LDAP

By default, the Cato Management Application prevents accounts from deleting or disabling more than 100 users as part of the LDAP sync. At the start of the LDAP sync, if the sync will delete or disable more than 100 users (for the default setting), then the sync is canceled and an email notification is sent. You can disable preventing deleting or disabling users, or change the maximum number of deleted users per LDAP sync.

Configuring the Directory Service Synchronization Settings

Configure the settings for the sync between the domain and your Cato account. You choose to enable a daily automatic sync, and the behavior when a user is removed from a Directory Service group.

To configure the synchronization settings for a domain:

  1. Manage the automatic sync settings:

    1. In the New Directory Service panel, select User Groups.

    2. In the User Groups section, select to enable or disable Daily Sync User Groups.

      The toggle is green when enabled.

  2. Define the behavior If user no longer exists in imported Directory Service groups in the AD domain:

    • Disable the user in the Cato Management Application

    • Remove the user from the Cato Management Application

  3. (Optional) Customize the setting for Prevent deleting more than a number of users during LDAP sync:

    • To change the how many users that can be deleted during LDAP sync, in users, enter the maximum number of deleted users.

    • To remove the limit of how many users that can be deleted during LDAP sync, disable slider_disable.png this setting.

  4. (Optional) In Add prefix to imported groups, enter the prefix that is automatically added to the names for Groups and users in the Cato Management Application.

  5. Click Apply and then click Save.

    The domain is configured to sync users and groups with your account.

Manually Synchronizing the Directory Services

Use the Sync Now feature to manually synchronize groups and users between the AD server and the Cato Management Application. For accounts with multiple domains, The Cato Management Application synchronizes all domains simultaneously (because there can be trust dependencies between domains).

To manually sync the Directory Services for all domains:

  1. From the navigation menu, click Access > Directory Services.

  2. In the LDAP section or tab, click Sync Now.

  3. After a short time, a window opens and summarizes the sync. If changes were detected, click either:

    • Review Changes - to review the changes before performing the updates.

    • Perform Updates - to perform the sync and update the Cato Management Application and the domain servers.

Deleting Domains and Domain Controllers

You can delete domains and DCs when they are no longer needed.

Note

Note: Deleting domains and DCs is permanent and you can't undo the delete.

To delete a domain:

  1. From the navigation menu, click Access > Directory Services.

  2. In the LDAP section or tab, in the row of the domain click Delete.png.

  3. Click Save. The domain is deleted from your account.

To delete a domain controller:

  1. From the navigation menu, click Access > Directory Services.

  2. In LDAP section or tab, edit the domain.

    The Edit Directory Services panel opens.

  3. In the navigation menu of the New Directory Service panel, click Domain Controllers.

  4. In the row with the DC, click Delete.png.

  5. Click Apply and then click Save. The DC is deleted from the domain.

Managing Multiple Domains

If your organization has more than one domain, you can define Directory Service connections for each domain. Add and configure the new domains to the account.

You must enter the password for each new domain that you add to the account.

Was this article helpful?

0 out of 0 found this helpful

0 comments

Add your comment