Syncing Users with LDAP

In this article we explain and demonstrate how to configure your Cato account to work with Active Directory (LDAP integration). The feature fetches the users and adds them automatically to the Cato Management Application. It does NOT authenticate to the AD server.

The sAMAccountName attribute is used for the name of the User Group in the Cato Management Application.

The sync has two main options:

1. Syncing with a local AD server

2. Syncing with an external AD server

Syncing a Local AD Server

If the LDAP sync isn't working correctly, see Resolving Issues with LDAP Sync (you must be logged in to your Cato Knowledge Base account to view this article).

How to sync a local AD server (server behind a Cato site):

  1. Add the AD server to the Hosts screen for the site.

    1. From the navigation menu, select Network > Sites, and select the site.

    2. From the navigation menu, select Site Configuration > Hosts.

    3. Click New and enter the settings for the AD server.

    4. Click Apply and then click Save.

  2. Add a new domain to the LDAP services for the account.

    1. From the navigation menu, click Access > Directory Services, and select the LDAP tab or section.

    2. Click New, and configure the settings for the AD domain.

      • Login DN and Base DN - The distinguished name of the account used to bind to the AD and fetch users (Login DN), and the distinguished name of the location in the AD where the user search starts (Base DN)

      • Password - The password of the Login DN account used to access the Active Directory

      • Encryption - Select Use SSL to encrypt the connection (not supported by all servers)

    3. Click Save.

  3. Add the AD server (from step 1) as a domain controller (DC) to the domain.

    1. In the panel navigation section, click Domain Controllers.

    2. In the top drop-down menu, select Host, and in the next drop-down menu, select the host from step 1.

    3. Click Save.

  4. Select the AD groups you are syncing to your Cato account.

    • If no groups are selected, then all the AD groups are imported for User Awareness based on the Bind DN location. For example, if the Bind DN search is started from cn=users,dc=cato,dc=local, then all the users and groups synced will be from the start of the Bind DN.

    • Nested groups are synced if you select the parent group

    • The User Principal Name (UPN) AD parameter must be configured for a user to be identified by User Awareness

    1. In the panel navigation section, click User Groups.

    2. Select the AD groups that you are syncing.

      Note: Capitalization matters when importing organizational units from Active Directory. ExampleGroup will be treated differently from EXAMPLEGROUP.

      If you change the name of the OUs within Active Directory, please ensure that you also change the selected OUs within the Cato Management Application.

    3. Select Daily Sync User Groups to enable automatically syncing the groups and users each day.

    4. Click Save and Close.

  5. In the Directory Services screen, click Sync Now.

After users are synced, they can be assigned an SDP license.

For User Awareness, users can be identified by AD query or the identity agent.

Syncing an External AD Server

If you need to sync an external AD server, then you can perform the same procedure as above.

  • If your Domain Controller is behind an IPsec connection or if you are routing only some subnets to the Socket, be sure to include the IP address of the Cato Management Application in your VPN tunnel routing configuration. Traffic from and to this IP should be routed via the Cato tunnel.

  • When the UPN and/or email address of an LDAP user has been changed in the AD, the status of the affected LDAP user remains unchanged in the Cato Management Application.

  • When syncing Azure AD, both the Member and Guest user types are synchronized.

  • Make sure that the first and last names are configured for AD users. Users missing a first or last name are NOT synced to your Cato account.
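The procedure above and the notes that follow it list the conditions a user must meet to be synced (a configured UPN, a first name and a last name) and the two behaviours that catch administrators out (nested groups are pulled in with their parent, and group names are case-sensitive). The following pre-flight script is an added example written for this article; it is not Cato's code and does not use any Cato API. It audits constructed sample user records for the missing attributes, flags group names that differ only by case, and builds the nested-membership LDAP filter that Active Directory supports. The `fetch_users` helper assumes the third-party `ldap3` package and is the only part that talks to a server; the host, Login DN, password and DNs it takes are placeholders you supply.

```python
"""Pre-flight check for an AD/LDAP user sync (added example, not Cato's code).

The sync described in the article only fetches users, so the account behind the
Login DN needs read access and nothing more. Before enabling Daily Sync, bind
with that account, pull the members of the groups you intend to select (nested
groups included) and report the users that would be skipped.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Attributes the sync depends on: the UPN for User Awareness, first and last
# name for the user to be created at all.
REQUIRED_ATTRS = ("userPrincipalName", "givenName", "sn")
# Active Directory's LDAP_MATCHING_RULE_IN_CHAIN OID: matches nested members too.
IN_CHAIN = "1.2.840.113556.1.4.1941"


@dataclass
class UserRecord:
    dn: str
    attrs: Dict[str, Optional[str]]


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    for raw, esc in (("\\", r"\5c"), ("*", r"\2a"), ("(", r"\28"),
                     (")", r"\29"), ("\x00", r"\00")):
        value = value.replace(raw, esc)
    return value


def nested_member_filter(group_dn: str) -> str:
    """Filter matching every user that is a direct or nested member of group_dn."""
    return f"(&(objectClass=user)(memberOf:{IN_CHAIN}:={escape_filter_value(group_dn)}))"


def audit_users(users: Iterable[UserRecord]) -> Dict[str, List[str]]:
    """Map each user DN that would NOT be synced to the attributes it is missing."""
    problems: Dict[str, List[str]] = {}
    for user in users:
        missing = [a for a in REQUIRED_ATTRS if not (user.attrs.get(a) or "").strip()]
        if missing:
            problems[user.dn] = missing
    return problems


def find_case_collisions(group_names: Iterable[str]) -> Dict[str, List[str]]:
    """Group names that differ only in capitalisation; the sync treats them as distinct."""
    by_lower: Dict[str, set] = {}
    for name in group_names:
        by_lower.setdefault(name.lower(), set()).add(name)
    return {key: sorted(names) for key, names in by_lower.items() if len(names) > 1}


def fetch_users(host: str, login_dn: str, password: str, base_dn: str,
                group_dn: Optional[str] = None, use_ssl: bool = True) -> List[UserRecord]:
    """Bind with the Login DN and fetch users below base_dn (assumes the ldap3 package)."""
    from ldap3 import ALL, Connection, Server  # imported here so the audit runs offline

    server = Server(host, port=636 if use_ssl else 389, use_ssl=use_ssl, get_info=ALL)
    conn = Connection(server, user=login_dn, password=password, auto_bind=True)
    ldap_filter = nested_member_filter(group_dn) if group_dn else "(objectClass=user)"
    conn.search(base_dn, ldap_filter, attributes=list(REQUIRED_ATTRS) + ["sAMAccountName"])
    records = []
    for entry in conn.entries:
        attrs = entry.entry_attributes_as_dict  # ldap3 returns each value as a list
        records.append(UserRecord(entry.entry_dn, {k: (v[0] if v else None) for k, v in attrs.items()}))
    return records


# Constructed sample records (not real directory data) under the article's example base DN.
SAMPLE_USERS = [
    UserRecord("cn=Alice Example,cn=users,dc=cato,dc=local",
               {"userPrincipalName": "alice@cato.local", "givenName": "Alice", "sn": "Example"}),
    UserRecord("cn=Bob Example,cn=users,dc=cato,dc=local",
               {"userPrincipalName": "bob@cato.local", "givenName": "Bob", "sn": ""}),
    UserRecord("cn=svc-sync,cn=users,dc=cato,dc=local",
               {"userPrincipalName": None, "givenName": "Sync", "sn": "Service"}),
]


if __name__ == "__main__":
    for dn, missing in audit_users(SAMPLE_USERS).items():
        print(f"NOT synced: {dn} (missing {', '.join(missing)})")
    for names in find_case_collisions(["ExampleGroup", "EXAMPLEGROUP", "Finance"]).values():
        print(f"case-only difference, select carefully: {names}")
    print(nested_member_filter("cn=Sales (EMEA),ou=groups,dc=cato,dc=local"))
```

To run it against a real directory, replace `SAMPLE_USERS` with the result of `fetch_users(...)` for the Login DN and Base DN you entered in the LDAP domain settings, and pass the DN of each group you plan to select so nested members are included in the audit. Keeping `use_ssl=True` mirrors the Use SSL option and is also a quick way to find out whether the server supports it before you save the domain.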
