
Configuring LDAP Integration

LDAP is an open, application-layer protocol for accessing and managing directory services over IP networks.

A common use of LDAP is to provide one shared identity source for several services (SSO).

For large enterprises, integrating Checkmarx One with an LDAP server mirrors their users and groups tree inside Checkmarx One.

After Checkmarx One is successfully integrated with the LDAP server in your organization, the following will happen:

  • All the selected users in the organization will be present in the Users section, as they appear in the LDAP organization tree.

    For additional information, see Users.

  • All the selected groups in the organization will be present in the Groups section, as they appear in the LDAP organization tree.

    For additional information, see Managing Groups.

When you log in to Checkmarx One for the first time, the LDAP window is empty.

Adding a new LDAP Server

To add a new LDAP server, perform the following:

Click Add new LDAP server.

The Add LDAP provider configuration window will open.

Configuring a new LDAP Server

Note

Mandatory fields are marked with a red asterisk.

The LDAP configuration window includes the following sections:

Server Settings

Below are all the configuration options that exist in this section:

  • Enabled

  • Console Display Name

  • Priority - When several LDAP servers are configured, sets the order in which the providers are consulted during a user lookup. Lowest value first.

  • Vendor - LDAP vendor (provider)

    Values: Active directory, Red Hat Directory Server, Tivoli, Novell eDirectory, Other.

    Note

    All the other LDAP mandatory configuration fields (Username LDAP attribute, RDN LDAP attribute, UUID LDAP attribute, Users DN) will be set automatically according to the vendor selection.

  • Username LDAP attribute - Name of the LDAP attribute that holds the username.

  • RDN LDAP attribute - Name of the LDAP attribute used as the RDN (top attribute) of a typical user DN. Usually it is the same as the Username LDAP attribute.

  • UUID LDAP attribute - Name of the LDAP attribute used as the unique object identifier (UUID) for objects in LDAP.

    For example, for Active directory it should be 'objectGUID'.

  • Users DN - Full DN of the LDAP tree where the users are located. This DN is the parent of the LDAP users and determines which branch of the LDAP tree the users are taken from.

  • Enable StartTLS - Encrypts the connection to LDAP using STARTTLS. Enabling it disables connection pooling.

  • User Object Filter - Additional LDAP filter for narrowing the searched users. Leave this empty if you don't need an additional filter. If a filter is configured, make sure that it starts with a ' sign and ends with a ' sign.

  • Search Scope - There are 2 options for this field: One level or Subtree.

    One level: The search applies only to users directly under the DN specified by Users DN.

    Subtree: The search applies to the entire subtree under Users DN.

    For more details, see LDAP Documentation.
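As an added example (not Checkmarx One or Keycloak code), the following Python shows how the Users DN, Username LDAP attribute, User Object Filter and Search Scope fields combine into the user lookup, using a constructed in-memory directory with Active Directory style attribute names. It also escapes the username per RFC 4515 so that a crafted login name cannot change the structure of the filter; the function names, the `(...)` check on the extra filter and the sample entries are assumptions of this example.

```python
from dataclasses import dataclass

@dataclass
class ServerSettings:
    """The Server Settings fields this example uses (names follow the page)."""
    users_dn: str
    username_attr: str
    user_object_filter: str = ""   # optional extra filter, sent as configured
    search_scope: str = "SUBTREE"  # "ONE_LEVEL" or "SUBTREE"

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a username containing * ( ) \\ or NUL cannot change
    the structure of the search filter (LDAP-injection guard)."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)

def build_user_filter(s: ServerSettings, username: str) -> str:
    """Username clause, AND-ed with the User Object Filter when one is set."""
    clauses = [f"({s.username_attr}={escape_filter_value(username)})"]
    extra = s.user_object_filter.strip()
    if extra:
        if not (extra.startswith("(") and extra.endswith(")")):  # RFC 4515 form
            raise ValueError("User Object Filter must be a parenthesised LDAP filter")
        clauses.append(extra)
    return clauses[0] if len(clauses) == 1 else "(&" + "".join(clauses) + ")"

def in_scope(entry_dn: str, base_dn: str, scope: str) -> bool:
    """One level: only direct children of Users DN; Subtree: any descendant.
    (Plain case-insensitive string comparison of DNs, enough for the demo.)"""
    entry, base = entry_dn.lower(), base_dn.lower()
    if not entry.endswith("," + base):
        return False
    relative = entry[: -len(base) - 1]          # RDNs below the base
    return scope == "SUBTREE" or "," not in relative

# Constructed sample directory: DN -> attributes (Active Directory style names).
DIRECTORY = {
    "cn=alice,ou=people,dc=example,dc=com": {"sAMAccountName": "alice"},
    "cn=bob,ou=contractors,ou=people,dc=example,dc=com": {"sAMAccountName": "bob"},
}

def lookup_user(s: ServerSettings, username: str, directory=DIRECTORY):
    """Return (filter that would be sent, DNs matched locally). Only the
    username clause is evaluated here; the User Object Filter is just shown."""
    ldap_filter = build_user_filter(s, username)
    hits = [dn for dn, attrs in directory.items()
            if in_scope(dn, s.users_dn, s.search_scope)
            and attrs.get(s.username_attr) == username]
    return ldap_filter, hits
```

With Search Scope set to One level, bob (who sits one OU deeper) is not found, which is the usual reason a user "exists in LDAP but not in Checkmarx One".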

Connection

Note

In this section all the fields are mandatory.

This section is for configuring the connection details with the LDAP server.

The section includes the following fields:

  • Connection URL - Connection URL to the LDAP server.

    It is possible to test the connection before finalizing the configuration by pressing the Test connection option.

    A test connection to the LDAP server is then performed, and a notification presents the connection status.

  • User name - DN of the LDAP admin account that Checkmarx One (Keycloak) uses to access the LDAP server.

  • Password - Password of the LDAP admin. This field can obtain its value from the vault, using the ${vault.ID} format. For additional information regarding the vault, see Vault Format.

    It is possible to test the password authentication before finalizing the configuration by pressing the Test authentication option.

Kerberos Integration

Note

Mandatory fields are marked with a red asterisk.

This section is for configuring the connection details for a Kerberos server.

The section includes the following fields:

  • Allow Kerberos authentication

  • Kerberos Realm - Name of the Kerberos realm (security policy domain).

  • Server Principal - Full name of the server principal for the HTTP service, including server and domain name.

  • KeyTab - Location of the Kerberos keytab file containing the credentials of the server principal.

  • Debug - Enable/disable debug logging to standard output.

  • Use Kerberos For Password Authentication - Use the Kerberos login module to authenticate username/password against the Kerberos server, instead of authenticating against the LDAP server with the Directory Service API.

Synchronization

In this section the synchronization with the LDAP server is configured.

The section includes the following fields:

  • Periodic Full Sync

  • Full Sync Period - This field's value is in seconds. The default is 604800 seconds (7 days).

  • Periodic Changed Users Sync

  • Changed Users Sync Period - This field's value is in seconds. The default is 86400 seconds (24 hours).

Saving the LDAP Configuration

After all the above details are successfully configured, press

The following will happen:

  1. A connection status notification will be presented.

  2. Additional options will be added at the bottom of the configuration screen:

    • Synchronize changed users

    • Synchronize all users

    • Remove imported

    The new LDAP server will be added to the LDAP window.

LDAP Attribute Mapping

User attribute mapping is performed by default by Checkmarx One.

To see all the users' LDAP attributes in Checkmarx One, perform the following:

  1. Click on the created group.

  2. The group configuration window will open.

  3. In the group configuration window, click the Mappers tab.

  4. The following mappers are automatically configured in Checkmarx One.

  5. To see a mapper's attribute details, click on the attribute.

    For example: The first name mapper takes the first name value from the LDAP “cn”.

LDAP Groups Mapping

After a new Checkmarx One installation, the User Groups window will be empty (as mentioned on the Managing Groups page).

For Checkmarx One to present the groups from your organization, all the groups from the LDAP server need to be integrated with Checkmarx One.

This integration is performed by:

  • Creating a new Groups mapper in Checkmarx One.

  • Connecting the new groups mapper to the LDAP server.

Notice

The following steps show how to perform this.

Creating a new Groups Mapper in Checkmarx One

  1. Click on the created group.

    The group configuration window will open.

  2. In the group configuration window, click the Mappers tab.

  3. Click on

    The Add user federation mapper configuration window will open.

  4. The Add user federation mapper configuration window includes the following fields:

    • Name - Mapper name

    • Mapper Type - group-ldap-mapper

    • LDAP Groups DN - LDAP DN under which the groups of this tree are stored.

    • Group Name LDAP Attribute - Name of the LDAP attribute used in group objects for the name and RDN.

    • Group Object Classes - Class (or classes) of the group object. Separate multiple classes with commas.

    • Preserve Group Inheritance - Flag indicating whether group inheritance from LDAP should be propagated.

      Important

      If false, then all the LDAP groups will be mapped as flat top-level groups.

      Otherwise, group inheritance is preserved, but the group sync might fail if the LDAP structure contains recursions or multiple parent groups per child group.

    • Membership LDAP Attribute - Name of the LDAP attribute on the group that is used for membership mappings.

    • Membership Attribute Type - DN means that the LDAP group has its members declared in the form of their full DN.

      Values: DN, UID

    • Membership User LDAP Attribute - Used only if the Membership Attribute Type is UID. It is the LDAP attribute name of the user that is used for membership mappings.

    • LDAP Filter - Adds an additional custom filter to the entire query that retrieves LDAP groups. Leave this empty if no additional filtering is needed and you want to retrieve all the groups from the LDAP server. Otherwise, make sure that the filter starts with a ' sign and ends with a ' sign.

      For example: ‘<LDAP Filter>’

    • Mode

      Values:

      LDAP_ONLY: All user group mappings are retrieved from the LDAP server and saved into LDAP.

      READ_ONLY: Read-only LDAP mode where group mappings are retrieved from both the LDAP server and DB and merged. New group joins are not saved to the LDAP server, but to the DB.

      IMPORT: Read-only LDAP mode where group mappings are retrieved from the LDAP server just at the time when a user is imported from the LDAP server, and then they are saved to the local DB.

    • User Groups Retrieve Strategy - Specifies how to retrieve user groups.

      Values:

      LOAD_GROUPS_BY_MEMBER_ATTRIBUTE: User groups will be retrieved by sending an LDAP query that returns all groups where 'member' is the user.

      GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE: User groups will be retrieved from the 'memberOf' attribute of the user, or from the other attribute specified by 'Member-Of LDAP Attribute'.

    • Member-Of LDAP Attribute - Used only when 'User Groups Retrieve Strategy' is GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE. It specifies the name of the LDAP attribute of the LDAP user that contains the groups the user is a member of.

    • Groups Path - The group path that the LDAP groups are added to.

      For example, if the value '/Applications/App1' is used, the LDAP groups will be available under group 'App1', which is a child of top-level group 'Applications'.

  5. Click

  6. A notification will appear at the top of the screen.

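The group mapper fields in step 4 above, as an added Python example that is not Checkmarx One or Keycloak code: it resolves constructed group and user entries into Checkmarx One group paths according to Membership LDAP Attribute, Membership Attribute Type (DN or UID), Preserve Group Inheritance and Groups Path, and rejects the two structures the Important note warns about (a child group with several parents, and a recursive chain). The attribute names, entries and function names are assumptions made for the demo.

```python
# Constructed sample entries: DN -> attributes. Users DN is ou=people,...;
# LDAP Groups DN is ou=groups,...; Group Name LDAP Attribute is cn.
USERS = {"cn=alice,ou=people,dc=example,dc=com": {"uid": "alice"},
         "cn=bob,ou=people,dc=example,dc=com": {"uid": "bob"}}
GROUPS = {
    "cn=Engineering,ou=groups,dc=example,dc=com": {"cn": "Engineering", "member": [
        "cn=alice,ou=people,dc=example,dc=com", "cn=QA,ou=groups,dc=example,dc=com"]},
    "cn=QA,ou=groups,dc=example,dc=com": {"cn": "QA", "member": [
        "cn=bob,ou=people,dc=example,dc=com"]},
}

def members_of(entry, users, membership_attr="member", membership_type="DN",
               membership_user_attr="uid"):
    """Split one group's membership values into (usernames, nested group DNs).
    Type DN: a user DN names a member, any other DN is taken as a nested group.
    Type UID: each value is the user's Membership User LDAP Attribute."""
    usernames, nested = [], []
    for value in entry.get(membership_attr, []):
        if membership_type == "DN":
            if value in users:
                usernames.append(users[value][membership_user_attr])
            else:
                nested.append(value)
        else:
            usernames.append(value)          # UID: value already is the username
    return usernames, nested

def group_paths(groups, users, groups_path="/", preserve_inheritance=True, **kw):
    """Map group name -> path under Groups Path. With inheritance preserved, a
    child with several parents or a recursive structure raises ValueError."""
    parent = {}
    if preserve_inheritance:
        for dn, entry in groups.items():
            for child in members_of(entry, users, **kw)[1]:
                if child in parent:
                    raise ValueError(f"{child} has multiple parent groups")
                parent[child] = dn
    paths = {}
    for dn, entry in groups.items():
        chain, seen, cur = [], set(), dn
        while cur in groups:                 # walk up to the top-level group
            if cur in seen:
                raise ValueError(f"recursive group structure at {cur}")
            seen.add(cur)
            chain.append(groups[cur]["cn"])
            cur = parent.get(cur)
        paths[entry["cn"]] = groups_path.rstrip("/") + "/" + "/".join(reversed(chain))
    return paths
```

With Preserve Group Inheritance off, every LDAP group lands directly under the Groups Path as a flat top-level group, as the note describes.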

Syncing LDAP Groups & Users to Checkmarx One

Click Sync LDAP Groups To Keycloak.

All the LDAP groups including their users will be synced to Checkmarx One.

  • Example of LDAP groups added to Checkmarx One

  • Examples of LDAP users inside each group

  • Example of the QA group user's view