Skip to main content
McAfee MVISION Cloud

Configure a Domain Using a Directory Server

NOTE: This setup is applicable for the older Cloud Connector versions prior to 4.2. Newer versions of the Cloud Connector must have the AD integration performed from the MVISION Cloud Connector Console.

Before you map information from your Directory Server to your log data, you must allow the MVISION Cloud Connector to connect to your Directory Server. After configuring Custom Attributes, you can map User Attributes to Custom Attributes.

To configure a Domain using a Directory Server:

  1. Open a web browser and enter the IP Address you set during installation into the address bar.
  2. Sign in using an email address and password with Cloud Connector privileges.
  3. Go to Enterprise Integration > Active Directory Integration.
  4. Click Add a Domain.

Setup Custom Attributes_Add Domain.png

  1. For User Data Source, select Directory Server.

  1. To connect to your Directory Server, enter the following information:
    1. Name: The unique name for your integration. This is a user-defined name that will help you identify this integration and it must be unique.
    2. IP or Host: The IP Address or Host Name for your Directory Server.
    3. Port: The port where the active directory is listening.
    4. Username: The user name you would like Cloud Connector to use for authentication with your Directory Server.
    5. Password: The authentication password for your specified user name.
    6. Base DN: (Optional) A field that you can use to search your Directory Server for specific data.
    7. Filter: (Optional) A field used to limit search results. This is a predefined filter that will be applied to AD Data.
    8. Attributes: A field used to identify the attributes you would like to retrieve from the directory server. This is a predefined filter that will be applied to AD data. Review the default Attributes list to make sure all required Attributes are included. If an Attribute you need it missing, add it to the list. For more information, see LDAP Configuration
  2. Click Test LDAP Connection.
  3. Click Save.

IMPORTANT: The Save button will produce an error until at least one Shadow or Sanctioned setup is configured. Click x to dismiss it. 

LDAP Configuration

Cloud Connector 3.5 and later defaults to a list of commonly used attributes to prevent the issue from appearing as binary.

Do not configure the LDAP integration to query binary objects. Doing so may cause issues. Also, update the LDAP configuration so that it does not import other LDAP objects, such as computers and groups. This change will also decrease the leveldb store size, as MVISION Cloud only imports attributes that are needed, instead of all binary attributes. 

Configure the Attributes field as follows:

  • The Attributes field should contain only fields that are used, for example: dn,sAMAccountName,memberOf,name
  • Add an LDAP filter to query ony for objects that actually have the attribute set that is used, for example: (&(sAMAccountName=*)(memberOf=*)(name=*))

With these two settings, the LDAP connection is correctly configured and will not fail. 

The new activeDirectory.json file in the .config directory looks like the following example:

{
     "activeDirectorySetups": [{
               "name": "Domain",
               "activeDirectoryDataSource": {
                     "host": "cs.msds.kp.org",
                     "port": 389,
                     "userName": "SvcSkyhigh",
                     "password": "%C3%90%C2%BFy%C3%9A%C3%8CI%C2%9B%1E",
                     "activeDirectoryQuery": {
                          "base": "DC=cs,DC=msds,DC=kp,DC=org",
                          "filter": (&(sAMAccountName=*)(memberOf=*)(name=*)),
                          "attributes": dn,sAMAccountName,memberOf,name
                     },
                     "activeDirectorySslSettings": null
               },
               "csvDataSource": null,
               "shadowActiveDirectorySettings": {
                     "enableIpToUserMapping": false,
                     "customAttributes": {
                          "uniqueUserAdAttribute": "sAMAccountName",
                          "customAttributeMappings": [{
                                    "displayName": "Firewall Host Name",
                                    "customAttributeId": "custom3",
                                    "mappedTo": null
                               }, {
                                    "displayName": "Display Name",
                                    "customAttributeId": "custom4",
                                    "mappedTo": "name"
                               }, {
                                    "displayName": "Firewall Serial",
                                    "customAttributeId": "custom1",
                                    "mappedTo": null
                               }, {
                                    "displayName": "usageType", 
                                    "customAttributeId": "custom2",
                                    "mappedTo": null
                               }, {
                                    "displayName": "Member of",
                                    "customAttributeId": "custom5",
                                    "mappedTo": "memberOf" 
                               }
                          ]
                     }
               },
               "sanctionedActiveDirectorySettings": null
          }
     ]
}

Virtual Attributes 

The goal of Virtual Attributes is to provide additional formatted attributes that can be used in policies instead of using the AD attribute directly. Virtual Attributes are formatted to prevent the MVISION Cloud dashboard from presenting too many values.

The following Virtual Attributes are available.

distinguishedName Attribute

Based on the value of the distinguishedName attribute of a user account, MVISION Cloud creates additional virtual attributes to allow access to the organizational unit (OU), or other information about the location of the user object in the directory tree.

The following examples are based on the object's distinguishedName CN=User,CN=US,DC=shntest,DC=corp

Name Description Example
virtual_DN The distinguishedName of the current object in regular format. CN=User,CN=US,DC=shntest,DC=corp
virtual_dnHierarchy The distinguishedName of the parent object in regular format. CN=US,DC=shntest,DC=corp
virtual_dnHierarchy_ws The distinguishedName of the parent object with a comma replaced by a space. CN=US DC=shntest DC=corp
virtual_dnHierarchy_short The Common Name (cn) of the parent object. US

memberOf Attribute

If you add the Active Directory attribute memberOf, MVISION Cloud creates additional virtual attributes to reformat the values to be more readable, and to allow better filtering on user group memberships.

Name Description Example
memberOf The distinguishedName attribute of each user group, in regular format. CN=Group1,DC=shntest,DC=corp
CN=Group2,DC=shntest,DC=corp
virtual_memberOf_ws The distinguishedName attribute of each user group, with commas replaced by spaces. CN=Group1 DC=shntest DC=corp
CN=Group2 DC=shntest DC=corp
virtual_memberOf_short The list of Common Names (cn) of each user group. Group1
Group2

manager Attribute 

If you add the Active Directory attribute manager, MVISION Cloud creates additional virtual attributes to reformat the values to be more readable. 

Name Description Example
manager The distinguishedName of the value of the manager attribute. CN=Joe Bloggs,CN=EMEA,DC=shntest,DC=corp
virtual_manager_ws The distinguishedName of the value of the manager attribute, with commas replaced by spaces. CN=Joe Bloggs CN=EMEA DC=shntest DC=corp
virtual_manager_short The Common Names (cn) of the value of the manager attribute. Joe Bloggs

userAccountControl Attribute

If you add the Active Directory attribute userAccountControl, then LP will create two virtual attributes based on the flag and status of the user account, in addition to the userAccountControl attribute.

For details, see https://msdn.microsoft.com/en-us/library/ms680832(v=vs.85).aspx.

Name Value Flag Description
virtual_UAC_AccountDisabled True / False ADS_UF_ACCOUNTDISABLE Set to True if the user account is disabled.
virtual_UAC_NormalAccount True / False ADS_UF_NORMAL_ACCOUNT Set to True if this is a default account type that represents a typical user.
  • Was this article helpful?