Microsoft Active Directory

Professional Enterprise

runZero integrates with Microsoft Active Directory (AD) via LDAP to allow you to sync and enrich your asset inventory, as well as gain visibility into domain users and groups. Adding your AD data to runZero makes it easier to find assets that are not part of your domain.

How runZero maps domain hosts to assets:

  • For domain hosts that can be matched to an existing runZero asset, asset-level attributes will be updated, and LDAP-specific attributes will be added.
  • For hosts that cannot be matched with an existing runZero asset, a new asset will be created in the site specified when the integration task is set up.

runZero is able to merge existing assets with LDAP data when the hostname overlaps. AD devices can also be manually merged into runZero assets using the Merge button on the Asset Inventory page.

Getting started

To set up the Active Directory integration, you’ll need to:

  1. Add the AD credential in runZero.
  2. Activate the AD connection to sync your data with runZero.

Requirements

Before you can set up the LDAP integration:

  • Verify that you have runZero Professional or Enterprise.
    • runZero Professional and Enterprise users will be able to view and query LDAP assets.
    • runZero Enterprise users will also be able to view and query LDAP users and groups.
  • Make sure you have credentials for an LDAP account.

Step 1: Add the LDAP credential to runZero

  1. Go to the Add credential page in runZero. Provide a name for the credentials, like LDAP.
  2. Choose LDAP Username & Password from the list of credential types.
  3. Provide the following information:
    • LDAP username - The username you want to use with the LDAP integration. The account used for this integration does not require any special permissions. The following username formats are accepted:
      • Distinguished Name (DN): CN=[username],CN=Users,DC=[domain],DC=[tld]
      • User Principle Name (UPN): [username]@[domain].[tld]
      • Domain\Username: [domain]\[username]
    • LDAP password - The password for the username to be used with the LDAP integration.
    • LDAP base DN - The base distinguished name for LDAP searches. This field requires distinguished name format: DC=[domain],DC=[tld]
    • LDAP URL - The URL for your LDAP server. This field supports IP[:port] notation as well as hostname.domain.tld[:port]. This field requires that the URL entered begins with ldap:// (for insecure LDAP connections) or ldaps:// (for secure LDAP connections).
    • LDAP insecure - Set this to Yes if you want to attempt authentication without a verified thumbprint. By default, runZero will attempt to connect with LDAPS but will fall back to LDAP+StartTLS then LDAP. LDAP without StartTLS will only work if this toggle is set to Yes.
    • LDAP thumbprints (optional) - A set of IP=SHA256:B64HASH pairs to trust for authentication. You will need to scan your LDAP server with runZero in order to obtain the TLS thumbprint. The TLS fingerprints service attribute report lists all previously seen fingerprints. The TLS thumbprints used for self-signed certificates will only work with LDAPS. If you want to use LDAP+StartTLS with a self-signed certificate, you will need to set the Insecure option to Yes.
  4. If you want other organizations to be able to use this credential, select the Make this a global credential option. Otherwise, you can configure access on a per-organization basis.
  5. Save the credential. You’re now ready to set up and activate the connection to bring in data from LDAP.

Step 3: Set up and activate the LDAP connection to sync data

After you add your LDAP credential, you’ll need to set up a connection to sync your data from LDAP. A connection requires you to set a schedule and choose a site. The schedule determines when the sync occurs, and the site determines where any new LDAP-only assets are created.

  1. Activate a connection to Active Directory. You can access all available third-party connections from your inventory or tasks page.
  2. Choose the credentials you added earlier. If you don’t see the credentials listed, make sure the credentials have access to the organization you are currently in.
  3. Enter a name for the task, like LDAP sync.
  4. Schedule the sync. A sync can be set to run on a recurring schedule or run once. The schedule will start on the date and time you have set.
  5. Under Task configuration, choose the site you want to add your assets to.
  6. Activate the connection when you are done. The sync will run on the defined schedule. You can always check the Scheduled tasks to see when the next sync will occur.

Step 4: View LDAP assets

After a successful sync, you can go to your inventory to view your LDAP assets. These assets will have an Active Directory icon listed in the Source column.

To filter by LDAP assets, consider running the following queries:

Click into each asset to see its individual attributes. runZero will show you the attributes returned by LDAP.

Enterprise

For Enterprise users, the LDAP integration provides details about users and groups in addition to enriching asset inventory data. Go to Inventory > Users or Inventory > Groups to view the data provided by LDAP.