Product Pulse #6: Aserto supports Active Directory and LDAP

Feb 7th, 2024


Omri Gazitt

Feature Review

Using identity information from LDAP in Aserto

The Lightweight Directory Access Protocol (LDAP) has been around since the 1990s, and was once the gold standard for how applications and system software accessed user and group directories.

The most widely adopted LDAP implementation is Microsoft’s Active Directory. It was first released as part of Windows 2000 Server edition, and is still supported in Windows Server 2022. Many enterprises continue to use Active Directory as the core directory service that powers their workforce.

We’re excited to announce that as of January 2024, Aserto and Topaz now fully support LDAP as a source of users and groups! We’ve tested our LDAP integration with the two most popular implementations - Active Directory and OpenLDAP.

Importing LDAP data via the Aserto Console

To import users and groups from an LDAP source, refer to the console documentation. You’ll need to provide a few parameters:

  • LDAP host address and port. The server must be reachable from the internet, since the Aserto hosted service connects to it; if your LDAP server isn’t internet-accessible, use the ds-load plug-in instead.
  • LDAP user and password. This is the bind account used to read the directory data, so it needs sufficient privileges for that. Give the user as a distinguished name such as CN=admin,CN=Users,DC=example,DC=com.
  • LDAP base distinguished name (DN), e.g. DC=example,DC=com.
  • The filter expressions for Users and Groups, respectively. For example, for Active Directory, the User filter is (&(objectClass=organizationalPerson)) and the Group filter is (&(objectClass=group)).
  • The LDAP attribute to use as the identity of the imported objects, for example objectGUID.

Navigate to Connections and click “Add a connection”. Choose “Identity Providers” from the Type filter, and select the “Lightweight Directory Access Protocol (LDAP)” provider. Enter a name (e.g. “ldap”), and the rest of the configuration information you gathered above:

[Screenshot: Aserto LDAP integration]

When you click “Add connection”, Aserto will automatically sync users and groups from LDAP into the Aserto Directory. Click the Directory tab to see them!

Importing data using ds-load

You can use the ds-load ETL pipeline in the following scenarios:

  • you want more control over how LDAP data is transformed into Aserto users and groups
  • you want to run your own pipeline inside your environment
  • your LDAP server isn’t directly accessible from the outside world

To install the ds-load CLI, refer to the ds-load documentation. The CLI is available for Linux, Windows, and macOS.

To import users and groups from LDAP, create a configuration file which has the following values:

ldap:
  base-dn: "dc=aserto,dc=com"
  user: "CN=aserto,CN=Users,DC=aserto,DC=com"
  password: "<ldap-user-password>"
  host: "ldap://localhost:1389"
  user-filter: "(&(objectClass=organizationalPerson))"
  group-filter: "(&(objectClass=group))"
  id-field: "objectGUID"
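To make the parameters above concrete (the base DN, the user and group filters, and the id-field, as listed for the console and again in this config file), here is an added example of what the import does with them. It is not ds-load's or Aserto's code: it is a small, offline model written for this post that evaluates RFC 4515-style search filters (and/or/not, attr=value comparisons, `*` wildcards; no escape sequences or extensible matches) against constructed Active-Directory-like entries, turns the matches into user and group records keyed by the configured id-field, and resolves group `member` DNs to those ids. The entries, the GUID values, the record shapes (`transform`) and the `check_config` warnings are all assumptions made for the example; real objectGUID values are 16-byte binary, shown here as strings.

```python
"""Added example, not ds-load's own code: an offline model of the LDAP -> users/groups
transform. A small RFC 4515 filter evaluator (&, |, !, attr=value, '*' wildcards; no
escapes or extensible matches) is run over constructed entries, and matches become
records keyed by the configured id-field, with group membership resolved to those ids."""
import re

# Constructed config mirroring the post's `ldap:` section (password omitted).
CONFIG = {
    "base-dn": "dc=aserto,dc=com",
    "host": "ldap://localhost:1389",
    "user-filter": "(&(objectClass=organizationalPerson))",
    "group-filter": "(&(objectClass=group))",
    "id-field": "objectGUID",
}

USER = ["top", "person", "organizationalPerson", "user"]
G = "00000000-0000-4000-8000-0000000000"  # prefix for made-up objectGUIDs

# Constructed Active-Directory-like entries: dn plus attribute name -> list of values.
ENTRIES = [
    {"dn": "CN=Rick Sanchez,CN=Users,DC=aserto,DC=com", "attrs": {
        "objectClass": USER, "cn": ["Rick Sanchez"], "mail": ["rick@aserto.com"], "objectGUID": [G + "01"]}},
    {"dn": "CN=Morty Smith,CN=Users,DC=aserto,DC=com", "attrs": {  # no mail attribute
        "objectClass": USER, "cn": ["Morty Smith"], "objectGUID": [G + "02"]}},
    {"dn": "CN=admins,CN=Users,DC=aserto,DC=com", "attrs": {
        "objectClass": ["top", "group"], "cn": ["admins"], "objectGUID": [G + "10"],
        "member": ["CN=Rick Sanchez,CN=Users,DC=aserto,DC=com", "CN=Ghost,CN=Users,DC=aserto,DC=com"]}},
    {"dn": "CN=Users,DC=aserto,DC=com", "attrs": {  # container: matches neither filter
        "objectClass": ["top", "container"], "cn": ["Users"], "objectGUID": [G + "ff"]}},
    {"dn": "CN=Summer Smith,DC=other,DC=com", "attrs": {  # outside base-dn: skipped
        "objectClass": USER, "cn": ["Summer Smith"], "objectGUID": [G + "03"]}},
]


def parse_filter(text):
    """Parse a filter into a tree: ('&'|'|'|'!', [children]) or ('=', attr, value)."""
    pos = 0

    def node():
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if pos < len(text) and text[pos] in "&|!":
            op = text[pos]
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(node())
            if pos >= len(text) or text[pos] != ")":
                raise ValueError(f"expected ')' at offset {pos}")
            pos += 1
            if op == "!" and len(children) != 1:
                raise ValueError("'!' takes exactly one operand")
            return (op, children)
        end = text.find(")", pos)
        attr, eq, value = text[pos:end].partition("=")
        if end < 0 or not attr or not eq:
            raise ValueError(f"malformed comparison at offset {pos}")
        pos = end + 1
        return ("=", attr, value)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def values_of(attrs, name):
    """LDAP attribute names are case-insensitive, so match them that way."""
    return [v for k, vs in attrs.items() if k.lower() == name.lower() for v in vs]


def first(attrs, name):
    vals = values_of(attrs, name)
    return vals[0] if vals else None


def matches(tree, attrs):
    """Evaluate a parsed filter against one entry's attributes."""
    op = tree[0]
    if op == "&":
        return all(matches(c, attrs) for c in tree[1])  # (&) is absolute true, as in LDAP
    if op == "|":
        return any(matches(c, attrs) for c in tree[1])
    if op == "!":
        return not matches(tree[1][0], attrs)
    _, attr, value = tree
    values = values_of(attrs, attr)
    if value == "*":  # presence test
        return bool(values)
    pattern = ".*".join(re.escape(part) for part in value.split("*"))  # '*' is the only wildcard
    return any(re.fullmatch(pattern, v, re.IGNORECASE) for v in values)


def in_base(dn, base_dn):
    dn, base_dn = dn.lower(), base_dn.lower()
    return dn == base_dn or dn.endswith("," + base_dn)


def transform(config, entries):
    """Return (users, groups) keyed by the id-field value; assumed record shapes."""
    user_filter, group_filter = parse_filter(config["user-filter"]), parse_filter(config["group-filter"])
    users, groups, id_by_dn = {}, {}, {}
    for e in entries:
        if not in_base(e["dn"], config["base-dn"]):
            continue
        ident = first(e["attrs"], config["id-field"])
        if ident is None:
            continue  # no stable identity: do not import
        id_by_dn[e["dn"].lower()] = ident
        if matches(user_filter, e["attrs"]):
            users[ident] = {"id": ident, "display_name": first(e["attrs"], "cn"), "email": first(e["attrs"], "mail")}
        elif matches(group_filter, e["attrs"]):
            groups[ident] = {"id": ident, "name": first(e["attrs"], "cn"), "member_dns": values_of(e["attrs"], "member")}
    for g in groups.values():  # keep only members that were imported as users; dangling DNs are dropped
        g["members"] = [id_by_dn[m.lower()] for m in g.pop("member_dns") if id_by_dn.get(m.lower()) in users]
    return users, groups


def check_config(config):
    """Warnings worth reviewing before pointing the load at a real directory (assumed checks)."""
    warnings = []
    if config["host"].startswith("ldap://"):
        warnings.append("host uses plain ldap://: the bind password and directory data travel in "
                        "cleartext unless StartTLS is negotiated; prefer ldaps://")
    if config["id-field"].lower() not in ("objectguid", "entryuuid"):
        warnings.append(f"id-field {config['id-field']!r} may change on rename; objectGUID (AD) "
                        "or entryUUID (OpenLDAP) are stable")
    return warnings


if __name__ == "__main__":
    print(check_config(CONFIG))
    print(transform(CONFIG, ENTRIES))
```

Two things the run shows that the parameter list alone does not: the container `CN=Users` and the user under `DC=other,DC=com` are never imported (the filters and base DN decide that, not the bind account), and the `admins` group ends up with one member, because the dangling `CN=Ghost` reference has no imported user behind it. The `check_config` call flags the `ldap://` scheme from the sample config: an import pipeline binds with a real password, so the transport it uses deserves the same review as the account it uses.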

You can use ds-load ldap to load data from your LDAP server into Topaz, or if you want to point ds-load to your hosted Aserto Directory, add the following configuration elements to your config file:

host: "directory.prod.aserto.com:8443"
api-key: "<your-directory-read-write-api-key>"
tenant-id: "<your-tenant-id>"

For more information on how to use ds-load, and how to fine-tune your transformations from LDAP objects into Aserto users and groups, refer to the ds-load LDAP documentation, or join our community Slack.

Happy hacking!


Omri Gazitt

CEO, Aserto