Active Directory LDAP

The Active Directory LDAP plugin for InsightConnect generally supports:

  • User account creation, password reset, enablement and disablement
  • Object modification and deletion
  • LDAP queries

Complete list of Active Directory LDAP Plugin Actions

To see all available actions with the Active Directory LDAP plugin, see the Documentation tab of the Extension Library.

Active Directory LDAP Connection Configuration

The Active Directory LDAP plugin requires:

  • A domain username and password
  • The fully qualified hostname or IP address of an Active Directory Domain Controller
  • The port (389 or 636) for LDAP or LDAPS (default is LDAP/port 389)

User Account Privileges and Logging

Remember that your InsightConnect connection to Active Directory LDAP inherits all privileges of the domain user account configured in the connection, so follow the least-privilege model and grant that account only the rights your workflows need. All actions taken by this account are logged according to your Active Directory logging configuration.

There are several ways to create a new Active Directory LDAP connection:

  • From InsightConnect's home page, navigate to Settings > Plugins & Tools > Connections, click Add Connection, and select the Rapid7 InsightVM Cloud plugin from the Plugins list
  • From the workflow builder, add an action step, select the plugin, select an action, and click Add a New Connection in the Choose a Connection step
  • From the workflow import wizard, click Add a New Connection in the Configure Details step for the plugin

Once you've reached the connection configuration screen:

  1. Name the connection (e.g., AD <username>)
  2. Choose an Orchestrator that can communicate with your AD domain controller
  3. Create a new credential, name the credential, and enter your domain user or service account username and password (alternatively, select an existing credential)
  4. Enter the fully qualified hostname or IP address for your AD domain controller (if you have multiple domain controllers, any one that your Orchestrator can communicate with will do)
  5. The default port is 389 for AD LDAP connections. If you have enabled LDAPS on your domain controller, change the port to 636 (if you're unsure, try 389 first and be sure to check your connection test after saving!)
  6. Set SSL to false for LDAP connections over port 389, and to true for LDAPS connections over port 636; the port and SSL settings must agree with each other.
  7. In most cases, Chase Referrals should be set to true to ensure LDAP requests are completed. An LDAP Referral provides a reference to an alternate location in which an LDAP Request may be processed. In a partitioned directory, by definition, the entire directory is not always available on any one Directory Service Agent. Setting this value to true ensures your request will be routed to an Active Directory server that can process it.
  8. Click Save and check your connection to confirm it succeeds

Troubleshooting

Issues with Active Directory LDAP connections are typically related to either networking issues, where your Orchestrator cannot communicate with the domain controller, or credential issues, where the provided username and password fail to authenticate to the specified domain controller. Some common error messages and associated troubleshooting recommendations are below.

Invalid Server Address

You might receive the error message below when your Orchestrator cannot communicate with the specified host. Confirm that the hostname or IP address in the connection configuration is correct. If the issue persists, your Orchestrator most likely cannot reach the specified domain controller because of a networking issue (firewall, routing, or DNS); consult your network administrator for help.

The service this plugin is designed for is currently unavailable. Try again later. If the issue persists, please contact support. Response was: invalid server address

Connection Reset by Peer

You might receive the error message below when the port and SSL settings in your connection are misaligned. Use port 389 (LDAP) with SSL set to false, and port 636 (LDAPS) with SSL set to true.

The service this plugin is designed for is currently unavailable. Try again later. If the issue persists, please contact support. Response was: socket ssl wrapping error: [Errno 104] Connection reset by peer

Invalid Credentials

You might receive the error message below when your Orchestrator cannot authenticate to the domain controller with the provided username and password. Edit the credential, update the username and/or password, then retry your connection test.

Invalid username or password provided. Verify your username and password are correct. Response was: automatic bind not successful - invalidCredentials
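The following is an added example, not part of the plugin or of this documentation, that ties the connection settings above (port, SSL, Chase Referrals) to the three error messages in this Troubleshooting section. It checks a connection configuration for the port/SSL mismatch before any network call, maps the plugin's "Response was:" text to its likely cause, and optionally performs a live bind. It assumes the ldap3 Python package is installed for the live check (the quoted error strings match ldap3's wording, which is an assumption here); the hostname and credentials in the usage are constructed placeholders.

```python
from dataclasses import dataclass

LDAP_PORT, LDAPS_PORT = 389, 636


@dataclass
class AdLdapConnection:
    """Mirrors the fields on the InsightConnect connection screen."""
    host: str                   # FQDN or IP of a domain controller
    port: int = LDAP_PORT
    use_ssl: bool = False
    chase_referrals: bool = True


def config_problems(cfg: AdLdapConnection) -> list:
    """Return misconfigurations that lead to the errors in the Troubleshooting section."""
    problems = []
    if cfg.port == LDAP_PORT and cfg.use_ssl:
        problems.append("SSL is true on port 389: set SSL to false, or use port 636")
    if cfg.port == LDAPS_PORT and not cfg.use_ssl:
        problems.append("SSL is false on port 636: set SSL to true, or use port 389")
    if cfg.port not in (LDAP_PORT, LDAPS_PORT):
        problems.append(f"port {cfg.port} is neither LDAP (389) nor LDAPS (636)")
    if not cfg.chase_referrals:
        problems.append("Chase Referrals is false: requests for another partition may fail")
    return problems


# Substrings of the plugin's "Response was:" text, mapped to the likely cause.
ERROR_CAUSES = (
    ("invalid server address", "network: Orchestrator cannot reach the host"),
    ("Connection reset by peer", "port/SSL mismatch: 389 needs SSL=false, 636 needs SSL=true"),
    ("invalidCredentials", "credentials: fix the username and/or password"),
)


def classify_error(response: str) -> str:
    for needle, cause in ERROR_CAUSES:
        if needle in response:
            return cause
    return "unknown: check the Orchestrator logs"


def live_bind_check(cfg: AdLdapConnection, username: str, password: str) -> tuple:
    """Live bind test; returns (ok, detail). Assumes the ldap3 package is installed."""
    from ldap3 import ALL, Connection, Server
    from ldap3.core.exceptions import LDAPException
    server = Server(cfg.host, port=cfg.port, use_ssl=cfg.use_ssl, get_info=ALL)
    try:
        conn = Connection(server, user=username, password=password,
                          auto_referrals=cfg.chase_referrals, auto_bind=True)
    except LDAPException as exc:
        return False, classify_error(str(exc))
    who = conn.extend.standard.who_am_i()
    conn.unbind()
    return True, f"bound as {who}"
```

Run config_problems() on the settings you intend to save; an empty list means port and SSL agree, after which live_bind_check(AdLdapConnection("dc01.example.internal", 636, True), "svc-insightconnect@example.internal", "<password>") reports the same cause the plugin's connection test would show.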