
Skyhigh Security

Configure Custom Attributes Using LDAP

Limited Availability: To access User Unification, contact Skyhigh Support.


Before configuring custom attributes using LDAP, make sure the prerequisites are met. 

Lightweight Directory Access Protocol (LDAP)

LDAP is a protocol for accessing and managing directory services over a network, and it is one of the data sources from which custom attributes can be configured. The Cloud Connector extracts and collects directory data from the LDAP server to support threat investigation and analysis of user activity across your organization. In the Cloud Connector, a user who has several identities can be mapped to any primary key, such as an Email ID or Employee ID. Skyhigh recommends using a Global Unique Identifier (GUID) as the primary key to which a user’s attributes and identifiers are mapped. Skyhigh CASB ingests the LDAP data using the specified primary key, which lets it track a user across their distinct identities.

Configure Custom Attributes using LDAP

To configure Custom Attributes using LDAP, perform the following steps:

  1. Go to Settings > Integrations > Directory Service.

    [Screenshot: Navigate_DirectoryService.png]

  2. Turn on the Directory Service toggle button.
  3. Click Add Source to add a data source.

    [Screenshot: Click_Addsource.png]

    The screen below appears only if you have already configured a Cloud Connector. To add another Cloud Connector, click Add Source.

    [Screenshot: Add_Source_Multi CC.png]

  4. On the Data Source page, select LDAP.
  5. From the menu, select a Cloud Connector. The menu lists only Cloud Connectors running version 6.9.2 or later.

    [Screenshot: DataSource_Select LDAP.png]

  6. If the selected connector is inactive, an Inactive Connector dialog appears. Activate your Cloud Connector, and then click Ok.

    [Screenshot: Inactive Connector dialog]

  7. Fill in the details related to your LDAP server, and then click Next:

    [Screenshot: DataSource_Select Next.png]
    Field | Description
    ----- | -----------
    Name | Enter the custom attribute configuration name.
    IP or Host | Enter the LDAP IP address or hostname.
    Port | Enter the LDAP port number.
    UserName | Enter the LDAP username.
    Password | Enter the LDAP password.
    Base DN | Enter the LDAP path/folder.
    Filter | Enter the LDAP filter regex.
    Enable LDAP SSL Settings | Select Yes to enable secure LDAP, or No to disable it. When enabled, also enter the Trust Store Path (the SSL settings path) and the Trust Store Password (the SSL settings password).
  8. On the Evaluate Attributes page, review the default attributes list to make sure all the required attributes are available.

    If an attribute is missing, add it to the Default Attributes to be Synced field, and then click Update. If attribute values are not as expected, delete the entries from the Default Attributes to be Synced field, and then click Update.

    [Screenshot: 8th - LDAP.png]

  9. Click the column header to set up the virtual attribute value, and then enter:
  • Regex Match key.
  • Regex Replace key.
  • Check to extract the common name before applying the regular expression matches. If this checkbox is enabled, the common name is extracted from the value before the regular expression match is performed. If the input string is not a canonical name, the value is not modified.

    [Screenshot: Regex_Dialog.png]

  10. Click Save.
  11. Click Next.
  12. On the Custom Attributes page, fill in the required fields, and then click Check:

    If you have already configured a Cloud Connector and are adding another one, the identifiers and custom attributes are auto-populated from the previous configuration.

    [Screenshot: 10th - LDAP.png]

    Field | Description
    ----- | -----------
    Select Primary Key | Select any primary key, such as user Email ID, Employee ID, etc. Skyhigh recommends using a Global Unique Identifier (GUID) to map a user’s attributes and identifiers to the primary key.
    Define Identifiers | Select the identifiers for Shadow or Sanctioned services from the menu. Click Add more to configure additional identifiers. You can configure a maximum of four identifiers.
    User Default Display Name | Sets the display name that appears on the Users page.
    Configure User Details | Select additional attributes, and enter Custom Display Names. Click Add more to configure additional attributes. Click Select Product to select Shadow or Sanctioned services. NOTE: For Shadow services, you can add a maximum of 5 attributes, and for Sanctioned services, you can add a maximum of 25 attributes.
    Upload Frequency | Select the upload frequency in hours from the menu. The default value is 24 hours.

  13. Review the configurations, and then click Sync.

    [Screenshot: Review_ClickSync.png]
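The common-name extraction and Regex Match / Regex Replace behaviour described for the Evaluate Attributes page, as an added Python example that is not part of the Skyhigh documentation or product. It assumes the source values are LDAP distinguished names (or AD-style canonical names), that the match is searched anywhere in the value, and that an unmatched entry yields no value; the objectGUID field and the sample entries are constructed.

```python
import re
# Added example, not Skyhigh code: models the Evaluate Attributes virtual
# attribute step (optional CN extraction, then Regex Match / Regex Replace).
# Assumed semantics: "match" is re.search; an entry with no match yields None.
DN_START = re.compile(r"^\s*([A-Za-z][\w-]*|\d+(\.\d+)*)\s*=")  # "attr=" prefix
def split_rdns(dn):
    """Split a DN on unescaped commas, keeping RFC 4514 escapes such as '\\,'."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):      # escaped char: keep both
            cur.append(dn[i:i + 2]); i += 2; continue
        if dn[i] == ",":
            parts.append("".join(cur).strip()); cur = []
        else:
            cur.append(dn[i])
        i += 1
    parts.append("".join(cur).strip())
    return parts

def extract_cn(value):
    """CN of a DN such as 'CN=Jane Doe,OU=Users,DC=example,DC=com'."""
    if not DN_START.match(value):
        # Assumed: an AD canonical name ("example.com/Users/Jane Doe") carries
        # the CN as its last path component; any other value is not modified.
        return value.rsplit("/", 1)[1] if "/" in value else value
    for rdn in split_rdns(value):
        attr, _, val = rdn.partition("=")
        if attr.strip().lower() == "cn":
            return re.sub(r"\\(.)", r"\1", val.strip())  # undo single-char escapes
    return value  # DN without a CN: not modified

def virtual_attribute(value, match, replace, extract_common_name=False):
    """Derive the virtual value; None when the Regex Match does not hit."""
    src = extract_cn(value) if extract_common_name else value
    if re.search(match, src) is None:
        return None
    return re.sub(match, replace, src)

# Constructed sample entries (not real directory data); objectGUID stands in
# for the GUID primary key the page recommends.
SAMPLE_ENTRIES = [
    {"objectGUID": "guid-0001", "distinguishedName": "CN=Jane Doe,OU=Users,DC=example,DC=com"},
    {"objectGUID": "guid-0002", "distinguishedName": "CN=Smith\\, Bob,OU=Users,DC=example,DC=com"},
    {"objectGUID": "guid-0003", "distinguishedName": "svc-backup"},  # not a DN: left as is
]
def build_virtual_attribute(entries, source_attr, match, replace, extract_common_name):
    """Map each entry's primary key (objectGUID) to its derived virtual attribute."""
    return {e["objectGUID"]: virtual_attribute(e[source_attr], match, replace, extract_common_name)
            for e in entries}
```

Running build_virtual_attribute over SAMPLE_ENTRIES with match `^(\w+),?\s+(\w+)$` and replace `\1.\2` gives Jane.Doe and Smith.Bob, while the non-DN entry gets no value; with the checkbox off, the same pattern fails against the full DN, which is why the extraction option matters.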

You will be redirected to the Directory Service page. This page consists of the two tabs below and the Actions menu:

  • Directory Service Status. Lists the configured sources and the details associated with each source, such as the Last Sync time stamp and the number of Ingested Users.
  • Source Details. Shows the User Attributes and Sync Logs for the selected source.

To know details about the Directory Service Status and Source Details tabs, see User Ingestion Details on Directory Service.

  • Actions.
    • Sync. Upload LDAP users to Skyhigh CASB.
    • Edit. Edit the selected directory service configuration.
    • Delete. Delete the selected directory service configuration.

[Screenshot: 11th - LDAP.png]

After completing the configurations, the Cloud Connector starts ingesting the user attribute data.

NOTE: On the Custom Attributes page, when you change or remove the configured identifiers or custom attributes that are part of any User Group or Data Jurisdiction, an error message appears. Review the configuration before synchronizing the directory.
