Edit your AD/OpenLDAP integration

In this topic, you will learn how to edit your Portnox™ Cloud integration with local Active Directory or OpenLDAP. You will also learn about the meaning of additional options for this integration.

Before you begin, you must have a working integration with a local Active Directory or OpenLDAP instance. To edit that integration:

  1. In the Cloud portal top menu, click on the Settings option.

  2. In the Cloud portal left-hand menu, click on the AUTHENTICATION REPOSITORIES tile.

  3. In the right-hand side pane, find and click on the DIRECTORY INTEGRATION SERVICE heading.

    The browser displays the configurations of your local Active Directory and/or OpenLDAP integrations under the DIRECTORY INTEGRATION SERVICE heading and description.

  4. Click on the links on the right-hand side of the selected domain entry to perform the following actions:
    • Click on the Sync link to synchronize Portnox Cloud with the directory.

    • Click on the Edit link to edit the domain configuration.

    • Click on the Remove link to completely remove the domain configuration.

  5. If you clicked on the Edit link, change the settings as required.

    Most settings were entered when you created the local Active Directory or OpenLDAP directory integration. In this topic, we explain the additional options.

    • If you want to allow life cycle synchronization, click on the Allow life cycle synchronization checkbox to activate it.

      Life cycle synchronization means that Portnox Cloud will react to changes in the directory. For example, if this setting is on, and if you disable or delete an Active Directory or OpenLDAP user, all the devices associated with this user will be unregistered from Cloud. If this setting is off, you will have to unregister devices manually or wait until the retention period expires. By default, life cycle synchronization is on.

    • If you want to turn on mapping based on organizational units, click on the Use OU-based mapping checkbox to activate it.

      If this setting is on, whenever you select Active Directory or OpenLDAP groups in Portnox Cloud, you will also be offered a list of organizational units to select from. If you select both groups and organizational units, and a user belongs to both a selected group and a selected organizational unit, Portnox Cloud prioritizes the authorization details of the group over those of the organizational unit when onboarding that user.

    • (Active Directory only) If you want to authenticate devices using the NTLMv2 protocol only, click on the Support NTLMv2 (Experimental) checkbox to activate it.

      Important: If you want to use NTLMv2 only and block NTLMv1 for security reasons, make sure that the user account for the Portnox Active Directory Broker, which is used to connect to the domain controller, is a member of the Domain Admins security group, and has the following minimum permissions: DS-Replication-Get-Changes and DS-Replication-Get-Changes-All. Otherwise, the Directory Broker will be unable to verify the password hash, and all NTLMv2 authentication attempts will fail.

  6. Click on the Save button to save your changes or click on the Cancel button to abandon all changes.

    After you click on one of the buttons, Portnox Cloud will exit the edit mode.
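The prerequisite stated in the NTLMv2 note of step 5 (Domain Admins membership plus the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All rights) can be audited before you enable the checkbox. The following PowerShell script is an added example, not Portnox's own tooling; it assumes the RSAT ActiveDirectory module, that it is run by an account allowed to read the domain ACL, and that the broker account name is a placeholder you replace.

```powershell
# Added example, not Portnox's own code: audit the Directory Broker service account before
# enabling "Support NTLMv2 (Experimental)". Assumes the RSAT ActiveDirectory module is installed.
Import-Module ActiveDirectory

$BrokerAccount = 'svc-portnox-broker'   # placeholder: sAMAccountName of the broker service account

# Well-known extended-right GUIDs of the two replication permissions named in the note.
$RequiredRights = @{
    'DS-Replication-Get-Changes'     = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
    'DS-Replication-Get-Changes-All' = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
}

$domain = Get-ADDomain
$user   = Get-ADUser -Identity $BrokerAccount

# The account's own SID plus every group it belongs to, nested groups included
# (LDAP_MATCHING_RULE_IN_CHAIN), so rights granted through a group are counted.
$groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))"
$sids   = @($user.SID.Value) + @($groups | ForEach-Object { $_.SID.Value })

# Domain Admins is identified by its well-known RID 512, which is independent of display names.
$isDomainAdmin = [bool]($sids | Where-Object { $_ -eq "$($domain.DomainSID)-512" })
Write-Host ("Domain Admins member: " + $isDomainAdmin)

# Replication rights are granted on the domain naming context, so read that object's ACL.
$acl = Get-Acl -Path ("AD:\" + $domain.DistinguishedName)

function Get-AceSid([System.Security.Principal.IdentityReference]$ref) {
    # Orphaned or unresolvable trustees are skipped rather than aborting the audit.
    try { $ref.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { $null }
}

foreach ($name in $RequiredRights.Keys) {
    $aces = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($sids -contains (Get-AceSid $_.IdentityReference)) -and
        (
            # GenericAll, or an ExtendedRight ACE naming this right or all extended rights (empty GUID).
            $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -or
            ($_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
             ($_.ObjectType -eq $RequiredRights[$name] -or $_.ObjectType -eq [guid]::Empty))
        )
    }
    $status = if ($aces) { 'GRANTED' } else { 'MISSING' }
    $via    = ($aces.IdentityReference | Select-Object -Unique) -join ', '
    Write-Host ("{0,-32} {1}  via: {2}" -f $name, $status, $via)
}
```

A MISSING result for either right, or a false Domain Admins line, means the note's prerequisite is not met and NTLMv2-only authentication through the Directory Broker would fail.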