What is the Portnox LDAP Broker?

In this topic, you will learn what is the Portnox™ LDAP Broker software and how it works.

Note:
Portnox LDAP Broker was previously called Portnox Active Directory Broker (AD Broker).

Portnox LDAP Broker is a lightweight Windows service installed on a Windows server or virtual machine that can connect to the organization’s on-premises Active Directory or OpenLDAP directory. LDAP Broker is not necessary to use Portnox Cloud but it is necessary for the following purposes:

Installation requirements

LDAP Broker is only available for Microsoft Windows. If you need to use LDAP Broker functionality on other platforms, you need a virtual machine with Windows to install and run the broker. The virtual machine must be able to connect via LDAP to the domain controller.

The following are the minimum requirements for installing LDAP Broker on a Windows machine:

  • CPU: minimum: 1.4 GHz (x64 processor)
  • RAM: minimum: 8 GB, recommended: 16 GB
  • Free disk space: minimum: 1 GB
  • Connection to the internet on ports 443 and 8081
  • Connection to the corporate Active Directory or OpenLDAP
  • For AD integration: domain-joined (member of the Active Directory domain)
Warning:
The Portnox LDAP Broker should be treated as a Tier 0 asset; access should be restricted to Tier 0 admins using PAWs and governed by Tier 0 network and security policies due to its direct interaction with Active Directory and authentication processes.

Authentication

LDAP Broker authenticates with the on-premises Active Directory server using the Windows LsaLogonUser API, which simulates native Windows authentication routines. LDAP Broker does not natively support Kerberos authentication.

Two authentication modes are available:

  • Standard NTLM authentication (default): The broker negotiates NTLM authentication natively. The user account used to connect to the domain controller requires only standard read-only access to the directory. This is the recommended mode for most deployments.
  • NTLMv2-only authentication (optional): Forces the broker to use NTLMv2 and block NTLMv1, which increases authentication security. This may be required in environments where NTLMv1 is blocked for security reasons. You can enable this mode for each LDAP Broker deployment separately by going to Settings > Authentication Repositories > DIRECTORY INTEGRATION SERVICE > Directory domains > Edit > Support NTLMv2 (Experimental).
    Note:
    This mode requires additional Active Directory privileges for the user account: either membership in the Domain Admins security group, or a dedicated service account with the following permissions: DS-Replication-Get-Changes and DS-Replication-Get-Changes-All. Both options grant sensitive Active Directory privileges and should be reviewed with your AD security team before enabling.

Troubleshooting the installation

If you need help troubleshooting the installation of LDAP Broker, look for answers in the Troubleshooting section for LDAP Broker.

Multiple LDAP Broker instances

You can install any number of LDAP Broker instances on any number of machines. For domains with multiple brokers, Portnox Cloud load-balances authentication requests across all configured instances. Note that if a request is routed to a malfunctioning broker, the authentication attempt will fail.