Cisco Defense Orchestrator

Create and Edit a Firepower Threat Defense Active Directory Realm Object

About Active Directory Realm Objects

When you create or edit an identity source object such as an AD realm object, CDO sends the configuration request to the FTD devices through the SDC. The FTD then communicates with the configured AD realm. 

Note that CDO does not read the Directory Password for AD realms that are configured through the FDM console. If you use an AD realm object that was originally created in FDM, you must manually enter the Directory Password. 

Create an Active Directory Realm Object

Use the following procedure to create an object:

  1. From the CDO navigation bar, click Objects.
  2. Click Create Object > FTD > Identity Source.
  3. Enter a name for the object.
  4. In the first part of the wizard, select Active Directory Realm as the Identity Source Type. Click Continue.
  5. Configure the basic realm properties.
  • Directory Username, Directory Password - The distinguished username and password for a user with appropriate rights to the user information you want to retrieve. For Active Directory, the user does not need elevated privileges. You can specify any user in the domain. The username must be fully qualified; for example, Administrator@example.com (not simply Administrator).

Note: The system generates ldap-login-dn and ldap-login-password from this information. For example, Administrator@example.com is translated as cn=administrator,cn=users,dc=example,dc=com. Note that cn=users is always part of this translation, so you must configure the user you specify here under the common name “users” folder.

  • Base Distinguished Name - The directory tree for searching or querying user and group information, that is, the common parent for users and groups. For example, cn=users,dc=example,dc=com.
  • AD Primary Domain - The fully qualified Active Directory domain name that the device should join. For example, example.com.
  6. Configure the directory server properties.
  • Hostname/IP Address—The hostname or IP address of the directory server. If you use an encrypted connection to the server, you must enter the fully-qualified domain name, not the IP address.

  • Port—The port number used for communications with the server. The default is 389. Use port 636 if you select LDAPS as the encryption method.

  • Encryption—To use an encrypted connection for downloading user and group information, select the desired method, STARTTLS or LDAPS. The default is None, which means that user and group information is downloaded in clear text.

    • STARTTLS negotiates the encryption method, and uses the strongest method supported by the directory server. Use port 389. This option is not supported if you use the realm for remote access VPN.

    • LDAPS requires LDAP over SSL. Use port 636.

  • Trusted CA Certificate—If you select an encryption method, upload a Certificate Authority (CA) certificate to enable a trusted connection between the system and the directory server. If you are using a certificate to authenticate, the name of the server in the certificate must match the server Hostname/IP Address. For example, if you use 10.10.10.250 as the IP address but ad.example.com in the certificate, the connection fails.

  7. (Optional) Use the Test button to validate the configuration.
  8. (Optional) Click Add another configuration if there is an alternative hostname or encryption method.
  9. Click Add.
  10. Deploy Configuration Changes from Defense Orchestrator to FTD.
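The two rules above that most often cause a realm to fail (the username-to-DN translation that always inserts cn=users, and the requirement that an encrypted connection use a fully qualified domain name matching the certificate, on the port that matches the encryption method) can be checked before the object is pushed to the FTD. The following is an added example, not code from CDO or Cisco: it reproduces the documented translation and flags the mismatches described in this procedure. The function names, the default-port table and the sample certificate names are assumptions made for the example.

```python
import ipaddress

# Container that the documented translation always inserts between the
# user's cn and the domain components.
USERS_CONTAINER = "cn=users"

# Assumed mapping of encryption method to the port this procedure tells you to use.
DEFAULT_PORT = {"None": 389, "STARTTLS": 389, "LDAPS": 636}


def upn_to_login_dn(upn: str) -> str:
    """Mimic how the system derives ldap-login-dn from the Directory Username.

    Administrator@example.com -> cn=administrator,cn=users,dc=example,dc=com
    Raises ValueError when the username is not fully qualified (no '@domain').
    """
    if "@" not in upn:
        raise ValueError(
            "Directory Username must be fully qualified, e.g. Administrator@example.com"
        )
    user, domain = upn.rsplit("@", 1)
    if not user or not domain:
        raise ValueError(f"malformed Directory Username: {upn!r}")
    # Each DNS label of the domain becomes one dc= component, in order.
    dcs = ",".join(f"dc={label.lower()}" for label in domain.split("."))
    return f"cn={user.lower()},{USERS_CONTAINER},{dcs}"


def _is_ip_address(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_directory_server(hostname: str, port: int, encryption: str,
                           cert_names: tuple = ()) -> list:
    """Return a list of findings for one directory-server configuration.

    cert_names is an assumed, constructed list of the names present in the
    server certificate (subject CN and SANs) issued under the trusted CA.
    An empty list means the configuration matches the rules in this procedure.
    """
    findings = []
    if encryption not in DEFAULT_PORT:
        return [f"unknown encryption method {encryption!r}; expected None, STARTTLS or LDAPS"]
    expected = DEFAULT_PORT[encryption]
    if port != expected:
        findings.append(f"port {port} is not the documented port {expected} for {encryption}")
    if encryption == "None":
        findings.append("encryption None: user and group information is downloaded in clear text")
        return findings
    # Encrypted connections: the FQDN, not the IP address, must be configured ...
    if _is_ip_address(hostname):
        findings.append(
            f"{hostname} is an IP address; encrypted connections require the fully qualified domain name"
        )
    # ... and the configured name must match a name in the server certificate.
    if cert_names and hostname.lower() not in (n.lower() for n in cert_names):
        findings.append(
            f"server name {hostname} does not match any certificate name {list(cert_names)}"
        )
    return findings


if __name__ == "__main__":
    print(upn_to_login_dn("Administrator@example.com"))
    # Constructed sample: the mismatch from the text (IP configured, FQDN in the certificate).
    for finding in check_directory_server("10.10.10.250", 636, "LDAPS", ("ad.example.com",)):
        print("finding:", finding)
```

Run the script to see the DN the system will use and the findings for the IP-versus-certificate mismatch the text describes; a realm configured as ad.example.com on port 636 with LDAPS and a certificate issued for ad.example.com produces no findings.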

Edit an Active Directory Realm Object

Note that you cannot change the Identity Source Type when editing an Identity source object. You must create a new object with the correct type. 

  1. From the CDO navigation bar, click Objects.
  2. Locate the object you want to edit by using object filters and search field.
  3. Select the object you want to edit.
  4. Click the edit icon in the Actions pane of the details panel.
  5. Edit the values in the dialog box in the same fashion that you created them in the procedures above. Expand the configuration bar listed below to edit or test the hostname/IP address or encryption information. 
  6. Click Save.
  7. CDO displays the policies that will be affected by the change. Click Confirm to finalize the change to the object and any policy affected by it.
  8. Deploy Configuration Changes from Defense Orchestrator to FTD.
