Active Directory (LDAP)
Last updated
Active Directory LDAP is a Directory Data Source integration. Data Source integrations are used during investigations to improve analysis and in interactive chat to help answer questions. They are optional, but enabling more tooling integrations enhances Dropzone analysis.
The Dropzone platform supports Active Directory (LDAP) to look up organizational information such as users, job titles, and devices.
The Active Directory integration requires that you have already enabled the Dropzone Connector.
To enable these integrations you will perform the following actions:
Create read-only service account
Grant the service account read access to users and computers
Determine your LDAP Base DN (Distinguished Name)
Install the credentials into your Dropzone tenant
Dropzone will use an AD service account for authenticating to your AD LDAP. Perform the following actions to create the account:
Open "Active Directory Users and Computers"
Right click on the container of your choice, such as "Users", and click New > User
Give it a first/last/full name
Give it a User Logon Name, e.g. svc-dropzone@
Record this User Logon Name for use later in the Dropzone UI where it is called "User"
Click Next
Provide a strong password and record it for use later in the Dropzone UI where it is called "Password"
Uncheck "User must change password at next login"
If you have a corporate-wide password rotation policy, either exempt this account from it, or change the password periodically in AD and update the Dropzone integration with the new password so that you stay within your organizational policy
Click "Next"
Click "Finish"
Next, we will grant permissions to the service account. Most customers apply this at the top of the forest so Dropzone has the most visibility into users, devices, and so on, but you may pick a lower level if you wish to limit the scope.
Open "Active Directory Users and Computers"
Click "View" from the menu bar, and make sure "Advanced Features" is selected
Right click the top of your forest and select "Properties"
Select the "Security" tab and click "Add"
Type the name of the service account you created (e.g. svc-dropzone@) and click OK to search
Highlight the service account and click "Advanced"
In the "Permissions" tab, select the service account again and click "Edit"
Set read for users
Set the "Applies to" dropdown to "Descendant User Objects" so the service account can see all objects in the hierarchy
In the Permissions section, make sure "Read All Properties" is checked
In the Properties section, make sure "Read All Properties" is checked (this is further down the page)
Set read for devices
Set the "Applies to" dropdown to "Descendant Computer Objects" so the service account can see all objects in the hierarchy
In the Permissions section, make sure "Read All Properties" is checked
In the Properties section, make sure "Read All Properties" is checked (this is further down the page)
Click the "OK" button to save
Note that device querying via LDAP is not yet supported in Dropzone AI
In Active Directory Users and Computers, find the service account we created
Right click on it and select Properties
Click "Attribute Editor" in the tabs at the top
Scroll down to the "distinguishedName" field
Double click it to pop it out
Record the full value of the distinguishedName field for use later in the Dropzone UI where it is called "DistinguishedName"
Your Base DN is typically derived from your domain name, with DC= prefixed to each domain component. For example, if your domain is example.com then the Base DN is likely DC=example,DC=com.
If you do not already know your Base DN, you can find it as follows:
In Active Directory Users and Computers, find the service account we created
Right click on it and select Properties
Click "Attribute Editor" in the tabs at the top
Scroll down to the "distinguishedName" field
Double click it to pop it out
Record the part that starts with DC= for use later in the Dropzone UI where it is called the "Base DN"
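The Base DN derivation and the "record the part that starts with DC=" step above, as an added Python example that is not part of this Dropzone documentation: it builds the Base DN from a domain name and extracts it from a distinguishedName, honouring RFC 4514 escaped commas so an RDN such as CN=Doe\, Jane is not split in two. The sample DN and domain are constructed.

```python
import re

# Added example, not part of the Dropzone documentation: helpers for the
# "Determine your LDAP Base DN" step. Sample values below are constructed.

def split_dn(dn: str) -> list[str]:
    """Split a DN into its RDNs, honouring RFC 4514 backslash escapes so a
    comma inside a value (e.g. 'CN=Doe\\, Jane') does not split the RDN."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    return [r for r in rdns if r]

def base_dn_from_distinguished_name(dn: str) -> str:
    """Return the trailing DC= components of a distinguishedName attribute,
    i.e. the part the guide tells you to record as the Base DN."""
    rdns = split_dn(dn)
    dc_parts = [r for r in rdns if r.upper().startswith("DC=")]
    if not dc_parts:
        raise ValueError(f"no DC= components in DN: {dn!r}")
    if rdns[-len(dc_parts):] != dc_parts:  # DC= RDNs must form the suffix
        raise ValueError(f"DC= components are not a trailing suffix: {dn!r}")
    return ",".join(dc_parts)

def base_dn_from_domain(domain: str) -> str:
    """Build the Base DN from a DNS domain, e.g. example.com -> DC=example,DC=com."""
    labels = [lab for lab in domain.strip().strip(".").split(".") if lab]
    if not labels or not all(re.fullmatch(r"[A-Za-z0-9-]+", lab) for lab in labels):
        raise ValueError(f"not a valid DNS domain name: {domain!r}")
    return ",".join(f"DC={lab}" for lab in labels)

if __name__ == "__main__":
    # Constructed sample: a service account DN as shown by Attribute Editor.
    sample_dn = "CN=svc-dropzone,CN=Users,DC=corp,DC=example,DC=com"
    print(base_dn_from_distinguished_name(sample_dn))  # DC=corp,DC=example,DC=com
    print(base_dn_from_domain("corp.example.com"))      # DC=corp,DC=example,DC=com
```

On a domain-joined machine with the AD PowerShell module, (Get-ADRootDSE).defaultNamingContext returns the same value directly, which is a quick cross-check before entering it in the Dropzone UI.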
The Data source integration allows Dropzone AI to look up organizational information.
You'll need the following information:
Server: The IP address or name of the AD server
User: The service account name you created above
Password: The service account password you set above
User: The User info you copied from the service account's distinguishedName found in Active Directory
Base DN: The LDAP DN of your Active Directory
To enable the Data Source integration, do the following:
Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.ai
Click System > Integrations
Under Integrations on the left, select Available
Find the "Active Directory" tile and click "Configure"
Input the service account user's Distinguished name and Password
Input the Base DN fields for searches
For the server name field, use ldap:// followed by your server name or IP
Click "Test & Save" to finish
If you encounter any errors, contact your Dropzone AI support representative.