# Active Directory (LDAP)

## Active Directory LDAP

{% hint style="info" %}
Active Directory LDAP is a Directory Data Source integration. Data Source integrations are used during investigations to improve analysis and in interactive chat to help answer questions. They are optional, but enabling more tooling integrations enhances Dropzone analysis.
{% endhint %}

The Dropzone platform supports Active Directory (LDAP) to look up organizational information such as users, job titles, and devices.

The Active Directory integration requires that you have enabled the [Dropzone Connector](https://gitlab.com/dropzone-ai/docs-gitbook/-/blob/main/docs.dropzone.ai/docs/overview/connector.md).

### Integration Overview

To enable these integrations you will perform the following actions:

* Create a read-only service account
* Grant the service account read access to users and computers
* Determine your LDAP Base DN (Distinguished Name)
* Install the credentials into your Dropzone tenant

### Create a Read Only Service Account

Dropzone will use an AD service account for authenticating to your AD LDAP. To create a Read Only Service Account, do the following:

* Open "Active Directory Users and Computers"

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-9cdb4bd1497516afe867d5b592d12d7465c4d5ef%2Fad-ldap-00.png?alt=media" alt=""><figcaption><p>Open Active Directory Users and Computers</p></figcaption></figure>

* Right click on the container of your choice, such as "Users", and click New > User

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-bc8e49078f04d1bae4a7fb0e68e4c23411f6d61c%2Fad-ldap-01.png?alt=media" alt=""><figcaption><p>Right Click New User</p></figcaption></figure>

* Give it a first/last/full name
* Give it a User Logon Name, such as *svc-dropzone@*

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-004344d5a12467063890d54e3f3418cd95c719ca%2Fad-ldap-02.png?alt=media" alt=""><figcaption><p>New User Details</p></figcaption></figure>

* Record this User Logon Name for use later in the Dropzone UI where it is called "User"
* Click Next
* Provide a strong password and record it for use later in the Dropzone UI where it is called "Password"
* Uncheck "User must change password at next login"

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-9c957f68df73658af4f99c54ae68da2de06af40f%2Fad-ldap-03.png?alt=media" alt=""><figcaption><p>Password Settings</p></figcaption></figure>

{% hint style="info" %}
If you have a corporate-wide password rotation policy, either exempt this user from it, or change the password periodically in AD and update the Dropzone integration with the new password to stay within your organizational policy.
{% endhint %}

* Click "Next"
* Click "Finish"

### Apply Active Directory Permissions to the Service Account

Next, we will grant permissions to the service account. Most customers apply this at the top of the forest so Dropzone has the most visibility into users, devices, and other objects, but you may pick a lower level if you wish to limit the scope.

* Open "Active Directory Users and Computers"
* Click "View" from the menu bar, and make sure "Advanced Features" is selected
* Right click the top of your forest and select "Properties"
* Select the "Security" tab and click "Add"
* Type the name of the service account you created (e.g. *svc-dropzone@*) and click OK to search

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-115d984b05068b4026068a90975b92a2a8483612%2Fad-ldap-04.png?alt=media" alt=""><figcaption><p>Granting Permissions to the Service Account</p></figcaption></figure>

* Highlight the service account and click "Advanced"

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-1d63e807f60bc3c269c58a58d4192a5069075dd5%2Fad-ldap-05.png?alt=media" alt=""><figcaption><p>Permissions to the Service Account (Continued)</p></figcaption></figure>

* In the "Permissions" tab, select the service account again and click "Edit"

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-fdc7518a4a1789813fcbccd3fd57c5bcc521ab74%2Fad-ldap-06.png?alt=media" alt=""><figcaption><p>Permissions to the Service Account (Continued)</p></figcaption></figure>

* Set read for users
  * Set the "Applies to" dropdown to "Descendant User Objects" so the service account can see all objects in the hierarchy
  * In the Permissions section, make sure "Read All Properties" is checked
  * In the Properties section, make sure "Read All Properties" is checked (this is further down the page)

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-7c6bfe4b801a76f3c944ea4351c243823b6bc28a%2Fad-ldap-07.png?alt=media" alt=""><figcaption><p>User Settings</p></figcaption></figure>

* Set read for devices
  * Set the "Applies to" dropdown to "Descendant Computer Objects" so the service account can see all objects in the hierarchy
  * In the Permissions section, make sure "Read All Properties" is checked
  * In the Properties section, make sure "Read All Properties" is checked (this is further down the page)
* Click the "OK" button to save

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-59905991becf559a2eb8601b2e25ab5ac8c393c1%2Fad-ldap-08.png?alt=media" alt=""><figcaption><p>Device Settings</p></figcaption></figure>

{% hint style="info" %}
Note that device querying via LDAP is not yet supported in Dropzone AI.
{% endhint %}

## Determine The Service Account User Name

* In Active Directory Users and Computers, find the service account just created
* Right click on it and select Properties

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-338a2bda271101bdcec36469c885f5de770226cc%2Fad-ldap-09.png?alt=media" alt=""><figcaption><p>The Service Account</p></figcaption></figure>

* Click "Attribute Editor" in the tabs at the top
* Scroll down to the "distinguishedName" field

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-57c3b1a92314c9bbcb10eb725ea0123e4ed30449%2Fad-ldap-10.png?alt=media" alt=""><figcaption><p>The distinguishedName</p></figcaption></figure>

* Double click it to pop it out
* Record the full value of the distinguishedName field for use later in the Dropzone UI where it is called "Distinguished Name"

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-4f6196f16c8321c2b564966e49fe2850ade87ce7%2Fad-ldap-13.png?alt=media" alt=""><figcaption><p>The User Distinguished Name</p></figcaption></figure>

## Determine your LDAP Base DN (Distinguished Name)

Your Base DN is typically derived from your domain name, with each domain component prefixed by `DC=` and the components separated by commas. For example, if your domain is *example.com* then the Base DN is likely `DC=example,DC=com`.

If you do not already know your Base DN, you can find it as follows:

* In Active Directory Users and Computers, find the service account you created
* Right click on it and select "Properties"

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-338a2bda271101bdcec36469c885f5de770226cc%2Fad-ldap-09.png?alt=media" alt=""><figcaption><p>The Service Account</p></figcaption></figure>

* Click "Attribute Editor" in the tabs at the top
* Scroll down to the "distinguishedName" field

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-57c3b1a92314c9bbcb10eb725ea0123e4ed30449%2Fad-ldap-10.png?alt=media" alt=""><figcaption><p>The Distinguished Name</p></figcaption></figure>

* Double click it to pop it out
* Record the part that starts with `DC=` for use later in the Dropzone UI where it is called the "Base DN"

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-18b923107f40b0917e20608a125960959e4d2e1a%2Fad-ldap-11.png?alt=media" alt=""><figcaption><p>The Base DN</p></figcaption></figure>
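The two rules above (a Base DN derived from the domain name, and the `DC=` tail extracted from the service account's distinguishedName) as an added example, not code from the Dropzone documentation. It handles RFC 4514 escaped commas in a DN (such as a CN of `Doe\, Jane`), and the final check confirms that the service account DN actually sits under the Base DN before you enter both in the Dropzone UI; all sample values are constructed.

```python
# Added example (not Dropzone's own code): derive and extract an LDAP Base DN.

def base_dn_from_domain(domain: str) -> str:
    """'example.com' -> 'DC=example,DC=com' (trailing dot and case normalised)."""
    labels = [l for l in domain.strip().strip(".").lower().split(".") if l]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"DC={label}" for label in labels)

def split_rdns(dn: str) -> list[str]:
    """Split a DN on unescaped commas; a backslash escapes the next character."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep escape pair intact
            current.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    return rdns

def base_dn_from_dn(dn: str) -> str:
    """Return the trailing run of DC= components of a distinguishedName."""
    dc = []
    for rdn in reversed(split_rdns(dn)):
        if not rdn.upper().startswith("DC="):
            break
        dc.insert(0, rdn)
    if not dc:
        raise ValueError(f"no DC= components in {dn!r}")
    return ",".join(dc)

def dn_is_under(dn: str, base_dn: str) -> bool:
    """Case-insensitive check that dn is a descendant of base_dn."""
    base = [r.lower() for r in split_rdns(base_dn)]
    rdns = [r.lower() for r in split_rdns(dn)]
    return len(rdns) > len(base) and rdns[-len(base):] == base

if __name__ == "__main__":
    # Constructed sample values, not taken from a real directory.
    user_dn = "CN=svc-dropzone,CN=Users,DC=example,DC=com"
    print(base_dn_from_domain("example.com"))                 # DC=example,DC=com
    print(base_dn_from_dn(user_dn))                           # DC=example,DC=com
    print(dn_is_under(user_dn, base_dn_from_domain("example.com")))  # True
```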

## Enable Active Directory LDAP

The Data source integration allows Dropzone AI to look up organizational information.

To enable the Data Source integration, you will need the following information:

| Dropzone Field     | Source                                                                                                 |
| ------------------ | ------------------------------------------------------------------------------------------------------ |
| Server             | The IP address or name of the AD server, in the format of `ldap://` followed by your server name or IP |
| Distinguished Name | The service account's full `distinguishedName` value that you recorded from Active Directory above      |
| Password           | The service account password you set above                                                             |
| Base DN            | The LDAP DN of your Active Directory                                                                   |

To enable the Data Source integration, do the following:

* Navigate to your Dropzone AI tenant home page, e.g. `https://mycompany.dropzone.app` (substitute your own tenant name)
* In the bottom left hand corner, click Settings > Integrations

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-b3f07f902b1402dadc7abbd8bb62f9c204547390%2Fui-integrations-dropdown.png?alt=media" alt=""><figcaption><p>Integrations Dropdown</p></figcaption></figure>

* Click "Available"

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-434641ec6d4e45051842f86164f485d6bd289424%2Fapp_system_integrations_available.png?alt=media" alt=""><figcaption><p>Click Available</p></figcaption></figure>

* In the Search bar, search Active Directory, then click "Configure"

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-cddcac82e113423cb4a319dac6b9fc979bf8ca05%2Fapp_system_integrations_available_Active_Directory.png?alt=media" alt=""><figcaption><p>The Active Directory Data Tile</p></figcaption></figure>

* If your Active Directory integration is behind an [On-premise Dropzone Connector](https://docs.dropzone.ai/platform/settings/connector), select your connector from the dropdown
* Input the Base DN that searches will be scoped to
* Input the service account user's Distinguished name and Password
* Input the server
* Click "Test & Save" to finish

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-5ef4c7e7ad50364be7172cec048007ac04aedc16%2Fui-active-directory-data-source-full.png?alt=media" alt=""><figcaption><p>The Active Directory Data Source Configuration</p></figcaption></figure>

If you encounter any errors, contact your Dropzone AI support representative.
