Active Directory (LDAP)

Active Directory LDAP

Active Directory LDAP is a Directory Data Source integration. Data Source integrations are used during investigations to improve analysis and in interactive chat to help answer questions. They are optional, but enabling more tooling integrations enhances Dropzone analysis.

The Dropzone platform supports Active Directory (LDAP) to look up organizational information such as users, job titles, and devices.

The Active Directory integration requires that you have already enabled the Dropzone Connector.

Integration Overview

To enable these integrations you will perform the following actions:

  • Create a read-only service account

  • Grant the service account read access to users and computers

  • Determine your LDAP Base DN (Distinguished Name)

  • Install the credentials into your Dropzone tenant

Create a Read Only Service Account

Dropzone will use an AD service account for authenticating to your AD LDAP. To create a Read Only Service Account, do the following:

  • Open "Active Directory Users and Computers"

Open Active Directory Users and Computers
  • Right click on the container of your choice, such as "Users", and click New > User

Right Click New User
  • Give it a first/last/full name

  • Give it a User Logon Name, such as svc-dropzone@

New User Details
  • Record this User Logon Name for use later in the Dropzone UI where it is called "User"

  • Click Next

  • Provide a strong password and record it for use later in the Dropzone UI where it is called "Password"

  • Uncheck "User must change password at next login"

Password Settings

If you have a corporate-wide password rotation policy, either exempt this account from it, or change the password periodically in AD and update the Dropzone integration with the new password so the account stays within your organizational policy.

  • Click "Next"

  • Click "Finish"

Apply Active Directory Permissions to the Service Account

Next, we will grant permissions to the service account. Most customers apply this at the top of the forest so Dropzone has the most visibility into users, devices, and other objects, but you may pick a lower level if you wish to limit the scope.

  • Open "Active Directory Users and Computers"

  • Click "View" from the menu bar, and make sure "Advanced Features" is selected

  • Right click the top of your forest and select "Properties"

  • Select the "Security" tab and click "Add"

  • Type the name of the service account you created (e.g. svc-dropzone@) and click OK to search

Granting Permissions to the Service Account
  • Highlight the service account and click "Advanced"

Permissions to the Service Account (Continued)
  • In the "Permissions" tab, select the service account again and click "Edit"

Permissions to the Service Account (Continued)
  • Set read for users

    • Set the "Applies to" dropdown to "Descendant User Objects" so the service account can see all objects in the hierarchy

    • In the Permissions section, make sure "Read All Properties" is checked

    • In the Properties section, make sure "Read All Properties" is checked (this is further down the page)

User Settings
  • Set read for devices

    • Set the "Applies to" dropdown to "Descendant Computer Objects" so the service account can see all objects in the hierarchy

    • In the Permissions section, make sure "Read All Properties" is checked

    • In the Properties section, make sure "Read All Properties" is checked (this is further down the page)

  • Click the "OK" button to save

Device Settings

Note that device querying via LDAP is not yet supported in Dropzone AI

Determine The Service Account User Name

  • In Active Directory Users and Computers, find the service account just created

  • Right click on it and select Properties

The Service Account
  • Click "Attribute Editor" in the tabs at the top

  • Scroll down to the "distinguishedName" field

The distinguishedName
  • Double click it to pop it out

  • Record the full value of the distinguishedName field for use later in the Dropzone UI where it is called "Distinguished Name"

The User Distinguished Name

Determine your LDAP Base DN (Distinguished Name)

Your Base DN is typically derived from your domain name, with DC= before each domain component. For example, if your domain is example.com then the Base DN is likely DC=example,DC=com.

If you do not already know your Base DN, you can find it as follows:

  • In Active Directory Users and Computers, find the service account you created

  • Right click on it and select "Properties"

The Service Account
  • Click "Attribute Editor" in the tabs at the top

  • Scroll down to the "distinguishedName" field

The Distinguished Name
  • Double click it to pop it out

  • Record the part that starts with DC= for use later in the Dropzone UI where it is called the "Base DN"

The Base DN
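The four sections above (create the read-only account, grant it read access at the top of the domain, find its distinguishedName, find the Base DN) done in PowerShell instead of the ADUC GUI. This is an added example, not Dropzone AI's own tooling. It assumes the ActiveDirectory RSAT module, an operator who may create users and edit the domain-root ACL, and uses the logon name svc-dropzone and the "Users" container as placeholders; change them to match the choices you made above.

```powershell
# Added example, not Dropzone AI's own tooling: creates the read-only service
# account, grants it "Read All Properties" on descendant user and computer
# objects at the top of the domain, and prints the "Distinguished Name" and
# "Base DN" values the Dropzone UI asks for. Run it in the forest root domain.
Import-Module ActiveDirectory

$SamAccountName = "svc-dropzone"                     # placeholder logon name
$Domain         = Get-ADDomain                       # the domain you are running in
$BaseDN         = $Domain.DistinguishedName          # e.g. DC=example,DC=com
$Container      = "CN=Users,$BaseDN"                 # the container chosen in the GUI steps

# 1. Create the service account. -ChangePasswordAtLogon $false matches the
#    "Uncheck User must change password at next login" step; -PasswordNeverExpires
#    mirrors exempting the account from rotation, so drop it if you rotate instead.
$Password = Read-Host -AsSecureString "Password for $SamAccountName"
New-ADUser -Name $SamAccountName -SamAccountName $SamAccountName `
    -UserPrincipalName "$SamAccountName@$($Domain.DNSRoot)" -Path $Container `
    -AccountPassword $Password -Enabled $true `
    -ChangePasswordAtLogon $false -PasswordNeverExpires $true `
    -Description "Dropzone AI read-only LDAP lookup account"
$Account = Get-ADUser $SamAccountName

# 2. Grant ReadProperty ("Read All Properties"), inherited to descendant user and
#    computer objects only. The schemaIDGUID of each class is what the
#    "Applies to: Descendant User/Computer Objects" dropdown writes into the ACE.
$SchemaNC = (Get-ADRootDSE).schemaNamingContext
$Acl      = Get-Acl -Path "AD:\$BaseDN"
foreach ($Class in "user", "computer") {
    $ClassGuid = [guid](Get-ADObject -SearchBase $SchemaNC `
                            -LDAPFilter "(lDAPDisplayName=$Class)" `
                            -Properties schemaIDGUID).schemaIDGUID
    $Rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $Account.SID,
        [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $ClassGuid)
    $Acl.AddAccessRule($Rule)
}
Set-Acl -Path "AD:\$BaseDN" -AclObject $Acl

# 3. The two values to paste into the Dropzone "Active Directory" tile.
"Distinguished Name : $($Account.DistinguishedName)"
"Base DN            : $BaseDN"
```

Granting only ReadProperty, scoped by the class GUID, gives the ACE the same shape the GUI produces: the account can read attributes of users and computers below the chosen container and nothing else, which is the least privilege the lookups need. If you chose a lower-level OU in the GUI steps, set $BaseDN to that OU's DN before the Get-Acl call.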

Enable Active Directory LDAP

The Data source integration allows Dropzone AI to look up organizational information.

To enable the Data Source integration, you will need the following information:

Dropzone Field       Source
Server               The IP address or host name of the AD server, entered as ldap:// followed by the name or IP
Distinguished Name   The full distinguishedName value you copied from the service account in Active Directory
Password             The service account password you set above
Base DN              The LDAP Base DN of your Active Directory (e.g. DC=example,DC=com)

To enable the Data Source integration, do the following:

  • Navigate to your Dropzone AI tenant home page e.g. https://mycompany.dropzone.app

  • In the bottom left hand corner, click Settings > Integrations

Integrations Dropdown
  • Click "Available"

Click Available
  • In the Search bar, search Active Directory, then click "Configure"

The Active Directory Data Tile
  • Input the service account user's Distinguished Name and Password

  • Input the Base DN to be used for searches

  • For the server name field, use ldap:// followed by your server name or IP

  • Click "Test & Save" to finish

The Active Directory Data Source Configuration

If you have any errors engage your Dropzone AI support representative.
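Before clicking "Test & Save", the four values can be checked from any Windows host that reaches the domain controller on TCP 389. The script below is an added example, not Dropzone AI's own tooling; it performs the same two operations the integration has to perform, a simple bind as the service-account DN and a search under the Base DN, so a wrong value fails here with Active Directory's reason rather than in the UI. The server name, DN and Base DN are placeholders.

```powershell
# Added example, not Dropzone AI's own tooling: pre-flight check of the values
# entered in the Dropzone "Active Directory" tile. Placeholders throughout.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Server            = "dc01.example.com"                           # UI "Server": ldap://dc01.example.com
$DistinguishedName = "CN=svc-dropzone,CN=Users,DC=example,DC=com"  # UI "Distinguished Name"
$BaseDN            = "DC=example,DC=com"                           # UI "Base DN"
$Password          = Read-Host -AsSecureString "Password for $DistinguishedName"
# A simple bind sends the password in the clear unless the session is upgraded to
# TLS first. StartTLS needs a server certificate on the DC; a DC configured to
# require LDAP signing refuses simple binds over a non-TLS session in any case.
$UseStartTls       = $true

# Escape the characters that have meaning inside an LDAP filter (RFC 4515).
function ConvertTo-LdapFilterValue([string]$Value) {
    return $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

$Identifier = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($Server, 389)
$Credential = [System.Net.NetworkCredential]::new($DistinguishedName, $Password)
$Connection = [System.DirectoryServices.Protocols.LdapConnection]::new(
    $Identifier, $Credential, [System.DirectoryServices.Protocols.AuthType]::Basic)
$Connection.SessionOptions.ProtocolVersion = 3
if ($UseStartTls) { $Connection.SessionOptions.StartTransportLayerSecurity($null) }

# Step 1: the bind. A wrong DN or password fails here; AD puts its reason in
# ServerErrorMessage (for example "data 52e" for a bad password).
try {
    $Connection.Bind()
    "Bind OK as $DistinguishedName"
} catch [System.DirectoryServices.Protocols.LdapException] {
    Write-Error "Bind failed: $($_.Exception.Message) $($_.Exception.ServerErrorMessage)"
    return
}

# Step 2: look up the service account's own object by searching from the Base DN.
# Exactly one hit proves the Base DN sits above the real objects and that
# "Read All Properties" on descendant user objects is in effect.
$Filter  = "(distinguishedName=$(ConvertTo-LdapFilterValue $DistinguishedName))"
$Request = [System.DirectoryServices.Protocols.SearchRequest]::new(
    $BaseDN, $Filter, [System.DirectoryServices.Protocols.SearchScope]::Subtree,
    [string[]]@("sAMAccountName", "title", "whenCreated"))
$Response = $Connection.SendRequest($Request)
if ($Response.Entries.Count -ne 1) {
    Write-Error "No object for $DistinguishedName under $BaseDN; check the Base DN and the account's read permission"
    return
}
$Entry = $Response.Entries[0]
foreach ($Name in $Request.Attributes) {
    $Attr = $Entry.Attributes[$Name]
    "{0,-15} {1}" -f $Name, $(if ($Attr) { $Attr[0] } else { "<not set or not readable>" })
}
$Connection.Dispose()
```

If the bind succeeds but the search returns nothing, the Base DN is usually the culprit (a child-domain DN, or a typo in a DC= component); if the bind succeeds and the object is found but title shows "not readable", the permission step was applied below the account's own container.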
