Twistlock can integrate with Active Directory (AD), an enterprise identity directory service.
If your AD environment uses alternative UPN suffixes (also referred to as explicit UPNs), see Non-default UPN suffixes to understand how to use them with Twistlock.
After integrating Twistlock with AD, you can control access to Docker Engine, Docker Swarm, and Kubernetes based on AD group memberships. Note that LDAP group names are case sensitive in Twistlock: the group name you enter must match the AD group name exactly.
With AD integration, you can:
Re-use the identities and groups already set up in Active Directory.
Extend your organization’s access control logic to the management of Docker containers.
For example, you could specify that only members of the AD group Dev Ops Admins can start and stop containers in the production environment. For more information, see Access control for Docker Engine (RBAC).
The following configuration options are available:
Configuration option | Description
---|---
Enabled | Enables or disables integration with Active Directory. In Console, use the slider to enable (ON) or disable (OFF) integration with AD. By default, integration with AD is disabled.
URL | Specifies the path to your LDAP server, such as an Active Directory Domain Controller. The format for the LDAP server path is <PROTOCOL>://<HOST>:<PORT>, where <PROTOCOL> can be ldap or ldaps. For an Active Directory Global Catalog server, use ldap. For performance and redundancy, use a load balanced path. Example: ldap://ldapserver.example.com:3268
Search Base | Specifies the search query base path for retrieving users from the directory. Example: dc=example,dc=com
User identifier | User name format used when authenticating: sAMAccountName (DOMAIN\sAMAccountName) or userPrincipalName (user@ad.example.com).
Account UPN | Specifies the username for the Twistlock service account that has been set up to query Active Directory. Specify the username in User Principal Name (UPN) format: <USERNAME>@<DOMAIN>. Example: twistlock_service@example.com
Account Password | Specifies the password for the Twistlock service account.
Integrate Active Directory after you have installed Twistlock.
Open Console, then go to Manage > Authentication > LDAP.
Set Integrate LDAP users and groups with Twistlock to Enabled.
Specify all the parameters for connecting to your Active Directory service.
For Authentication type, select Active Directory.
In Path to LDAP service, specify the path to your LDAP server.
For example: ldap://ldapserver.example.com:3268
In Search Base, specify the base path to the subtree that contains your users.
For example: dc=example,dc=com
In Service Account UPN and Service Account Password, specify the credentials for your service account.
Specify the username in UPN format: <USERNAME>@<DOMAIN>
For example, the account UPN format would be: twistlock_service@example.com
If you connect to Active Directory with ldaps, paste your CA certificate (PEM format) in the CA Certificate field.
This enables Twistlock to validate the LDAPS server certificate, which prevents spoofing and man-in-the-middle attacks. If this field is left blank, Twistlock does not validate the LDAPS certificate, so anyone who can intercept the connection could present their own certificate and capture the service account credentials.
Click Save.
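The following is an added example, not part of the Twistlock documentation or product: an offline pre-flight check of the values you are about to type into Manage > Authentication > LDAP. AdSettings, check_settings() and the individual rules are hypothetical helpers written for this page; they encode the constraints stated above (URL of the form <PROTOCOL>://<HOST>:<PORT> with ldap or ldaps, a DN search base, a <USERNAME>@<DOMAIN> service account, and a CA certificate that only matters for ldaps and, when blank, leaves the LDAPS certificate unvalidated). The Global Catalog port numbers and the cleartext-bind warning for ldap:// are general Active Directory and LDAP facts, not something this page states.

```python
"""Offline pre-flight check for the values entered at Manage > Authentication > LDAP.

Added example, not Twistlock code. AdSettings, check_settings() and the rule set
are hypothetical helpers that encode the constraints stated on the page.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import urlsplit

Finding = Tuple[str, str]  # (level, message) with level in ERROR / WARN / INFO

# Active Directory Global Catalog ports: 3268 for ldap, 3269 for ldaps.
GLOBAL_CATALOG_PORTS = {"ldap": 3268, "ldaps": 3269}
UPN_RE = re.compile(r"^[^@\s\\/]+@[^@\s]+$")          # <USERNAME>@<DOMAIN>
RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+$")     # one attr=value RDN


@dataclass
class AdSettings:
    """Hypothetical holder for the LDAP page fields (constructed for this example)."""
    url: str                      # <PROTOCOL>://<HOST>:<PORT>
    search_base: str              # e.g. dc=example,dc=com
    service_account_upn: str      # <USERNAME>@<DOMAIN>
    ca_certificate_pem: str = ""  # CA Certificate field; empty means no validation


def check_url(url: str) -> List[Finding]:
    findings: List[Finding] = []
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in GLOBAL_CATALOG_PORTS:
        return [("ERROR", f"URL scheme must be ldap or ldaps, got {parts.scheme!r}")]
    try:
        port = parts.port
    except ValueError:
        port = None
    if not parts.hostname or port is None:
        return [("ERROR", "URL must be <PROTOCOL>://<HOST>:<PORT> with an explicit port")]
    if scheme == "ldap":
        # A simple bind over plain ldap:// sends the service account password in cleartext.
        findings.append(("WARN", "ldap:// sends the service account bind in cleartext; prefer ldaps://"))
    other = "ldaps" if scheme == "ldap" else "ldap"
    if port == GLOBAL_CATALOG_PORTS[other]:
        findings.append(("WARN", f"port {port} is the Global Catalog port for {other} "
                                 "(ldap uses 3268, ldaps uses 3269)"))
    return findings


def check_search_base(base: str) -> List[Finding]:
    rdns = [r.strip() for r in base.split(",")]
    if not base.strip() or not all(RDN_RE.match(r) for r in rdns):
        return [("ERROR", f"Search Base must be a DN such as dc=example,dc=com, got {base!r}")]
    return []


def check_service_account(upn: str) -> List[Finding]:
    if "\\" in upn:
        return [("ERROR", "Account UPN must be <USERNAME>@<DOMAIN>, not DOMAIN\\username")]
    if not UPN_RE.match(upn):
        return [("ERROR", f"Account UPN must be <USERNAME>@<DOMAIN>, got {upn!r}")]
    return []


def check_ca_certificate(url: str, pem: str) -> List[Finding]:
    scheme = urlsplit(url).scheme.lower()
    if scheme == "ldaps" and not pem.strip():
        # The page is explicit: a blank field means no validation of the LDAPS certificate.
        return [("WARN", "CA Certificate is blank: the LDAPS server certificate is not validated "
                         "(spoofing / man-in-the-middle risk)")]
    if pem.strip() and "-----BEGIN CERTIFICATE-----" not in pem:
        return [("ERROR", "CA Certificate must be a PEM-encoded certificate")]
    if scheme == "ldap" and pem.strip():
        return [("INFO", "CA Certificate is only used when the URL uses ldaps")]
    return []


def check_settings(s: AdSettings) -> List[Finding]:
    return (check_url(s.url) + check_search_base(s.search_base)
            + check_service_account(s.service_account_upn)
            + check_ca_certificate(s.url, s.ca_certificate_pem))


def has_errors(findings: List[Finding]) -> bool:
    return any(level == "ERROR" for level, _ in findings)


if __name__ == "__main__":
    # Constructed inputs: the page's Global Catalog example and a misconfigured LDAPS variant.
    for s in (AdSettings("ldap://ldapserver.example.com:3268", "dc=example,dc=com",
                         "twistlock_service@example.com"),
              AdSettings("ldaps://dc01.example.com:3268", "example.com",
                         "EXAMPLE\\twistlock_service")):
        print(s.url)
        for level, msg in check_settings(s) or [("OK", "no findings")]:
            print(f"  {level}: {msg}")
```

Run it before saving the Console form: an ERROR means Twistlock will not be able to bind or search at all, while the WARN lines are the settings that work but weaken the integration (an unvalidated LDAPS certificate, or a cleartext bind on the Global Catalog port).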
To grant access to the users in an Active Directory group, add the AD group in Twistlock.
Navigate to Manage > Authentication > Groups and click Add group.
In the pop-up window, enter the name of the AD group exactly as it appears in AD (group names are case sensitive) and select the LDAP group check box.
Grant a role to the group, for example Admin. Note that all members of the group receive this role in Twistlock, so keep membership of an Admin-mapped AD group tightly controlled.
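The following is an added example, not Twistlock code: it works out which group entries from the table above an AD user actually satisfies, given the memberOf values on the user object. The memberOf list and the group-to-role table are constructed, and group_cn() and effective_roles() are hypothetical helpers. The comparison is deliberately case-sensitive, matching the note above that LDAP group names are case sensitive in Twistlock; entries that differ only by case are reported separately so that a mistyped group name is easy to spot.

```python
"""Work out which Twistlock LDAP groups an AD user's memberships satisfy.

Added example, not Twistlock code. The memberOf values and the group table are
constructed; group_cn() and effective_roles() are hypothetical helpers.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed memberOf values as they would appear on an AD user object.
MEMBER_OF = [
    "CN=Dev Ops Admins,OU=Groups,DC=example,DC=com",
    "CN=Platform Viewers,OU=Groups,DC=example,DC=com",
    "CN=Smith\\, John,OU=Users,DC=example,DC=com",   # escaped comma inside a CN
]

# Hypothetical group table from Manage > Authentication > Groups: name -> role.
TWISTLOCK_GROUPS = {
    "Dev Ops Admins": "Admin",
    "platform viewers": "User",   # wrong case on purpose: will not match
    "Security Team": "User",
}

# Leading CN RDN; "\\." keeps LDAP backslash escapes (e.g. "\,") inside the value.
CN_RE = re.compile(r"^CN=((?:\\.|[^,])+)", re.IGNORECASE)


def group_cn(dn: str) -> Optional[str]:
    """Return the CN of a group DN with LDAP backslash escapes removed, or None."""
    m = CN_RE.match(dn.strip())
    return re.sub(r"\\(.)", r"\1", m.group(1)) if m else None


def effective_roles(member_of: List[str],
                    groups: Dict[str, str]) -> Tuple[Dict[str, str], List[Tuple[str, str]]]:
    """Exact matches as {group: role}; near-misses as (configured name, actual CN)."""
    cns = [cn for cn in (group_cn(dn) for dn in member_of) if cn]
    matched: Dict[str, str] = {}
    near_misses: List[Tuple[str, str]] = []
    for name, role in groups.items():
        if name in cns:                      # case-sensitive, as in Twistlock
            matched[name] = role
        else:
            near_misses.extend((name, cn) for cn in cns
                               if cn.casefold() == name.casefold())
    return matched, near_misses


if __name__ == "__main__":
    matched, near = effective_roles(MEMBER_OF, TWISTLOCK_GROUPS)
    print("roles granted:", matched)
    for configured, actual in near:
        print(f"group {configured!r} does not match {actual!r}: names are case sensitive")
```

The near-miss report is the useful part: a user who logs in and lands on the User view instead of the Admin view is usually a member of the right AD group, but the name entered in Console differs from the directory's CN by case or by an escaped character.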
To verify the integration with AD:
Open Console.
If you are logged into Console, log out.
At Console’s login page, enter the UPN and password of an existing Active Directory user.
If the login is successful, you are directed to the view appropriate for the user's role. Users with the User role are directed to a single page, Configure > Clients, from where they can download the certs required to access a Twistlock-protected container environment.
After integrating AD with Twistlock, you can:
Grant admin privileges to specific users or groups. For more information, see Assigning roles.
Set up policies for accessing Docker and Kubernetes. For more information, see Access control for Docker Engine.
For a troubleshooting guide to Active Directory and LDAP integration issues, refer to https://docs.twistlock.com/docs/latest/troubleshooting/Active_Directory/ad.html