Active Directory Integration

Overview

DSPM supports the integration of Active Directory (AD) to enrich file scan results with user and group permissions. This integration enables visibility into access controls on scanned files by mapping ACLs (Access Control Lists) from on-premises file systems to users and groups retrieved from AD.

Currently, DSPM supports AD synchronization via sidecar deployments hosted in either AWS or Azure. These sidecars connect to the on-premises AD environment, retrieve directory information, and enable accurate permission mapping during data scans.

Key Capabilities

  • Synchronizes users and groups from on-premises AD.
  • Retrieves file system ACLs for permission visibility.
  • Displays direct and inherited access details in the DSPM inventory.

Prerequisites

  • An AWS or Azure account configured as a sidecar with network access to the on-premises AD environment (via VPN or other secure tunneling methods).
  • Ability to launch EC2 instances (AWS) or VMs (Azure) in the sidecar account.
  • Firewall rules allowing access from the sidecar to the AD server over LDAP or LDAPS (default ports: 389 for LDAP, 636 for LDAPS).
  • Appropriate read permissions on the file shares to be scanned (usually via a designated AD group).

Step-by-Step Setup

Configure the Cloud Sidecar Account

Follow the instructions to onboard your cloud account:

Ensure the cloud account has access to your on-premises AD environment, and that DSPM has access to the AWS VPC or Azure VNet that provides the necessary connectivity by following these guides:

Set Up Active Directory Integration in DSPM

  1. In DSPM, go to Settings > Integrations.
  2. Click Add New. In the Application list, select Active Directory.
  3. Provide the necessary LDAP configuration:
    • Server address
    • Port (389 for LDAP, 636 for LDAPS)
    • Bind credentials
    • Base Domain
  4. Select the appropriate sidecar account.
  5. Click Submit. This saves the configuration and initiates automatic synchronization with your on-premises AD.

You can later edit the configuration by clicking the Edit Connection (pencil) icon.

Configure the On-Premises Connector

Refer to On-Premises Onboarding:

  • Create a new on-premises connector for your Windows File Share(s) and link it to the previously configured Active Directory.
  • For existing connectors, use the Edit Account option to associate the appropriate AD instance.

    Important: You can only link an Active Directory once. After linking, changes are not permitted.

Run a Data Scan

After configuring the on-premises connector, initiate a data scan of the Windows File Share.

Viewing Permissions

After scan completion:

  1. In DSPM, go to Inventory > Data Stores.
  2. Select the Data Stores tab and search for the account.
  3. Click the Access tab to view details about the users and groups with permissions.

Environment Configuration

Active Directory

  • Ensure the firewall allows LDAP/LDAPS access from the sidecar to AD servers.
  • LDAPS is recommended for secure communication.
  • If using LDAPS, a valid certificate must be installed on the AD server (see Enable LDAP over SSL).

File Share Server

  • The DSPM scanning account should be granted read access to shared folders. This is typically done by:
    • Creating or using an existing AD group with read-only access (used for DLP, antivirus, etc.).
    • Adding the DSPM service user to this group.
  • Ensure file shares are properly configured and accessible (e.g., the folder name matches the share name).

Troubleshooting Tips

  • DFS enabled? If DFS (Distributed File System) is used, ensure the firewall allows access to all nodes in the DFS pool.
  • AD sync timeout? This is often caused by network issues. Confirm that the cloud instance (EC2 or Azure VM) can reach the on-premises AD.

What Is My Base Domain?

The Base Domain field takes a Base DN (Distinguished Name), which represents the root of the LDAP directory tree that you want to search. It is derived from your AD DNS domain name and is typically in the format:

DC=domain,DC=com

For example:

  • If your AD domain is example.local, then the Base DN would be:

    DC=example,DC=local
  • If your AD domain is corp.example.com, then the Base DN would be:

    DC=corp,DC=example,DC=com

How to Find My Base Domain

Here are a few ways you can find your base domain:

1. Using Command Line on a Domain-Joined Machine

Open Command Prompt and run:

echo %userdomain%

This returns the NetBIOS domain name, which helps identify the domain but is not necessarily the same as the DNS domain name used to build the Base DN.

Then run:

dsquery * "dc=yourdomain,dc=com" -scope base

Replace yourdomain and com with your own domain components to verify the structure. The command succeeds only if the DN exists as a naming context; dsquery is available on domain controllers and on machines with the AD DS tools (RSAT) installed.

2. Using PowerShell

Get-ADDomain | Select-Object DistinguishedName

This returns the full Base DN of the current domain (requires the ActiveDirectory PowerShell module, part of RSAT).
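The Base DN derivation described above, together with the server/port/Base Domain fields of the LDAP configuration step, as an added example (not part of this page or of DSPM itself). It converts an AD DNS name to its Base DN and back, and builds the base-scope lookup that dsquery performs as an LDAP URL; the server name dc01.corp.example.com is a constructed placeholder.

```python
import re
from typing import NamedTuple

LDAP_PORT, LDAPS_PORT = 389, 636          # default ports named on this page
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def base_dn_from_domain(domain: str) -> str:
    """Derive the Base DN from an AD DNS name: corp.example.com -> DC=corp,DC=example,DC=com."""
    labels = domain.strip().rstrip(".").split(".")   # tolerate a trailing dot
    if any(not _LABEL.match(label) for label in labels):
        raise ValueError(f"not a valid AD DNS domain name: {domain!r}")
    return ",".join(f"DC={label}" for label in labels)


def domain_from_base_dn(base_dn: str) -> str:
    """Reverse mapping, e.g. from the DistinguishedName that Get-ADDomain prints."""
    labels = []
    for rdn in base_dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        if attr.upper() != "DC" or not _LABEL.match(value):
            raise ValueError(f"not a pure domain-component DN: {base_dn!r}")
        labels.append(value)
    return ".".join(labels)


class LdapTarget(NamedTuple):
    url: str           # RFC 4516 LDAP URL for a base-scope search of the naming context
    base_dn: str
    encrypted: bool    # True only for LDAPS on 636
    warnings: tuple


def ldap_target(server: str, domain: str, port: int = LDAPS_PORT) -> LdapTarget:
    """Build the sidecar's connection target from the server, port and Base Domain fields."""
    base_dn = base_dn_from_domain(domain)
    warnings = []
    if port == LDAPS_PORT:
        scheme = "ldaps"
    elif port == LDAP_PORT:
        scheme = "ldap"
        warnings.append("plain LDAP on 389: the bind credentials cross the tunnel unencrypted; use LDAPS on 636")
    else:
        scheme = "ldap"
        warnings.append(f"non-default port {port}: confirm the firewall rule and whether it is LDAP or LDAPS")
    # Same base-scope lookup as: dsquery * "<base dn>" -scope base
    url = f"{scheme}://{server}:{port}/{base_dn}?objectClass?base"
    return LdapTarget(url, base_dn, scheme == "ldaps", tuple(warnings))
```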