ExtraHop 8.8 ExtraHop Trace Admin UI Guide
• Whole subtree: This option looks recursively under the group DN for matching users.
• Single level: This option looks for users that exist in the base DN only; not any subtrees.
6. (Optional) Import user groups. Select the Import user groups from LDAP server checkbox and configure the following settings.
   Note: Importing LDAP user groups enables you to share dashboards with those groups. The imported groups appear on the User Group page in the Administration settings.
   a) Type the base DN in the Base DN field. The Base DN is the point from where a server will search for user groups. The base DN must contain all user groups that will have access to the ExtraHop system. The user groups can be direct members of the base DN or nested within an OU within the base DN if the Whole Subtree option is selected for the Search Scope specified below.
   b) Type a search filter in the Search Filter field. Search filters enable you to define search criteria when searching the LDAP directory for user groups.
      Important: For group search filters, the ExtraHop system implicitly filters on objectclass=group, so objectclass=group should not be added to this filter.
   c) From the Search Scope drop-down list, select one of the following options. Search scope specifies the scope of the directory search when looking for user group entities.
      • Whole subtree: This option looks recursively under the base DN for matching user groups.
      • Single level: This option looks for user groups that exist in the base DN; not any subtrees.
7. Click Test Settings. If the test succeeds, a status message appears near the bottom of the page. If the test fails, click Show details to see a list of errors. You must resolve any errors before you continue.
8. Click Save and Continue.
Next steps
Configure user privileges for remote authentication
Configure user privileges for remote authentication
You can assign user privileges to individual users on your ExtraHop system or configure and manage
privileges through your LDAP server.
When assigning user privileges through LDAP, you must complete at least one of the available user
privilege fields. These fields require groups (not organizational units) that are pre-specified on your LDAP
server. A user account with access must be a direct member of a specified group. User accounts that
are not a member of a group specified above will not have access. Groups that are not present are not
authenticated on the ExtraHop system.
The ExtraHop system supports both Active Directory and POSIX group memberships. For Active Directory, memberOf is supported. For POSIX, memberuid, posixGroups, groupofNames, and groupofuniqueNames are supported.
1. Choose one of the following options from the Privilege assignment options drop-down list:
   • Obtain privileges level from remote server
     This option assigns privileges through your remote authentication server. You must complete at least one of the following distinguished name (DN) fields.
     • Unlimited DN: Create and modify all objects and settings on the ExtraHop system, including Administration settings.
     • Full Write DN: Create and modify objects on the ExtraHop system, not including Administration settings.
     • Limited Write DN: Create, modify, and share dashboards.
     • Personal Write DN: Create personal dashboards and modify dashboards shared with the logged-in user.
     • Full read-only DN: View objects in the ExtraHop system.
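A pre-save review of the rules above, as an added example that is not part of the ExtraHop guide or ExtraHop code: it models the search scope options and the direct-membership requirement over a constructed directory listing, so you can see who would match which privilege field. The DNs, group names, and the `in_scope` and `audit` helpers are hypothetical, and DN handling assumes no escaped commas and no spaces after commas.

```python
# Added example: models the guide's scope and direct-membership rules.
# All DNs and group names below are constructed sample data.
USERS = [
    {"dn": "CN=alice,OU=SecOps,DC=example,DC=com",
     "memberOf": ["CN=eh-unlimited,OU=Groups,DC=example,DC=com"]},
    {"dn": "CN=bob,OU=Tier1,OU=SecOps,DC=example,DC=com",
     "memberOf": ["CN=eh-readonly,OU=Groups,DC=example,DC=com"]},
    # carol's group is nested inside eh-unlimited: not a direct member.
    {"dn": "CN=carol,OU=SecOps,DC=example,DC=com",
     "memberOf": ["CN=soc-leads,OU=Groups,DC=example,DC=com"]},
    # dave is a direct member but sits outside the user base DN.
    {"dn": "CN=dave,OU=Sales,DC=example,DC=com",
     "memberOf": ["CN=eh-unlimited,OU=Groups,DC=example,DC=com"]},
]
PRIVILEGE_DNS = {  # privilege field -> group DN typed into that field
    "Unlimited DN": "CN=eh-unlimited,OU=Groups,DC=example,DC=com",
    "Full read-only DN": "CN=eh-readonly,OU=Groups,DC=example,DC=com",
}

def in_scope(dn, base_dn, scope):
    """scope: 'subtree' (Whole subtree) or 'onelevel' (Single level)."""
    dn, base_dn = dn.lower(), base_dn.lower()
    if scope == "onelevel":
        # Parent DN is everything after the first RDN (no escaped commas assumed).
        return dn.partition(",")[2] == base_dn
    return dn.endswith("," + base_dn)

def audit(users, base_dn, scope, privilege_dns):
    """Map each in-scope user DN to the privilege fields it matches directly."""
    wanted = {dn.lower(): field for field, dn in privilege_dns.items() if dn}
    report = {}
    for user in users:
        if not in_scope(user["dn"], base_dn, scope):
            continue  # assumption: a user the search cannot find gets no access
        groups = (g.lower() for g in user.get("memberOf", []))
        # Only the user's own memberOf values count; nesting is not expanded.
        report[user["dn"]] = sorted(wanted[g] for g in groups if g in wanted)
    return report

if __name__ == "__main__":
    for scope in ("subtree", "onelevel"):
        print(scope)
        for dn, fields in audit(USERS, "OU=SecOps,DC=example,DC=com",
                                scope, PRIVILEGE_DNS).items():
            print("  ", dn, "->", fields or "NO ACCESS")
```

An empty list in the report marks an account that the user search finds but that matches no privilege field, which is the case to check when someone expected nested membership to carry over.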