Overview
It's possible to sync your directory users as targets in PhishingBox if your organization utilizes an LDAP server. LDAP configurations vary from organization to organization, so you may have to consult with your organization's Information Technology team to configure an LDAP user with the proper read permissions and set the LDAP server's security configuration to allow PhishingBox to connect.
Use the links below to jump to a section:
- Integrating an account with an LDAP server
- Integrating a group with an LDAP server
- Field mappings
- Troubleshooting
NOTE: Google Workspace LDAP service requires certificate authentication, which is not currently supported by PhishingBox. In order to connect the PhishingBox LDAP client to a Google Workspace LDAP service, you must use Stunnel as a proxy which will allow username/password authentication. See the following articles for more information.
Integrating an account with an LDAP server
If you only need to sync in users from one LDAP server, it's recommended to configure the integration in the Integration Store (if you need to configure multiple LDAP servers, see the Integrating a group with an LDAP server section). To get started integrating an account with an LDAP server, navigate to Administration > Integration Store in the PhishingBox portal.
- Under the card containing the LDAP logo, click the "Setup" button.
- (Optional) Set the "Active" switch to "YES". Turning this on will result in the following:
  - A sync will be queued immediately after saving (the sync will take place after ~5 minutes). The time it takes for users to sync in as targets can vary depending on the number of users being synced in.
  - When the sync is finished, an integration_sync_finished email will be sent to the Account Manager Email (set on the Notifications tab on the Account Settings page).
- You will need the following information to connect to the LDAP server:
  - Host - The server's IP address or domain.
  - Port - An open port with which to connect to the server (389 and 636 are the default ports for LDAP and LDAPS, respectively). Your LDAP server must accept traffic from 54.80.160.189 and 54.161.73.139 for US clients, or 54.93.55.235 and 52.29.89.35 for EU clients.
  - Bind User - An LDAP username that has permission to read the directory.
  - Password - The password to the Bind User.
  - Base DN - The base DN of the server.
  - Secure Connection - The type of security protocol used to connect to the server.
  - Directory type - Select OpenLDAP, Active Directory, or FreeIPA.
  - Sync By - Select whether to sync by Group, OU or Base.
- Click the "Test" button to connect to the server. If a successful connection is made and you chose to sync by group or OU, the server's groups/OUs will be displayed in a multi-select menu. If you have over 250 groups/OUs, you will be presented a text field where you can search for groups/OUs to pull in.
- Select the groups/OUs you wish to sync.
- Click "Save" to save the configuration.
NOTE: Make sure you select the correct sync type before saving! After saving, you will have to contact support to reconfigure the sync.
If the "Active" switch is set to "YES", the sync will be queued. One Portal group will be created for every group or OU you chose to sync, with the same name and containing all the users from the respective group or OU. If you chose to sync by Base, a single group named "Base" will be created containing all users in the LDAP server.
If you did not set the "Active" switch to "YES", commence the sync by clicking the "Run Sync" link, located in the integration card's drop-down menu. This will queue the sync. You can view the results of the last time the integration was synced by clicking on "Last Sync Logs" in the drop-down. When the sync is finished, an integration_sync_finished email will be sent to the Account Manager Email (set on the Notifications tab on the Account Settings page).
Integrating a group with an LDAP server
To import from LDAP to a single group you will need to create a new group through the Add Group page, or you can edit an existing group and add the integration.
- Provide a name for the group
- Click on the Third-Party Integration tab and choose "LDAP" from the Import Type dropdown menu.
- Configure the required fields. The form fields presented for a group-level sync are identical to the fields described in the Integrating an account with an LDAP server section.
- Click the "Test Configuration" button. If a connection is made, the number of users found in the base DN will be displayed in the Group Targets box. Additionally, options on how you want to pull users will be displayed: you can select the users from the base DN, a specific group, or a specific OU. If there are connection errors, they will be displayed here.
Field mappings
LDAP field mappings are listed in the table below.
| Target Field   | LDAP Field      |
|----------------|-----------------|
| last_name      | sn              |
| first_name     | givenName       |
| title          | title           |
| company        | company         |
| department     | department      |
| manager        | manager         |
| zip            | postalCode      |
| address_one    | streetAddress   |
| phone_business | telephoneNumber |
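As an added example (not PhishingBox's own code), the following models how the grouping described under Integrating an account with an LDAP server (one portal group per synced OU, or a single "Base" group) and the field mappings above combine to turn a directory export into target records. The LDIF sample is constructed, and `parse_ldif`, `ou_of`, `to_target` and `sync` are hypothetical helpers written for this illustration.

```python
# Added illustration of the sync the article describes; not PhishingBox's own code.
from collections import defaultdict
FIELD_MAP = {  # target field -> LDAP attribute, as in the article's mapping table
    "last_name": "sn", "first_name": "givenName", "title": "title",
    "company": "company", "department": "department", "manager": "manager",
    "zip": "postalCode", "address_one": "streetAddress", "phone_business": "telephoneNumber",
}

# Constructed sample export: two users in different OUs, each missing some attributes.
SAMPLE_LDIF = """\
dn: uid=asmith,ou=Sales,dc=example,dc=com
givenName: Alice
sn: Smith
telephoneNumber: +1 555 0100

dn: uid=bjones,ou=Engineering,dc=example,dc=com
givenName: Bob
sn: Jones
postalCode: 40202
"""

def parse_ldif(text):
    """Split simple LDIF (no '::' base64 values, no folded lines) into {attr_lower: [values]} dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr.lower(), []).append(value)
        entries.append(entry)
    return entries

def ou_of(dn):
    """Nearest OU component of a DN ('uid=x,ou=Sales,dc=...' -> 'Sales'); None if absent."""
    for part in dn.split(","):
        key, _, val = part.strip().partition("=")
        if key.lower() == "ou":
            return val

def to_target(entry):
    """Apply FIELD_MAP; absent attributes become None, multi-valued ones keep the first value."""
    return {f: (entry.get(a.lower()) or [None])[0] for f, a in FIELD_MAP.items()}

def sync(ldif_text, sync_by="OU"):
    """Return {portal_group: [targets]}: one group per OU when syncing by OU, else one 'Base' group."""
    groups = defaultdict(list)
    for entry in parse_ldif(ldif_text):
        name = ou_of(entry["dn"][0]) if sync_by == "OU" else None
        groups[name or "Base"].append(to_target(entry))
    return dict(groups)
```

Running `sync(SAMPLE_LDIF)` yields a "Sales" group and an "Engineering" group with one target each; `sync(SAMPLE_LDIF, "Base")` yields a single "Base" group holding both, with unmapped attributes left as None.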
Troubleshooting
Can't contact LDAP server
The PhishingBox portal server cannot find the LDAP host. Ensure that the given LDAP server port is open to traffic from 54.80.160.189 and 54.161.73.139 for US clients, or 54.93.55.235 and 52.29.89.35 for EU clients.
Cannot authenticate
If the LDAP interface throws authentication errors, try using the distinguished name of the LDAP bind user in the bind user field.