How to Configure Netreo to Use Active Directory (LDAP) for User Management

This feature is available for on-premises deployments only.

Once Active Directory (LDAP) is enabled, you will only be able log in to Netreo using Active Directory usernames and passwords (except for the default Netreo administrator local account). To log in to Netreo using the default administrator local account, use the username/password “omnicenter/administrator” which will indicate to Netreo that you wish to bypass Active Directory. This is useful if your active directory server is down or unreachable for some reason.

1. Log in to Netreo as a user with the SuperAdmin access level.
2. Go to the main menu and select Administration > Users > Authentication Settings to navigate to the Authentication Settings page.
3. In the TYPE field of the Authentication panel select Active Directory (LDAP) from the pull-down menu. The Active Directory configuration options become visible.
4. Select Add New Directory Server to add a new Active Directory server to Netreo.
5. In the dialog that appears:
   1. In the LDAP SERVER IP field enter the IP address of the directory serverthat you want Netreo to use (this will usually be a primary or backup domain controller in an Active Directory environment).
   2. In the DESCRIPTION field enter a description for this directory server (for example, “Primary Domain Controller”).
   3. In the PRIORITY field select either Primary or Backup from the pull-down selector.
      • Select Primary if you are only configuring a single directory server.
      • Select Backup if you are configuring a backup server for use if the primary server is unreachable.
   4. In the DOMAIN SUFFIX field enter your AD domain suffix.
      • The account suffix is required. It is typically the part of your addressing system after the “at" symbol (@), for example “@netreo.com.” It is used to look up domain users and must be correct. Consult your Active Directory administrator if you are unsure of this setting.
   5. In the BASE DN field enter your AD Base DN.
      • The Base DN is the top level of the LDAP directory tree and typically takes the form “dc=netreo,dc=com” where each section of the account suffix is identified as a separate “dc=” section. In some cases, it may differ from your account suffix. This is used to look up domain users and must be correct. Consult your Active Directory administrator if you are unsure of this setting.
   6. In the OPENLDAP field select Yes or No depending on whether or not you are using OpenLDAP.
   7. In the USER GROUP NAME enter the AD user group names to which you would like to give Netreo access.
      • These may be either “Security” or “Distribution” groups. Either will work.
      • Changes in permission levels for individual accounts within the specified group must be done in Netreo's Users Administration page.
      • You may select to forego entering a group name here, and instead specify specific AD user groups for specific Netreo access levels in the User Permission Mapping section detailed below.
   8. Select Save.
6. If your AD server uses SSL switch the USE SSL field to ON.
   • Turning on this option allows Netreo to send the authentication request over a secure SSL/TLS connection using port 636/TCP. For this option to work, an SSL certificate must be installed on your LDAP authentication server, and port 636/TCP must be open from Netreo to the server.
7. Optional: If desired, you may specify multiple AD user groups in the User Permission Mapping section for any, or all, Netreo user access levels. Enter a user group name in the entry field next to a Netreo access level for that group to be granted the access privileges of that level.
   • If groups are configured in this section, the group specified in the directory server settings above is ignored.
   • Specifying user groups in this section also causes Netreo to update a user's access level every time they log in (facilitating movement of a user from one group to another).
   • If a user belongs to more than one of the configured groups, their permissions level will be set to reflect the highest permissions level group they are assigned to.
8. Select Save.

All current users must log out and log back in again using their Active Directory credentials.