UPDATE 9/5/18: If you are running Scrutinizer version 17.x or above, please refer to the updated blog on LDAP authentication.

In the past we’ve had a lot of customers who’ve asked for LDAP authentication for user accounts and it’s now available with the release of Scrutinizer v7.6. To simplify the process we’ve created an LDAP wizard to help guide you through the setup.

LDAP Setup

Before you can configure LDAP with Scrutinizer you need to be using Microsoft Active Directory, know the name or IP of your LDAP server and have an account with the following properties on your LDAP server:

a) One of the following permissions:

– Account Operators

– Administrators

– Domain Admins

– Enterprise Admins

b) WMI Read access to \root\directory\LDAP\

– Account Operators also need to be a member of “Distributed COM users” for remote WMI access

LDAP Configuration

Once the binding account is setup it’s time to run the LDAP configuration wizard. To do this, open up a command prompt on the Scrutinizer server and navigate to the [homedir]\Scrutinizer\bin\ directory and run “scrut_util -ldapwizard” and follow the on screen instructions.

Here is an example setup:

Scrutinizer LDAP wizard

Now, all of your LDAP settings have been imported into Scrutinizer and you can celebrate by logging in with your LDAP account. If you have any questions about this process please contact our technical support.

James Lawrence

James Lawrence

I currently live in Kennebunk, Maine with my wife and 3 children. When I am not working and going to school full time, I enjoy fishing, camping, and playing video games with my oldest son. I do enjoy working outside and gardening is one of my favorite things to do in the seasons that allow it.

Related

8 comments on “How to configure Scrutinizer for LDAP Authentication

  1. Paul,

    Thanks for this article. I just recently updated to the latest and greatest version just for this feature. We tried configuring LDAP manually about 6 months ago with no success and I was reassured that a solution was on the way! It seems my patience paid off!

    Right after I got this setup, I went into the tool and right away everything was working as it should.

    The only warning I can provide for my peers out there is to pay close attention to the groups and how you are granting permissions. I had to make sure all of our guys knew they had to log in with thier domain credentials before I could add them as members to the appropriate groups (administrators in this case).

    Great article, and thanks alot!

    William Powley

  2. Hello,
    Thank you for the very easy to follow article.
    One quick question for you…
    Why does the user need to be a part of one of these groups
    – Account Operators
    – Administrators
    – Domain Admins
    – Enterprise Admins

    Particularly, each of these groups has WRITE permission back to AD. I would like to avoid handing out this kind of permission to a service user like this.
    Thanks

    1. Hi JC,

      I don’t recall all of the exact permissions we need to connect to an LDAP server, but these groups cover them. However, Scrutinizer doesn’t need write permissions for LDAP integration, so feel free to remove that permission.

      Thanks,
      Paul

  3. Hi Paul, when you say “these groups cover them”, by adding your LDAP service account to one of them, this is in-fact giving the LDAP account write access to AD as “JC” indicated.
    This is a concern of mine since all the Scrutinizer product needs is read access to AD (ie the standard “Users” AD group).
    Can you or someone from engineering team provide the minimum access needed for Scrutinizer instead of elevating the permissions to Account Operators or the other more elevated groups mentioned in the documentation?

  4. Hi Jason,

    I’ve escalated your question to development. When I have the permissions for minimal access, I’ll create a forum post with the LDAP permissions and post a comment with the link to it in this blog.

    Thanks,
    Paul

  5. Paul,
    I’ve searched but haven’t been able to find any further updates on the minimal security requirements for the account used for binding LDAP.

    I’ve manually configured the parameters via the GUI and the test option shows success for both binding and search, but then ends with a final result of failed. Packet capture shows successful binding and search and no further communication from test app indicating to me some failure within the host server for scrutinizer. Testing of authenticating via the GUI fails and does not generate any traffic with the LDAP server. I suspect it is a permissions issue for the account being used, but I’d like confirmation and hopefully a solution other than providing write access to that account.

    Thanks

Comments are closed.