LDAP
5. LDAP / Active Directory Required Configuration
Purpose
Enable interaction between the agent and Active Directory (or any LDAP server) to discover users and machines in the domain.
Save time by using our automatic installation script with a single command.
Usage steps:
- Download the installation script.
- Edit the environment variables in the file to fit your network.
- Make the script executable depending on your system:
  - Linux
    chmod +x watchman-ldap-configuration.sh
  - Windows
    Set-ExecutionPolicy RemoteSigned -Scope CurrentUser
- Run the script on each target machine in the network.
- Done!
1. Network access to the LDAP/AD server
- Ensure the LDAP or Active Directory server is reachable on the network from the machine running the Watchman agent.
- Verify network permissions (firewall, VPN, possible proxy).
2. Open ports
On Linux:
# For LDAP (unencrypted)
sudo ufw allow 389/tcp
# For LDAPS (secure LDAP)
sudo ufw allow 636/tcp
On Windows:
- Open Windows Defender Firewall with Advanced Security
- Create inbound rules for:
  - TCP 389 (LDAP)
  - TCP 636 (LDAPS)
It is recommended to use LDAPS (port 636) for better security.
3. DNS configuration
- Clients (Watchman agent) must be able to resolve the LDAP/AD server hostname.
- Check that the domain DNS zone is properly configured in the local network.
- Test resolution with:
nslookup <ldap_server_name>
4. LDAP Authentication and Settings
When configuring in the agent's Active Directory tab:
- LDAP URL (e.g., ldap://ad.example.com or ldaps://ad.example.com)
- Port: 389 (LDAP) or 636 (LDAPS)
- Base DN (example: DC=example,DC=com)
- Domain (e.g., example.local)
- Credentials:
  - Username (e.g., admin@example.local or CN=admin,CN=Users,DC=example,DC=com)
  - Password of the authorized account
The account used must have read permissions on user and computer objects in the domain.
Once configured, you can use the "Add User" and "Add Machine" options in the agent's Active Directory tab to perform automatic imports.
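The values from section 4 can be checked for consistency before they are entered in the agent. The script below is an added example, not Watchman code: `check_settings` and `parse_dn` are hypothetical names, and it assumes plain DNs without escaped commas and an Active Directory layout in which the DC components of the Base DN spell the domain name.

```python
# Added example: consistency check for the Active Directory tab values.
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
RDN = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*([^,=]+?)\s*$")
UPN = re.compile(r"^[^@\s]+@[A-Za-z0-9.-]+$")


def parse_dn(dn):
    """Split a simple DN into (ATTR, value) pairs; None if malformed.
    Assumption: no escaped commas, as in the DNs shown on this page."""
    pairs = []
    for part in dn.split(","):
        m = RDN.match(part)
        if not m:
            return None
        pairs.append((m.group(1).upper(), m.group(2)))
    return pairs


def check_settings(url, port, base_dn, domain, username):
    """Return (errors, warnings) for one set of connection settings."""
    errors, warnings = [], []
    u = urlsplit(url)
    scheme = u.scheme.lower()
    if scheme not in DEFAULT_PORTS or not u.hostname:
        errors.append("LDAP URL must look like ldap://host or ldaps://host")
    else:
        if scheme == "ldap":
            warnings.append("ldap:// is unencrypted; prefer ldaps:// on 636")
        if port != DEFAULT_PORTS[scheme]:
            warnings.append(f"port {port} is not the default for {scheme}://")
    rdns = parse_dn(base_dn)
    if rdns is None:
        errors.append("Base DN is not a valid DN")
    else:
        # In AD the domain's DN is built from its DNS name, one DC per label.
        dcs = ".".join(v for a, v in rdns if a == "DC").lower()
        if dcs != domain.lower():
            warnings.append(f"Base DN maps to '{dcs}' but domain is '{domain}'")
    if not UPN.match(username) and parse_dn(username) is None:
        errors.append("Username must be a UPN (user@domain) or a full DN")
    return errors, warnings
```

Called with the sample values listed above (ldap:// on 389, Base DN `DC=example,DC=com`, domain `example.local`), it returns no errors and two warnings: the unencrypted scheme and the Base DN/domain mismatch.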