Active Directory
Connect your Active Directory server to use Opal to manage and review access.
Want to set up Opal to manage access to your Active Directory server? We have you covered.
Opal's integration with Active Directory supports the following, and more:
- Users can request time-bounded access to your AD groups.
- Auditors can initiate access reviews that assign managers or group admins to periodically review users with long-lived access to AD groups.
- Admins can add resources from other Opal integrations to an AD group so an AD group's members can automatically gain birthright access to, for example, a GitHub repo, AWS IAM role, etc.
- All access changes are tracked in a permanent audit log that can be logged to a Slack channel or be exported to your favorite tools.
Getting Started
Create an Active Directory app
To get started, go to the Apps page, click + at the top right, and click New app. Then, click on the Active Directory tile.
You will see a form to be completed. Opal requires the following credentials in order to manage access to your AD groups.
Step 1 - Configure an Active Directory service account for Opal
In order for Opal to manage your Active Directory server on your behalf, we'll need you to create an Active Directory service account for your server with proper permission scopes.
- Connect to a Domain Controller or to a computer with Active Directory Remote Server Administration Tools installed.
- Click Start, type "dsa.msc", then press Enter.
- Navigate to the Organizational Unit where the Opal Service Account will be located.
- Right-click the Organizational Unit, select New > User.
- Optional: Type "Opal" into the First Name field and "Service Account" into the Last Name field.
- Type "OpalServiceAccount" into the User logon name field. Click Next.
- Configure a password based on your organization's password policy requirements, uncheck the User must change password at next logon checkbox, and check the Password never expires checkbox. Click Next. Click Finish.
- Double-click the newly created service account user. On the Member Of tab, add the Domain Admins group (or, if you are using AWS Managed AD, add AWS Delegated Administrators instead). Then save the account and click OK.
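The same service-account setup as a script, added here as an example rather than taken from Opal's documentation. It assumes the ActiveDirectory PowerShell module (RSAT) is installed, and the OU distinguished name and domain are placeholders you replace with your own:

```powershell
# Added example: create the Opal service account from PowerShell instead of dsa.msc.
# Assumes the ActiveDirectory module (RSAT) is installed; OU and domain are placeholders.
Import-Module ActiveDirectory

$OuDn      = "OU=Service Accounts,DC=example,DC=com"   # placeholder: OU chosen in the steps above
$Domain    = "example.com"                              # placeholder: your AD domain
$LogonName = "OpalServiceAccount"
$GroupName = "Domain Admins"   # use "AWS Delegated Administrators" for AWS Managed AD

# Prompt for the password so it never lands in shell history or a script file.
$Password = Read-Host -Prompt "Password for $LogonName" -AsSecureString

# Mirrors the New > User wizard: no password change at next logon, password never expires.
New-ADUser `
    -Name "Opal Service Account" `
    -GivenName "Opal" `
    -Surname "Service Account" `
    -SamAccountName $LogonName `
    -UserPrincipalName "$LogonName@$Domain" `
    -Path $OuDn `
    -AccountPassword $Password `
    -ChangePasswordAtLogon $false `
    -PasswordNeverExpires $true `
    -Enabled $true

# Group membership from the last step (Domain Admins, or the AWS Managed AD equivalent).
Add-ADGroupMember -Identity $GroupName -Members $LogonName

# Verify the result before filling in the Opal form: the account must be enabled,
# must not require a password change, and must be a member of the chosen group.
$Account  = Get-ADUser -Identity $LogonName -Properties PasswordNeverExpires, MemberOf
$IsMember = ($Account.MemberOf | ForEach-Object { (Get-ADGroup $_).Name }) -contains $GroupName
if (-not $Account.Enabled -or -not $Account.PasswordNeverExpires -or -not $IsMember) {
    throw "Service account $LogonName is not configured as expected"
}
"$($Account.DistinguishedName) is ready; use its credentials as the Root username and Root password in Opal."
```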
Step 2 - Fill out Opal form
Back in the Create App form, fill in details about your Active Directory server and service account:
- Server hostname and Server port: enter the hostname and port of your Domain Controller.
- Please ensure your AD hostname is reachable from the instance that is hosting the Opal app.
- Base distinguished name: enter the Distinguished Name (DN) of the OU that Opal should begin directory searches from.
- Root username and Root password: enter the credentials of the AD service account that you created above.
If this step is successful, you have completed setting up the Active Directory server connection.