This guide outlines how to automate pulling user information from Active Directory. The script exports the users to a CSV and stores it on an sFTP server that either Zilla or you can host, and Zilla pulls the information from there. For more general information on this process, please see this documentation.

Prerequisites:

  1. Ensure that PowerShell is installed and up to date on your server (it almost certainly is). For more info, please refer to this documentation.

Configuring the script for use

  1. Copy the files (ADscript.ps1 and config.yaml) to a directory, then cd into that directory.

    1. Keep a copy of the original config.yaml for reference; it is provided as an example configuration.

  2. Open config.yaml in a text editor.

  3. Identify the distinguished name (DN) of the domain, and decide whether you will pull the entire domain into the directory or only certain Organizational Units (OUs). This is defined under the DNS section of config.yaml.

  4. If you are pulling individual OUs, config.yaml needs one line with the DN of each OU, for example:

    Code Block
    - OU=Sales,DC=zillasecurity,DC=com
    - OU=IT,DC=zillasecurity,DC=com
  5. Alternatively, include a single line specifying the DN of the domain, for example:

    Code Block
    - DC=zillasecurity,DC=com

  6. Ensure that you have admin access to the Windows server hosting your domain controller, along with admin access to Zilla.

  7. We require a service account in Active Directory with domain user access; it will be used to export user data from AD.

  8. We require an SSH public/private RSA key pair. To create it:

    1. Run the following command. Do not add a passphrase to the key; passphrases are not supported at this time. Because the private key is therefore stored unencrypted, restrict read access to the key file to the account that runs the script. The -m PEM option writes the key in the PEM (RSA) format the script requires:

      Code Block
      ssh-keygen -b 2048 -t rsa -m PEM -f '/home/...'
    2. This generates a public/private key pair at the file path you defined; the last path component is the name of the key pair. If you did not define a path, the keys are stored in /home/user_name/.ssh/ with the names id_rsa (private key) and id_rsa.pub (public key).

    3. If you are using Zilla’s sFTP server, provide the public key to your Zilla Technical Contact. You can also email support@zillasecurity.com to open a ticket and request an sFTP server; include the public key file in the request.

    4. Take note of the file path of the private key for later configuration.

  9. You will need to request that Zilla create an sFTP server for you (recommended) or host your own sFTP server. Ask your Zilla Technical Resource (Sales Engineer or Customer Success Engineer) or submit a request by emailing support@zillasecurity.com. You must provide us with the public key file for us to create this server.

Configuring Active Directory

Creating a Service Account

We require you to create a domain user account that will be used to run the AD script that pulls users. This account also requires read/write access to the directory where the Active Directory script is stored.

For more information on how to create users in Active Directory, please see the video below:

...

Info

Ensure that you take note of the username/password of the service account, as this will be needed for the next step of the process.

Configuring the AD Script

  1. Download the script ADscript.ps1 onto your domain controller.

  2. Open the file in an editor such as Visual Studio Code and define which domains or Organizational Units Zilla will pull accounts from by editing the variable below:

    1. $DNs = @("DC=yourdomain,DC=com") - this variable defines the distinguished names (DNs) Zilla pulls accounts from. For example, if your domain is zillasecurity.com, the line is $DNs = @("DC=zillasecurity,DC=com"). To include multiple domains or OUs, add each DN as a comma-separated string inside the same array. For example, with the two domains zillasecurity.com and zsec.io, the parameter is $DNs = @("DC=zsec,DC=io", "DC=zillasecurity,DC=com"). To scope the export to a single OU, use that OU’s full DN, for example "OU=Sales,DC=zillasecurity,DC=com".

  3. On initial use, run with $isSftpEnabled = $false. This simplifies the first tests by avoiding the sFTP server while you confirm that the necessary data is collected from AD. A file, directory.csv, is created in the current directory.
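As an added example (not the page’s ADscript.ps1 and not Zilla’s code), the following PowerShell script shows what the configuration above drives: it queries each DN in $DNs with Get-ADUser, writes directory.csv with Export-Csv, and, only when $isSftpEnabled is $true, checks the key format and uploads the file with Posh-SSH. The parameter names are the ones documented on this page; the exported attribute list, the $sftpHostKeyFingerprint and $sftpRemoteDir variables, and the Posh-SSH 3.x cmdlet signatures are assumptions.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not the page's ADscript.ps1. Parameter names follow the page;
# the attribute list, $sftpHostKeyFingerprint, $sftpRemoteDir and the Posh-SSH
# 3.x cmdlet signatures are assumptions.

$path                   = if ($PSScriptRoot) { $PSScriptRoot } else { (Get-Location).Path }
$DNs                    = @("DC=zillasecurity,DC=com")   # one DN per domain or OU to export
$Csvfile                = "$path\directory.csv"
$isSftpEnabled          = $false                        # leave $false for the first test run
$sftpHost               = "sftp.zillasecurity.com"
$sftpUsername           = "<your domain.com>"
$sftpPrivateKeyPath     = "<location of your private key>"
$sftpHostKeyFingerprint = "<host key fingerprint>"      # assumed: obtained out of band from the sFTP operator
$sftpRemoteDir          = "."                           # assumed: the sFTP account's home directory

# Attributes written to the CSV (assumed set; the real script's columns may differ).
$properties = 'SamAccountName', 'UserPrincipalName', 'GivenName', 'Surname',
              'Mail', 'Enabled', 'LastLogonDate', 'DistinguishedName'

# 1. Pull users from every configured DN. -SearchBase scopes the query to that
#    domain or OU; -Filter * returns all user objects, disabled ones included,
#    so Zilla also sees accounts that should be cleaned up.
$users = foreach ($dn in $DNs) {
    Get-ADUser -Filter * -SearchBase $dn -Properties $properties
}

# 2. Write only the selected columns. Export-Csv quotes every field, so values
#    containing commas or quotes cannot break the CSV structure.
$users |
    Select-Object -Property $properties |
    Export-Csv -Path $Csvfile -NoTypeInformation -Encoding UTF8
Write-Host ("Exported {0} accounts to {1}" -f @($users).Count, $Csvfile)

if (-not $isSftpEnabled) { return }

# 3. Fail fast on the wrong key format: Posh-SSH expects a PEM RSA key, whose
#    first line is the RSA header, rather than an OpenSSH-format key.
$firstLine = Get-Content -Path $sftpPrivateKeyPath -TotalCount 1
if ($firstLine -ne '-----BEGIN RSA PRIVATE KEY-----') {
    throw "$sftpPrivateKeyPath is not a PEM RSA key; convert it with: ssh-keygen -p -m PEM -f <key>"
}

Import-Module Posh-SSH

# 4. Pin the server's host key instead of passing -AcceptKey, so a host
#    impersonating $sftpHost cannot receive the export.
$trusted = Get-SSHTrustedHost | Where-Object { $_.HostName -eq $sftpHost }
if (-not $trusted) {
    New-SSHTrustedHost -HostName $sftpHost -FingerPrint $sftpHostKeyFingerprint | Out-Null
}

# 5. Key-based authentication: the credential's password is unused, so an
#    empty SecureString is enough; the username is the sFTP account name.
$emptyPassword = New-Object System.Security.SecureString
$cred = New-Object System.Management.Automation.PSCredential($sftpUsername, $emptyPassword)
$session = New-SFTPSession -ComputerName $sftpHost -Credential $cred -KeyFile $sftpPrivateKeyPath
try {
    # -Force overwrites the previous run's directory.csv.
    Set-SFTPItem -SessionId $session.SessionId -Path $Csvfile -Destination $sftpRemoteDir -Force
    Write-Host "Uploaded $Csvfile to $sftpHost as $sftpUsername"
} finally {
    Remove-SFTPSession -SessionId $session.SessionId | Out-Null
}
```

Run it first with $isSftpEnabled left at $false and inspect directory.csv; once the columns look right, fill in the SFTP values, set the flag to $true and run it again. The host-key pinning step is the one thing the page’s own flow does not call out: without it, a Posh-SSH session that blindly accepts whatever key the server presents would happily upload your entire user directory to an impostor.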

Complete the steps below if you are ready to connect the script to SFTP; otherwise continue to “Steps to run the Script”.

  1. Navigate to the Zilla web UI to create the directory application.

    1. From Applications, select Add Application, followed by Custom Application.

    2. Name the directory application and complete any other desired values.

    3. Once created, navigate to Settings > User Directory, then click Add Application.

    4. Select the Custom Application you just created.

    5. Finally, navigate to Applications, search for and select the Custom Application you created and set as a directory. The Application ID is required for the SFTP configuration; it is found in the URL. Copy the value and replace <application-id> in config.yaml.

  2. (SFTP only) If you are using the Zilla SFTP server, an SSH key pair is required. It must be an RSA key in PEM format. If you already created one in the prerequisites, reuse it; otherwise generate it with the following command (-m PEM writes the PEM format the script expects, so no later conversion is needed):

    Code Block
    ssh-keygen -b 2048 -t rsa -m PEM

    This runs you through a few prompts to generate a private and public key pair. Leave the passphrase empty (passphrases are not supported) and place the private key in a directory readable only by the account that runs the script. The public key needs to be shared with Zilla support to configure SFTP authentication.

  3. Update config.yaml to specify the path of the ssh private key, SFTP username, and the SFTP server hostname.

Steps to run the Script

  1. Open PowerShell as Administrator on Windows, or on Mac and Linux open a terminal and start PowerShell with the command pwsh.

  2. (SFTP only) Enter the command below to install the Posh-SSH PowerShell module used for SFTP.

Code Block
Install-Module -Name Posh-SSH
  3. (SFTP only) When prompted, press Y to install the Posh-SSH module.

  4. Enter the command below to install the PowerShell module that reads YAML.

Code Block
Install-Module powershell-yaml
  5. When prompted, press Y to install the powershell-yaml module.

  6. Add your config values to config.yaml.

  7. Run the script with the command below. On Windows, if the execution policy blocks the script, run powershell.exe -ExecutionPolicy Bypass -File ./ADscript.ps1 instead, which bypasses the policy for that one invocation only.

Code Block
./ADscript.ps1

Note:

The private key for SFTP authentication must be in PEM (RSA) format, not OpenSSH format. Convert an existing key in place with the command below (-p rewrites the key file in the format given by -m; the empty -P and -N values keep it passphrase-less):

Code Block
ssh-keygen -p -m PEM -P '' -N '' -f /path/to/key

Steps 1 to 6 are one-time setup. Afterwards you only need to cd into that directory and run step 7.

...


  1. Several parameters control pushing the generated export to an sFTP server:

    1. $isSftpEnabled = $false - determines whether the CSV is sent to an sFTP server. It is off by default; set it to $true to automate the Active Directory import.

    2. $sftpHost = "sftp.zillasecurity.com" - the hostname of the sFTP server the CSV is sent to. If you are using an sFTP server hosted by Zilla, leave the default value (sftp.zillasecurity.com). If you host your own sFTP server, change it to your server’s hostname.

    3. $sftpUsername = "<your domain.com>" - the username of the service account on your sFTP server. If you are using Zilla’s server, the value is the domain affiliated with your tenant. You can view this inside Zilla by logging in as an admin, opening Settings from the left-hand panel, and looking at the first domain listed under your internal domains.

    4. $applicationId = "<application-id>" - the application ID, found by navigating to your Active Directory application inside Zilla and copying the string that appears in the URL.

    5. $sftpPrivateKeyPath = "<location of your private key>" - the full file path and file name of your SSH private key. For example, if you stored the private key private-key.pem in /Users/mpalella/Desktop, the value is /Users/mpalella/Desktop/private-key.pem. This key has no passphrase, so file permissions are the only thing protecting it; make sure only the account that runs the script can read it.

    6. $Csvfile = "$path\directory.csv" - changes the name of the generated CSV file. You can leave this as is.

  2. Once the script is configured, use Task Scheduler to run it automatically as the service account you created in the Creating a Service Account step. This guide goes through how to accomplish this.
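As an added example (not part of the page or the linked Task Scheduler guide), the PowerShell below registers a daily scheduled task that runs ADscript.ps1 as the service account, and at the same time locks the passphrase-less private key down so only that account and SYSTEM can read it. The directory, file names, account name and schedule are assumptions; run it once from an elevated PowerShell on the domain controller.

```powershell
# Added example, not the page's own instructions. Registers a daily scheduled task
# that runs ADscript.ps1 as the AD service account and locks the passphrase-less
# SFTP private key down to that account. Paths, account name and schedule are
# assumptions. Run once from an elevated PowerShell on the domain controller.

$scriptDir      = 'C:\ZillaAD'
$scriptPath     = Join-Path $scriptDir 'ADscript.ps1'
$privateKeyPath = Join-Path $scriptDir 'zilla-sftp.pem'
$serviceAccount = 'ZILLASECURITY\svc-zilla-ad'   # the domain user from "Creating a Service Account"
$taskName       = 'Zilla AD Export'

# Ask for the service account password once; Task Scheduler stores it in the
# credential store, so it never lives in a script or config file.
$secure = Read-Host -AsSecureString -Prompt "Password for $serviceAccount"
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password

# 1. File permissions. The script directory needs read/write (Modify) for the
#    service account; the private key gets read access for that account and
#    SYSTEM only, with inheritance removed so nobody else inherits a read ACE.
icacls $scriptDir      /grant "${serviceAccount}:(OI)(CI)M" | Out-Null
icacls $privateKeyPath /inheritance:r /grant:r "${serviceAccount}:R" "SYSTEM:R" | Out-Null

# 2. Action: run the script with the execution policy bypassed for this
#    invocation only, from the script directory so relative paths resolve.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$scriptPath`"" `
    -WorkingDirectory $scriptDir

# 3. Trigger: once a day is enough for a full directory snapshot.
$trigger  = New-ScheduledTaskTrigger -Daily -At '02:00'

# 4. Don't let a hung SFTP session keep the task alive forever.
$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 1) -StartWhenAvailable

# 5. Least privilege: run as the service account, with its stored password so
#    the task runs whether or not anyone is logged on, and without elevation.
Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger -Settings $settings `
    -User $serviceAccount -Password $plain -RunLevel Limited -Force | Out-Null
Remove-Variable plain

# 6. Verify the principal and the key ACL before walking away.
(Get-ScheduledTask -TaskName $taskName).Principal | Select-Object UserId, RunLevel, LogonType
icacls $privateKeyPath
```

The final two lines are the check worth keeping: the task must show the service account as UserId with RunLevel Limited, and the icacls output for the key should list only the service account and SYSTEM. If the domain controller’s security policy denies the service account the “Log on as a batch job” right, Register-ScheduledTask will fail and that right needs to be granted first.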

Zilla Configuration

  1. Add an On-Prem AD application inside Zilla. To do this, log in to Zilla as an admin, select Add Application, then search for On-Prem AD and add it as an app.

...

  1. Manually generate a CSV export using the script from Configuring the AD Script.

  2. Select Sync Now and import the CSV once into Zilla. The columns are already auto-mapped, so you only need to select Import once the file is uploaded.

  1. Once you have successfully imported the CSV, select the gear icon inside the application:

...

  1. Enable the Accounts & Permissions CSV File Upload section, then toggle on Use sFTP to automate CSV import.

...

  1. Fill out the attributes in the form.

    1. If you are using Zilla’s sFTP server, the values are the following:

      1. Host: sftp.zillasecurity.com

      2. Port: 22

      3. Username: your Zilla tenant’s domain. You can find this inside the global settings of your Zilla tenant; it is the first domain listed under Your Domains. In the screenshot below, my sFTP username would be mp.access-ventures.com

      4. File Path: the name of the CSV file you are generating, for example directory.csv

      5. Password: the private key you generated. See step 5 in the requirements section for more information.

    2. If you are using your own sFTP server, you will need to set up SSH key-based authentication (see this guide for more info on how to do this) and add the public key you generated to the authorized_keys file of the account Zilla will use. You will also need to create a service account on that server for Zilla. Once this is done, the values in Zilla are:

      1. Host: the hostname of your sFTP server

      2. Port: 22

      3. Username: the username of the service account you created.

      4. File Path: the path to where the CSV file is stored on the server. For example, if you stored the file directory.csv in /sftp/zilla on your sFTP server, the value here is sftp/zilla/directory.csv

      5. Password: the private key you generated. See step 5 in the requirements section for more information.

Info

Do not include the BEGIN and END PRIVATE KEY header and footer lines (for example -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY-----) in the password. It should only be the raw base64 string between them.

...

  1. Select Sync Now to kick off the automated syncs.

Help:

Having trouble? Please refer to this documentation.