Skip to main content
Oleria provides identity security and access management teams with visibility and intelligence into who has access to what, where they got that access, how they use it, and whether they should even have it. As part of that promise, we deeply integrate your Ping Directory into the Oleria platform. Follow these steps to integrate Ping Directory with your Oleria workspace

Pre-requisites:

  1. Administrator permissions on the Oleria workspace.
  2. Administrator permissions on the machine where PingDirectory will be installed.
  3. Administrative access within PingDirectory to create a user.
  4. If PingDirectory is hosted on one machine and the agent is deployed on another, it is essential to ensure that both VMs can communicate with each other without any firewall restrictions blocking the connection.

Step 1: Create a Service Account in Ping Directory

This process involves creating an LDIF file to define the new service account and its permissions, then using the ldapmodify command to apply these changes to the directory.

1.1: Create the LDIF File

An LDIF (LDAP Data Interchange Format) file is a plain text file that contains a series of instructions for adding, deleting, or modifying entries in an LDAP directory. The file you’ll create, create_readonly_user.ldif, will perform these specific functions:
  • Create the Service Account: A new user entry will be created with the UID (User ID) readonlyoleriauser and the common name Read Only User. The inetOrgPerson object class is used, which is a standard object class for representing people in an LDAP directory.
  • Assign Read-Only Access: The most critical part of this file is the ACI (Access Control Instruction). This instruction grants the readonlyoleriauser account read and search permissions on all attributes within the entire directory subtree. This is what makes the account “read-only.”
The content of the create_readonly_user.ldif file is as follows. Remember to replace <replace-with-your-base-dn> with your directory’s base distinguished name (e.g., dc=example,dc=com) and Oleria@5 with a secure password. 
# 1. Create the Service Account "readonlyoleriauser"
dn: uid=readonlyoleriauser,<replace-with-your-base-dn>
changetype: add
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
uid: readonlyoleriauser
cn: Read Only User
sn: User
userPassword: Oleria@5

# 2. Assign Read-Only Access Control Instruction (ACI)
dn: <replace-with-your-base-dn>
changetype: modify
add: aci
aci: (target="ldap:///<replace-with-your-base-dn>")(targetattr="* || +")(targetscope="subtree")(version 3.0; acl "Read access for readonlyoleriauser"; allow (read,search) userdn="ldap:///uid=readonlyoleriauser,<replace-with-your-base-dn>";)

1.2: Execute the LDAP Modify Command

After creating the LDIF file, you need to use the ldapmodify command-line tool to apply the changes to your Ping Directory instance. This tool connects to the directory using an administrative account and executes the modifications defined in your LDIF file. To execute this, open a command prompt, navigate to the bat directory inside your Ping Directory installation, and run the following command as a single line: 
ldapmodify -h <hostname> -p 636 --useSSL --trustAll -D "cn=Directory Manager" -w <password> -f <file-path>
  • <hostname>: The hostname or IP address of your Ping Directory server.
  • “cn=Directory Manager”: The DN (Distinguished Name) of the administrative user with the necessary permissions. The default administrative user is cn=Directory Manager.
  • <password>: The password for the administrative user.
  • create_readonly_user.ldif: The path to the LDIF file you just created.

Step 2: Configure Syslog-Based Forwarder

This step uses the dsconfig command-line utility to configure a syslog-based log forwarder in Ping Directory. This is crucial for forwarding directory logs to a centralized log management system, like Fluentd, for monitoring and analysis. The provided command enables a publisher named “Fluentd Syslog Access Logger” and configures it to log a wide range of operational events, including search entries, security negotiations, and client IP addresses. To execute this, open a command prompt, navigate to the Ping Directory installation’s bat directory, and run the following command as a single line: Please replace <IP-ADDRESS-OF-AGENT-MACHINE> with the IP address of the machine where the agent is running. 
dsconfig create-log-publisher --publisher-name "Fluentd Syslog Access Logger Remote" --type syslog-based-access --hostname localhost --port 389 --bindDN "cn=Directory Manager" --no-prompt --set enabled:true --set asynchronous:true --set auto-flush:true --set correlate-requests-and-results:true --set generify-message-strings-when-possible:true --set include-add-attribute-names:true --set include-connection-details-in-request-messages:true --set include-extended-search-request-details:true --set include-instance-name:true --set include-modify-attribute-names:true --set include-product-name:true --set include-replication-change-id:true --set include-request-controls:true --set include-request-details-in-intermediate-response-messages:true --set include-request-details-in-result-messages:true --set include-request-details-in-search-entry-messages:true --set include-request-details-in-search-reference-messages:true --set include-requester-dn:true --set include-requester-ip-address:true --set include-response-controls:true --set include-result-code-names:true --set include-search-entry-attribute-names:true --set include-startup-id:true --set include-thread-id:true --set log-assurance-completed:true --set log-client-certificates:true --set log-connects:true --set log-disconnects:true --set log-intermediate-responses:true --set log-requests:true --set log-results:true --set log-search-entries:true --set log-search-references:true --set log-security-negotiation:true --set suppress-internal-operations:true --set suppress-replication-operations:false --set server-host-name:<IP-ADDRESS-OF-AGENT-MACHINE> --set server-port:514 --set syslog-facility:1

Step 3: Integrate Ping Directory with your Oleria workspace

Log in to your Oleria workspace and select Workspace > Integrations → Ping Directory Provide a name for your agent and click continue. You will see a PowerShell Script with a copy option. You need to execute this script on a server where you want to install the Oleria PD Agent.

Step 4:Install Oleria PD Agent

Log in to the machine, open PowerShell with administrator privileges, and run the script downloaded from step 2.

4.1 You will see the Fluentd installation process

Accept the license terms and select Next Follow any subsequent prompts to complete the installation. Before proceeding with the agent installation, we need to update the Fluentd configuration file using the script below. This ensures that environment variables are set correctly and logs are sent to the desired location. 
####
## Fluentd Configuration File
####
<system>
  log_level debug
  <log>
    rotate_age 30
  </log>
</system>

#### SOURCES ####
<source>
  @type syslog
  port 514
  bind 0.0.0.0
  protocol_type udp
  tag ping.directory.access
</source>

#### OUTPUTS ####
<match ping.directory.access.**>
  @type file
  path "#{ENV['FLUENT_FILE_PATH']}/${tag}.logs_%Y%m%d%H%M%S.json"
  append true
  store_as json
  format json
  include_time_key true
  time_key time
  <buffer tag,time>
    @type file
    path "#{ENV['FLUENT_BUFFER_PATH']}"
    timekey "#{ENV['FLUENT_TIMEKEY']}"
    timekey_wait "#{ENV['FLUENT_TIMEKEY_WAIT']}"
    chunk_limit_size "#{ENV['FLUENT_CHUNK_LIMIT']}"
    timekey_use_utc "#{ENV['FLUENT_USE_UTC']}"
    flush_interval "#{ENV['FLUENT_FLUSH_INTERVAL']}"
    flush_at_shutdown "#{ENV['FLUENT_FLUSH_AT_SHUTDOWN']}"
  </buffer>
</match>

4.2 Oleria PD Agent installation process

Accept the license terms and select Next On the next page, provide the following.
  • Username: Provide the Service Account name created in step 1
  • Password: Provide the Service Account password
  • DomainName:: Provide your domain name. Example if your domain name is example.local, provide dc=example,dc=local
  • DomainUrl: Provide your domain controller ip address
Select Next, and follow the prompts to complete the installation.
  • Fluentd Path: Enter the path where you installed Fluentd in Step 4.1.
  • Activity Enabled Checkbox: Enable this checkbox only if Fluentd is installed and its path has been correctly provided.
Click Next and follow the remaining prompts to finalize the installation. Once the installation is completed, you will see an **OleriaPDConnectAgent service **in the services.

Step 5: Verify the Ping Directory status from the connected applications

Log in to your workspace → connected integrations → Ping Directory → select View Details to open the  side pane to view the agent health status.

Contact us

For questions about this integration, please contact us at support@oleria.com.