Attribute mapping
When you configure a server sync job, you need to map several Active Directory (AD) attributes to the required Advanced Server Access server properties. This allows Advanced Server Access to correctly identify and resolve servers within the domain.
Default attributes
By default, Advanced Server Access populates the required Active Directory attributes, but you may need to edit these attributes to match your specific configuration.
Default AD Attribute | Advanced Server Access Property | Description |
---|---|---|
dNSHostName | Host Name | Specifies the hostname used to identify a discovered server within Advanced Server Access. |
dNSHostName | Access Address | Specifies the IP address or DNS name used by the gateway to connect to a discovered server. Note: If your domain uses an internal DNS server, you must configure the gateway to resolve this name and connect to the discovered server. |
operatingSystem | Operating System | Specifies the server operating system of a discovered server. |
unset | Alternative Names | Optional. Specifies alternative hostnames or DNS entries used to resolve a discovered server. This is sometimes used to remove any cyclical connections in configurations involving bastions. |
unset | Bastion | Optional. Specifies a bastion host that Advanced Server Access clients can use to tunnel traffic to a discovered server. |
Map attributes
You can define granular access policies within projects by mapping more Active Directory attributes to Advanced Server Access labels. Each attribute is included in the LDAP query and the value is mapped to the specified Advanced Server Access label. You can't use this option to identify Security Identifiers (SIDs) or other binary-encoded information.
Label mapping has the following restrictions:
- Teams can add a maximum of 10 labels.
- If an attribute returns multiple values, only one value is mapped to the label.
- Attributes are case-sensitive and must exactly match what is returned by the LDAP query.
To map Active Directory attributes to Advanced Server Access labels, do the following:
- Open the Advanced Server Access dashboard.
- Click Connections and select an existing connection.
- Click Server Sync and select an existing job.
- Go to the Active Directory Attribute section and configure it. This is the attribute that's from the Active Directory server, which must map to the Advanced Server Access label.
- Optional. Select Is GUID?. The Is GUID? option identifies an Active Directory attribute as a Globally Unique Identifier (GUID). Due to how Active Directory encodes GUIDs in responses to LDAP queries, this option ensures that Advanced Server Access can decode and correctly map the Active Directory attribute to an Advanced Server Access label.
- Click Save & Continue.
- Optional. Follow the steps for Test a server sync job.
-
Create a group for the users that should have access to servers. Users in this group can only connect to servers with the same label. See Create a group.
-
Add a server selector to a project group.
- Go to the Groups tab.
- Click the gear icon and select Edit.
- Under Server Access, select Specific Servers.
- Select the label. The label has the following format: ad.defined ASA Label name.
- Click Update Group to save the selector.