Skip to content

LDAP / LDAP-S

This topic covers how you can configure the Privacera Platform to attach and import users and groups defined in an external Active Directory (AD), LDAP, or LDAPS (LDAP over SSL)) directory as data access users and groups.

Prerequisites

Before starting these steps, prepare the following. You need to configure various Privacera properties with these values, as detailed in Configuration.

Determine the following LDAP values:

  • The FQDN and protocol (http or https) of your LDAP server
  • DN
  • Complete Bind DN
  • Bind DN password
  • Top-level search base
  • User search base

To configure an SSL-enabled LDAP-S server, Privacera requires an SSL certificate. You have these alternatives:

  • Set the Privacera property USERSYNC_SYNC_LDAP_SSL_ENABLED: "true".
  • Allow Privacera Manager to download and create the certificate based on the LDAP-S server URL. Set the Privacera property USERSYNC_SYNC_LDAP_SSL_PM_GEN_TS: "true".
  • Manually configure a truststore on the Privacera server that contains the certificate of the LDAP-S server. Set the Privacera property USERSYNC_SYNC_LDAP_SSL_PM_GEN_TS: "false".

Configuration

  1. SSH to instance as ${USER}.

  2. Run the following commands. See Access Manager LDAP-related properties and descriptions.

    USERSYNC_SYNC_LDAP_URL: "<PLEASE_CHANGE>"
USERSYNC_SYNC_LDAP_BIND_DN: "<PLEASE_CHANGE>"
USERSYNC_SYNC_LDAP_BIND_PASSWORD: "<PLEASE_CHANGE>"
USERSYNC_SYNC_LDAP_SEARCH_BASE: "<PLEASE_CHANGE>"
USERSYNC_SYNC_LDAP_USER_SEARCH_BASE: "<PLEASE_CHANGE>"
USERSYNC_SYNC_LDAP_SSL_ENABLED: "true"
USERSYNC_SYNC_LDAP_SSL_PM_GEN_TS: "true"

  3. Run Privacera Manager update.

    cd ~/privacera/privacera-manager
./privacera-manager.sh update

Configuration Properties

Property Description Example
USERSYNC_SYNC_LDAP_URL  

 "ldap://dir.ldap.us:389" (when NonSSL)

or

"ldaps://dir.ldap.us:636" (when SSL)
USERSYNC_SYNC_LDAP_BIND_DN   CN=Bind User,OU=example,DC=ad,DC=example,DC=com
USERSYNC_SYNC_LDAP_BIND_PASSWORD    
USERSYNC_SYNC_LDAP_SEARCH_BASE   OU=example,DC=ad,DC=example,DC=com
USERSYNC_SYNC_LDAP_USER_SEARCH_BASE  
USERSYNC_SYNC_LDAP_SSL_ENABLED Set this to true if SSL is enabled on the LDAP server. true
USERSYNC_SYNC_LDAP_SSL_PM_GEN_TS

Set this to true if you want Privacera Manager to generate the truststore certificate.

Set this to false if you want to manually provide the truststore certificate. To learn how to upload SSL certificates, [click here](../pm-ig/upload_custom_cert.md).

 true