LDAP / LDAP-S
This topic covers how you can configure the Privacera Platform to attach and import users and groups defined in an external Active Directory (AD), LDAP, or LDAPS (LDAP over SSL) directory as data access users and groups.
Prerequisites
Before starting these steps, prepare the following. You need to configure various Privacera properties with these values, as detailed in Configuration.
Determine the following LDAP values:
- The FQDN and protocol (http or https) of your LDAP server
- DN
- Complete Bind DN
- Bind DN password
- Top-level search base
- User search base
To configure an SSL-enabled LDAP-S server, Privacera requires an SSL certificate. You have these alternatives:
- Set the Privacera property `USERSYNC_SYNC_LDAP_SSL_ENABLED: "true"`.
- Allow Privacera Manager to download and create the certificate based on the LDAP-S server URL. Set the Privacera property `USERSYNC_SYNC_LDAP_SSL_PM_GEN_TS: "true"`.
- Manually configure a truststore on the Privacera server that contains the certificate of the LDAP-S server. Set the Privacera property `USERSYNC_SYNC_LDAP_SSL_PM_GEN_TS: "false"`.
Configuration
- SSH to the instance as ${USER}.
- Set the following properties. See Access Manager LDAP-related properties and descriptions.

  ```yaml
  USERSYNC_SYNC_LDAP_URL: "<PLEASE_CHANGE>"
  USERSYNC_SYNC_LDAP_BIND_DN: "<PLEASE_CHANGE>"
  USERSYNC_SYNC_LDAP_BIND_PASSWORD: "<PLEASE_CHANGE>"
  USERSYNC_SYNC_LDAP_SEARCH_BASE: "<PLEASE_CHANGE>"
  USERSYNC_SYNC_LDAP_USER_SEARCH_BASE: "<PLEASE_CHANGE>"
  USERSYNC_SYNC_LDAP_SSL_ENABLED: "true"
  USERSYNC_SYNC_LDAP_SSL_PM_GEN_TS: "true"
  ```
- Run the Privacera Manager update:

  ```bash
  cd ~/privacera/privacera-manager
  ./privacera-manager.sh update
  ```
Configuration Properties
Property | Description | Example |
---|---|---|
USERSYNC_SYNC_LDAP_URL | URL of the LDAP server, including protocol and port. | "ldap://dir.ldap.us:389" (when non-SSL) or "ldaps://dir.ldap.us:636" (when SSL) |
USERSYNC_SYNC_LDAP_BIND_DN | Complete Bind DN used to connect to the directory. | CN=Bind User,OU=example,DC=ad,DC=example,DC=com |
USERSYNC_SYNC_LDAP_BIND_PASSWORD | Password of the Bind DN. | |
USERSYNC_SYNC_LDAP_SEARCH_BASE | Top-level search base. | OU=example,DC=ad,DC=example,DC=com |
USERSYNC_SYNC_LDAP_USER_SEARCH_BASE | User search base. | |
USERSYNC_SYNC_LDAP_SSL_ENABLED | Set this to true if SSL is enabled on the LDAP server. | true |
USERSYNC_SYNC_LDAP_SSL_PM_GEN_TS | Set this to true if you want Privacera Manager to generate the truststore certificate. Set this to false if you want to manually provide the truststore certificate. To learn how to upload SSL certificates, [click here](../pm-ig/upload_custom_cert.md). | true |
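As an added pre-flight check (example code, not part of Privacera's documentation or tooling), the following Python validates a set of the USERSYNC_SYNC_LDAP_* properties above before the Privacera Manager update is run: placeholders left in place, a URL scheme that disagrees with USERSYNC_SYNC_LDAP_SSL_ENABLED (which either breaks the connection or sends the bind password in clear text), unusual ports, and a user search base that is not under the top-level search base. The sample property values are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

PLACEHOLDER = "<PLEASE_CHANGE>"
REQUIRED = ("USERSYNC_SYNC_LDAP_URL", "USERSYNC_SYNC_LDAP_BIND_DN",
            "USERSYNC_SYNC_LDAP_BIND_PASSWORD", "USERSYNC_SYNC_LDAP_SEARCH_BASE",
            "USERSYNC_SYNC_LDAP_USER_SEARCH_BASE")


def parse_dn(dn):
    """Split a DN into normalised RDNs, most specific first (escaped '\\,' is kept)."""
    return [p.strip().lower() for p in re.split(r"(?<!\\),", dn) if p.strip()]


def check_ldap_properties(props):
    """Return ERROR/WARN findings for USERSYNC_SYNC_LDAP_* properties; empty list means OK."""
    findings = []
    for key in REQUIRED:
        if props.get(key, "") in ("", PLACEHOLDER):
            findings.append(f"ERROR: {key} is empty or still {PLACEHOLDER}")
    url = urlsplit(props.get("USERSYNC_SYNC_LDAP_URL", ""))
    ssl_enabled = props.get("USERSYNC_SYNC_LDAP_SSL_ENABLED", "false").lower() == "true"
    if url.scheme not in ("ldap", "ldaps") or not url.hostname:
        findings.append("ERROR: USERSYNC_SYNC_LDAP_URL must be ldap://host:port or ldaps://host:port")
    else:
        # ldaps:// must go with SSL_ENABLED=true and ldap:// with false; anything else is a misconfiguration.
        if (url.scheme == "ldaps") != ssl_enabled:
            findings.append("ERROR: URL scheme and USERSYNC_SYNC_LDAP_SSL_ENABLED disagree")
        expected_port = 636 if url.scheme == "ldaps" else 389
        if url.port not in (None, expected_port):
            findings.append(f"WARN: {url.scheme}:// normally uses port {expected_port}, URL uses {url.port}")
        if url.scheme == "ldap":
            findings.append("WARN: bind DN and password are sent in clear text over ldap://")
    gen_ts = props.get("USERSYNC_SYNC_LDAP_SSL_PM_GEN_TS", "").lower()
    if ssl_enabled and gen_ts not in ("true", "false"):
        findings.append('ERROR: USERSYNC_SYNC_LDAP_SSL_PM_GEN_TS must be "true" or "false" when SSL is enabled')
    # The user search base must sit inside the top-level search base (DN suffix match).
    top = parse_dn(props.get("USERSYNC_SYNC_LDAP_SEARCH_BASE", ""))
    user = parse_dn(props.get("USERSYNC_SYNC_LDAP_USER_SEARCH_BASE", ""))
    if top and user and user[-len(top):] != top:
        findings.append("ERROR: USERSYNC_SYNC_LDAP_USER_SEARCH_BASE is not under USERSYNC_SYNC_LDAP_SEARCH_BASE")
    return findings


# Constructed sample values (not from a real deployment).
GOOD_PROPS = {
    "USERSYNC_SYNC_LDAP_URL": "ldaps://dir.ldap.us:636",
    "USERSYNC_SYNC_LDAP_BIND_DN": "CN=Bind User,OU=example,DC=ad,DC=example,DC=com",
    "USERSYNC_SYNC_LDAP_BIND_PASSWORD": "example-secret",
    "USERSYNC_SYNC_LDAP_SEARCH_BASE": "OU=example,DC=ad,DC=example,DC=com",
    "USERSYNC_SYNC_LDAP_USER_SEARCH_BASE": "OU=Users,OU=example,DC=ad,DC=example,DC=com",
    "USERSYNC_SYNC_LDAP_SSL_ENABLED": "true",
    "USERSYNC_SYNC_LDAP_SSL_PM_GEN_TS": "true",
}
BAD_PROPS = dict(GOOD_PROPS, **{
    "USERSYNC_SYNC_LDAP_URL": "ldap://dir.ldap.us:636",      # plain ldap:// but SSL_ENABLED=true
    "USERSYNC_SYNC_LDAP_BIND_PASSWORD": PLACEHOLDER,         # placeholder never replaced
    "USERSYNC_SYNC_LDAP_USER_SEARCH_BASE": "OU=Users,DC=other,DC=com",
})
```

Run `check_ldap_properties` on the dict you intend to put in the Privacera Manager configuration and fix every ERROR before running `./privacera-manager.sh update`.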