
LDAP / LDAP-S for Privacera Portal Access

This procedure configures the Privacera Portal to authenticate user logins against an external LDAP or LDAP over SSL (LDAPS) directory.

Prerequisites

Before starting these steps, collect the values below. They are used to set the Privacera properties described under Configuration Properties.

Determine the following LDAP values:

  • The FQDN and protocol (http or https) of your LDAP server
  • Complete Bind DN
  • Bind DN password
  • Top-level search base
  • User search base
  • Group search base
  • Username attribute
  • DN attribute

To connect to an SSL-enabled LDAP server, Privacera needs the LDAP server's SSL certificate in a truststore. Set the Privacera property PORTAL_LDAP_SSL_ENABLED: "true", then choose one of these alternatives for providing the truststore:

  • Allow Privacera Manager to download the certificate from the LDAP server URL and create the truststore. Set the Privacera property PORTAL_LDAP_SSL_PM_GEN_TS: "true".
  • Manually configure a truststore on the Privacera server that contains the certificate of the LDAP server. Set the Privacera property PORTAL_LDAP_SSL_PM_GEN_TS: "false".

CLI Configuration

  1. SSH to the instance where Privacera is installed.

  2. Run the commands below.

    cd ~/privacera/privacera-manager
    cp config/sample-vars/vars.portal.ldaps.yml config/custom-vars/
    vi config/custom-vars/vars.portal.ldaps.yml
    
  3. Uncomment the properties and edit the values as required. For property details and descriptions, refer to Configuration Properties below.

    PORTAL_LDAP_ENABLE: "true"
    PORTAL_LDAP_URL: "<PLEASE_CHANGE>"
    PORTAL_LDAP_BIND_DN: "<PLEASE_CHANGE>"
    PORTAL_LDAP_BIND_PASSWORD: "<PLEASE_CHANGE>"
    PORTAL_LDAP_SEARCH_BASE: "<PLEASE_CHANGE>"
    PORTAL_LDAP_USER_SEARCH_BASE: "<PLEASE_CHANGE>"
    PORTAL_LDAP_GROUP_SEARCH_BASE: "<PLEASE_CHANGE>"
    PORTAL_LDAP_USERNAME_ATTRIBUTE: "<PLEASE_CHANGE>"
    PORTAL_LDAP_DN_ATTRIBUTE: "<PLEASE_CHANGE>"
    PORTAL_LDAP_BIND_ANONYMOUSLY: "false"
    PORTAL_LDAP_SSL_ENABLED: "true"
    PORTAL_LDAP_SSL_PM_GEN_TS: "true"
    
  4. Run Privacera Manager update.

    cd ~/privacera/privacera-manager
    ./privacera-manager.sh update
    

Configuration Properties

| Property | Description | Example |
|---|---|---|
| PORTAL_LDAP_URL | Add the value as `LDAP_HOST:LDAP_PORT` | xxx.example.com:983 |
| PORTAL_LDAP_BIND_DN | Complete Bind DN | CN=Bind User,OU=example,DC=ad,DC=example,DC=com |
| PORTAL_LDAP_BIND_PASSWORD | Add the password for the LDAP bind DN | |
| PORTAL_LDAP_SEARCH_BASE | Top-level search base | ou=example,dc=ad,dc=example,dc=com |
| PORTAL_LDAP_USER_SEARCH_BASE | User search base | ou=example,dc=ad,dc=example,dc=com |
| PORTAL_LDAP_GROUP_SEARCH_BASE | Group search base | OU=example_services,OU=example,DC=ad,DC=example,DC=com |
| PORTAL_LDAP_USERNAME_ATTRIBUTE | Username attribute | sAMAccountName |
| PORTAL_LDAP_DN_ATTRIBUTE | DN attribute | dc |
| PORTAL_LDAP_SSL_ENABLED | For an SSL-enabled LDAP server, set this value to true. | true |
| PORTAL_LDAP_SSL_PM_GEN_TS | Set this to true if you want Privacera Manager to generate the truststore for your LDAPS server. Set this to false if you want to provide the truststore certificate manually. To learn how to upload SSL certificates, [click here](../pm-ig/upload_custom_cert.md). | true |

Map LDAP roles with the existing Privacera roles

You can map LDAP user roles to Privacera roles using Privacera LDAP Role Mapping, so that Privacera Portal access control applies to users according to their LDAP roles.

  1. Log in to Privacera Portal as padmin or as a user with the Privacera ROLE_SYSADMIN role.

  2. Go to Settings > System Configurations.

  3. Select the Custom Properties checkbox.

  4. Click Add Property and enter the new property auth.ldap.enabled=true.

  5. Click Save.

  6. Go to Settings > LDAP Role Mapping.

  7. Add the appropriate role mappings.

  8. When you log back in as an LDAP user, you will see the new user role. LDAP user login is possible only after the LDAP setup with Privacera Manager is completed.