LDAP
An LDAP connection to the CipherTrust Manager can be configured using either the GUI or ksctl, as described in the following sections:
Note
The LDAP connection available through connection manager is separate and additional to the LDAP connection available through Access Management.
Managing LDAP Connections using GUI
Server URL - URL of the LDAP server.
Bind DN - object that has permission to search on the root DN for users.
Server Bind Password - password for the Bind DN object.
Base DN - starting point an LDAP server uses when searching for users.
Search Filter for listing users - search filter to restrict the set of users who will be allowed to log on to the LDAP server.
User's login name attribute - attribute on a user object that contains the username required to log on with.
Group Base DN - starting point an LDAP server uses when searching for groups.
Search filter for listing groups - search filter to restrict the set of groups that will be allowed to log on to the LDAP server.
Group Name Attribute - attribute on a group object that contains the friendly name of the group.
User's Distinguished Name - attribute on a user object that contains the user's distinguished name. For example: uid, dn.
Group id attribute for group mapping - attribute on a group object that contains the group identifier (name). This value should be unique.
User's group membership attribute - attribute on a group object that contains group membership information, that is, which users are members of the group. For example: member, memberUid. This value can be left empty to disable group membership support for this connection.
Username for test (required for Test) - username required for test connection.
Password for test (required for Test) - password required for test connection.
Click the Test Credentials button to check whether the connection is configured correctly. If the test is successful, the status is OK; otherwise the status is Fail.
Click Next to move to the Add Products screen of the Add Connection wizard.
Note
Currently, the only product supported for LDAP connection is CTE.
Managing LDAP Connections using ksctl
The following operations can be performed:
Create/Get/Update/Delete an LDAP connection
List all LDAP connections
Test an existing LDAP connection
Test the new LDAP connection parameters before establishing the connection
Note
To configure an LDAP connection, the only mandatory parameters are base_dn, name, server_url, and user_login_attribute.
Creating an LDAP Connection
To create an LDAP connection, run:
Syntax
ksctl connectionmgmt ldap create --name <connection-name> --server-url <url> --bind-dn <bind-dn> --bind-password <bind-password> --base-dn <base-dn> --search-filter <user-search-filter> --user-login-attribute <user-login-attribute> --group-base-dn <group-base-dn> --group-search-filter <group-search-filter> --group-name-attribute <group-name-attribute> --group-member-field <group-member-field> --user-dn-attribute <user-dn-attribute> --root-ca '-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----' --user-member-field <user-member-field> --group-dn-attribute <group-dn-attribute>
Currently, the following fields can only be configured through the API and CLI:
user-member-field: attribute on a user object that contains user membership information, that is, the groups the user is a member of. For example: memberOf and gidNumber.
Note: When both user_member_field and group_member_field are provided in the LDAP configuration, by default the user_member_field takes precedence.
group-dn-attribute: attribute on the group object that contains the group's distinguished name. When group-dn-attribute is set, the specified attribute, such as dn or gidNumber, is used to test for group equality.
The other fields are described under Managing LDAP Connections using GUI above.
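A small model of how the two membership settings above resolve a user's groups, added here as an example; it is not part of the CipherTrust Manager documentation or of ksctl. The directory entries are constructed, and the resolve_groups function (its keyword names mirror the connection fields) is an assumed matching model written to show the precedence rule and what happens when group-dn-attribute does not match what the user's membership attribute actually holds.

```python
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]  # one LDAP entry: attribute -> values; "dn" is kept as an attribute

# Constructed sample directory (planetexpress names as on the page; not real data).
USERS: Dict[str, Entry] = {
    "fry": {
        "dn": ["uid=fry,ou=people,dc=planetexpress,dc=com"],
        "uid": ["fry"],
        "memberOf": ["cn=ship_crew,ou=people,dc=planetexpress,dc=com"],
        "gidNumber": ["1001"],
    },
}
GROUPS: List[Entry] = [
    {"dn": ["cn=ship_crew,ou=people,dc=planetexpress,dc=com"], "cn": ["ship_crew"],
     "gidNumber": ["1001"],
     "member": ["uid=fry,ou=people,dc=planetexpress,dc=com",
                "uid=leela,ou=people,dc=planetexpress,dc=com"]},
    {"dn": ["cn=admin_staff,ou=people,dc=planetexpress,dc=com"], "cn": ["admin_staff"],
     "gidNumber": ["1002"], "member": ["uid=hermes,ou=people,dc=planetexpress,dc=com"]},
]

def resolve_groups(user: Entry, groups: List[Entry], *, group_id_attribute: str = "cn",
                   user_dn_attribute: str = "dn", group_member_field: Optional[str] = None,
                   user_member_field: Optional[str] = None,
                   group_dn_attribute: str = "dn") -> List[str]:
    """Return the group ids the user resolves to under the given connection settings.

    Assumed matching model: user_member_field wins when both membership fields are set
    and its values are compared (case-insensitively) with each group's group_dn_attribute;
    group_member_field instead looks for the user's DN inside each group entry.
    """
    if user_member_field:
        wanted = {v.lower() for v in user.get(user_member_field, [])}
        return sorted(g[group_id_attribute][0] for g in groups
                      if any(v.lower() in wanted for v in g.get(group_dn_attribute, [])))
    if group_member_field:
        user_dn = user[user_dn_attribute][0].lower()
        return sorted(g[group_id_attribute][0] for g in groups
                      if user_dn in {v.lower() for v in g.get(group_member_field, [])})
    return []  # neither field set: group membership support is disabled

if __name__ == "__main__":
    fry = USERS["fry"]
    print(resolve_groups(fry, GROUPS, group_member_field="member"))  # ['ship_crew']
    # Both fields set: user_member_field takes precedence, and memberOf holds DNs, so
    # comparing them with gidNumber matches nothing even though "member" would have -> []
    print(resolve_groups(fry, GROUPS, user_member_field="memberOf", group_member_field="member",
                         group_dn_attribute="gidNumber"))
```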
Example Request 1
ksctl connectionmgmt ldap create --name "ldapConn" --server-url "ldap://172.27.0.6:389" --bind-dn "cn=admin,dc=planetexpress,dc=com" --bind-password "GoodNewsEveryone" --base-dn "dc=planetexpress,dc=com" --search-filter "(objectclass=User)" --user-login-attribute "uid" --group-base-dn "ou=people, dc=planetexpress, dc=com" --group-search-filter "(objectclass=Group)" --group-name-attribute "test1" --group-member-field "member"
Example Response 1
{
"id": "200bb517-854a-43c8-af54-7bc12cd35eb0",
"uri": "kylo:kylo:connectionmgmt:connections:ldapconn-200bb517-854a-43c8-af54-7bc12cd35eb0",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2022-07-28T07:48:09.151996264Z",
"updatedAt": "2022-07-28T07:48:09.150581053Z",
"service": "LDAP",
"category": "IdP",
"last_connection_ok": null,
"last_connection_at": "0001-01-01T00:00:00Z",
"name": "ldapConn",
"server_url": "ldap://172.27.0.6:389",
"insecure_skip_verify": false,
"bind_dn": "cn=admin,dc=planetexpress,dc=com",
"base_dn": "dc=planetexpress,dc=com",
"search_filter": "(objectclass=User)",
"user_login_attribute": "uid",
"group_base_dn": "ou=people, dc=planetexpress, dc=com",
"group_filter": "(objectclass=Group)",
"group_name_attribute": "test1",
"group_member_field": "member"
}
Example Request 2
ksctl connectionmgmt ldap create --name "ldapConn" --server-url "ldap://172.27.0.6:389" --bind-dn "cn=admin,dc=planetexpress,dc=com" --bind-password "GoodNewsEveryone" --base-dn "dc=planetexpress,dc=com" --search-filter "(objectclass=User)" --user-login-attribute "uid" --group-base-dn "ou=people, dc=planetexpress, dc=com" --group-search-filter "(objectclass=Group)" --group-name-attribute "test1" --group-member-field "member" --user-member-field "memberOf" --group-dn-attribute "dn"
Example Response 2
{
"id": "64517f9f-555d-4c9e-9387-a689d56bb325",
"uri": "kylo:kylo:connectionmgmt:connections:ldap-connectionnewmemberofdemo-64517f9f-555d-4c9e-9387-a689d56bb325",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2023-07-26T08:27:13.985700185Z",
"updatedAt": "2023-07-26T08:27:13.984524557Z",
"service": "LDAP",
"category": "IdP",
"last_connection_ok": null,
"last_connection_at": "0001-01-01T00:00:00Z",
"name": "LDAP ConnectionNewMemberOfDemo",
"products": [
"cte"
],
"meta": null,
"description": "LDAP Connection",
"server_url": "ldap://18.232.113.67:10389",
"insecure_skip_verify": false,
"bind_dn": "cn=admin,dc=planetexpress,dc=com",
"base_dn": "dc=planetexpress,dc=com",
"search_filter": "(objectclass=inetOrgPerson)",
"user_login_attribute": "uid",
"group_base_dn": "ou=people, dc=planetexpress, dc=com",
"group_filter": "(objectclass=Group)",
"group_id_attribute": "cn",
"user_dn_attribute": "dn",
"group_member_field": "member",
"group_dn_attribute": "dn",
"user_member_field": "memberOf"
}
Getting Details of an LDAP Connection
To get details of an LDAP connection, run:
Syntax
ksctl connectionmgmt ldap get --id <connection-name/Id>
Example Request
ksctl connectionmgmt ldap get --id "ldapConn"
Example Response
{
"id": "045f76ee-3407-445e-84cf-ede8bdddc688",
"uri": "kylo:kylo:connectionmgmt:connections:ldapconn-045f76ee-3407-445e-84cf-ede8bdddc688",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2022-07-28T13:25:04.652637Z",
"updatedAt": "2022-07-28T13:25:17.190261Z",
"service": "LDAP",
"category": "IdP",
"last_connection_ok": null,
"last_connection_at": "0001-01-01T00:00:00Z",
"name": "ldapConn",
"server_url": "ldap://54.27.0.7:389",
"insecure_skip_verify": false,
"bind_dn": "cn=admin,dc=planetexpress,dc=com",
"base_dn": "dc=planetexpress,dc=com",
"search_filter": "(objectclass=User)",
"user_login_attribute": "uid",
"group_base_dn": "ou=people, dc=planetexpress, dc=com",
"group_filter": "(objectclass=Group)",
"group_name_attribute": "test1",
"group_member_field": "member"
}
Updating an LDAP Connection
To update an LDAP connection, run:
Syntax
ksctl connectionmgmt ldap modify --id <connection-name/Id> --server-url <url> --bind-dn <bind-dn> --bind-password <bind-password> --base-dn <base-dn> --search-filter <user-search-filter> --user-login-attribute <user-login-attribute> --group-base-dn <group-base-dn> --group-search-filter <group-search-filter> --group-name-attribute <group-name-attribute> --group-member-field <group-member-field> --root-ca '-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----'
Example Request
ksctl connectionmgmt ldap modify --id "ldapConn" --server-url "ldap://54.27.0.7:389"
Example Response
{
"id": "045f76ee-3407-445e-84cf-ede8bdddc688",
"uri": "kylo:kylo:connectionmgmt:connections:ldapconn-045f76ee-3407-445e-84cf-ede8bdddc688",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2022-07-28T13:25:04.652637Z",
"updatedAt": "2022-07-28T13:25:17.190260884Z",
"service": "LDAP",
"category": "IdP",
"last_connection_ok": null,
"last_connection_at": "0001-01-01T00:00:00Z",
"name": "ldapConn",
"server_url": "ldap://54.27.0.7:389",
"insecure_skip_verify": false,
"bind_dn": "cn=admin,dc=planetexpress,dc=com",
"base_dn": "dc=planetexpress,dc=com",
"search_filter": "(objectclass=User)",
"user_login_attribute": "uid",
"group_base_dn": "ou=people, dc=planetexpress, dc=com",
"group_filter": "(objectclass=Group)",
"group_name_attribute": "test1",
"group_member_field": "member"
}
Deleting an LDAP Connection
To delete an LDAP connection, run:
Syntax
ksctl connectionmgmt ldap delete --id <connection-name/Id>
Example Request
ksctl connectionmgmt ldap delete --id "ldapConn"
There will be no response if the LDAP connection is deleted successfully.
Getting List of LDAP Connections
To list all the LDAP connections, run:
Syntax
ksctl connectionmgmt ldap list
Example Request
ksctl connectionmgmt ldap list
Example Response
{
"skip": 0,
"limit": 10,
"total": 1,
"resources":
[
{
"id": "045f76ee-3407-445e-84cf-ede8bdddc688",
"uri": "kylo:kylo:connectionmgmt:connections:ldapconn-045f76ee-3407-445e-84cf-ede8bdddc688",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2022-07-28T13:25:04.652637Z",
"updatedAt": "2022-07-28T13:25:17.190261Z",
"service": "LDAP",
"category": "IdP",
"last_connection_ok": null,
"last_connection_at": "0001-01-01T00:00:00Z",
"name": "ldapConn",
"server_url": "ldap://54.27.0.7:389",
"insecure_skip_verify": false,
"bind_dn": "cn=admin,dc=planetexpress,dc=com",
"base_dn": "dc=planetexpress,dc=com",
"search_filter": "(objectclass=User)",
"user_login_attribute": "uid",
"group_base_dn": "ou=people, dc=planetexpress, dc=com",
"group_filter": "(objectclass=Group)",
"group_name_attribute": "test1",
"group_member_field": "member"
}
]
}
Testing an Existing LDAP Connection
To test an existing LDAP connection, run:
Syntax
ksctl connectionmgmt ldap test --id <connection-name/Id>
Example Request
ksctl connectionmgmt ldap test --id "045f76ee-3407-445e-84cf-ede8bdddc688"
Example Response
{
"connection_ok": true
}
Testing a New LDAP Connection
To test the parameters of a new LDAP connection, run:
Syntax
ksctl connectionmgmt ldap test --server-url <url> --bind-dn <bind-dn> --bind-password <bind-password> --base-dn <base-dn> --search-filter <user-search-filter> --user-login-attribute <user-login-attribute> --group-base-dn <group-base-dn> --group-search-filter <group-search-filter> --group-name-attribute <group-name-attribute> --group-member-field <group-member-field> --root-ca '-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----' --username <test-username> --conn-password <test-password>
Example Request
ksctl connectionmgmt ldap test --server-url "ldap://54.80.101.85:389" --bind-dn "cn=admin,dc=planetexpress,dc=com" --bind-password "GoodNewsEveryone" --base-dn "dc=planetexpress,dc=com" --search-filter "(objectclass=User)" --user-login-attribute "uid" --group-base-dn "ou=people, dc=planetexpress, dc=com" --group-search-filter "(objectclass=Group)" --group-name-attribute "test1" --group-member-field "member" --username "fry" --conn-password "fry"
Example Response
{
"connection_ok": true
}