Allowing AD Users to Manage Azure Vaults
This section describes how to allow AD users to manage Azure vaults using CCKM. Change the sample values according to your requirements.
Note
This feature works in the root domain only.
1. Create an LDAP connection (for example, ldapcon) on the CipherTrust Manager:

    curl -k '<IP>/v1/usermgmt/connections' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n "name": "ldapcon",\n "strategy": "ldap",\n "options": {\n "server_url": "ldap://<ldap-server-ip>",\n "root_dn": "dc=calculate",\n "uid_field": "uid",\n "user_dn_field": "dn",\n "bind_dn": "cn=ldapadmin,dc=calculate",\n "bind_password": "<password>",\n "group_base_dn": "dc=calculate",\n "group_member_field": "memberUid",\n "group_id_field": "cn",\n "group_filter": "objectClass=posixGroup",\n "guid_field": "uid"\n }\n}' --compressed

   Here, server_url is the URL of the LDAP server. An ldap:// URL sends the bind_password and every directory query in cleartext; use ldaps:// wherever the directory server supports it. In all of these commands, -k makes curl skip verification of the CipherTrust Manager's TLS certificate; drop it once the client trusts that certificate.

2. Create a local group (for example, localgroup) on the CipherTrust Manager:

    curl -k '<IP>/v1/usermgmt/groups' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n "name": "localgroup"\n }' --compressed

3. Map the group on the LDAP server (for example, ldapgroup) to the newly created localgroup:

    curl -k '<IP>/v1/usermgmt/groupmaps' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n "connection_name": "ldapcon",\n "connection_group_name": "ldapgroup",\n "group_name": "localgroup"\n }' --compressed

4. Map the same LDAP group (ldapgroup) to the "CCKM Users" group:

    curl -k '<IP>/v1/usermgmt/groupmaps' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n "connection_name": "ldapcon",\n "connection_group_name": "ldapgroup",\n "group_name": "CCKM Users"\n }' --compressed

   Every member of ldapgroup now becomes a CCKM user on login; choose the directory group accordingly.

5. Add an Azure connection. Refer to Microsoft Azure for details on the required fields.

6. Add an Azure vault. Refer to Adding Existing Vaults for details.

7. Assign localgroup to this vault.

8. Log on to the CipherTrust Manager as an LDAP user who is a member of ldapgroup, over the LDAP connection ldapcon:

    username: ldapcon/<ldap-user-name>
    password: <ldap-user-login-password>

The newly added Azure vault should be visible. The mapping to "CCKM Users" is what lets these directory users reach CCKM at all; the assignment of localgroup to the vault is what scopes which vaults they can manage, so users in ldapgroup see only the vaults that localgroup has been assigned to.
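The following script drives steps 1 to 4 of the procedure above through the same CipherTrust Manager REST endpoints that the curl commands use, as an added example that is not part of this page or of Thales' own tooling. It refuses a plaintext ldap:// server_url unless explicitly overridden, stops at the first failed call so that a half-built mapping never grants CCKM access, and separates payload construction from the HTTP sender so the plan can be inspected (or unit-tested with a fake sender) before anything is created. The endpoint paths are those on the page; the base URL prefix, the CM_URL and CM_TOKEN environment variables, and the field values are assumptions for illustration.

```python
"""Hypothetical automation of the LDAP -> local group -> "CCKM Users" mapping
procedure.  Added example, not Thales' code; endpoint paths are taken from the
page's curl commands, everything else is an assumption."""
import json
import os
import ssl
import urllib.error
import urllib.request
from typing import Callable, List, Optional, Tuple
from urllib.parse import urlparse

# A sender takes (method, path, json_body) and returns (http_status, json_response).
Sender = Callable[[str, str, Optional[dict]], Tuple[int, dict]]


def ldap_connection_payload(name: str, server_url: str, bind_dn: str, bind_password: str,
                            root_dn: str, group_base_dn: str,
                            allow_plaintext: bool = False) -> dict:
    """Body for POST /v1/usermgmt/connections with the page's field set.
    ldap:// sends bind_password and every search in cleartext, so it is refused
    unless allow_plaintext=True is passed (isolated lab only)."""
    if urlparse(server_url).scheme != "ldaps" and not allow_plaintext:
        raise ValueError(f"{server_url}: plaintext LDAP refused, use ldaps://")
    return {
        "name": name,
        "strategy": "ldap",
        "options": {
            "server_url": server_url, "root_dn": root_dn,
            "uid_field": "uid", "user_dn_field": "dn",
            "bind_dn": bind_dn, "bind_password": bind_password,
            "group_base_dn": group_base_dn, "group_member_field": "memberUid",
            "group_id_field": "cn", "group_filter": "objectClass=posixGroup",
            "guid_field": "uid",
        },
    }


def groupmap_payload(connection_name: str, connection_group_name: str, group_name: str) -> dict:
    """Body for POST /v1/usermgmt/groupmaps: directory group -> CM group."""
    return {"connection_name": connection_name,
            "connection_group_name": connection_group_name,
            "group_name": group_name}


def plan_steps(connection: dict, local_group: str, ldap_group: str) -> List[Tuple[str, str, dict]]:
    """Steps 1-4 in order.  The map to "CCKM Users" grants CCKM access; the map
    to the local group is what the vault assignment (step 7) is scoped to."""
    conn = connection["name"]
    return [
        ("POST", "/v1/usermgmt/connections", connection),
        ("POST", "/v1/usermgmt/groups", {"name": local_group}),
        ("POST", "/v1/usermgmt/groupmaps", groupmap_payload(conn, ldap_group, local_group)),
        ("POST", "/v1/usermgmt/groupmaps", groupmap_payload(conn, ldap_group, "CCKM Users")),
    ]


def apply_steps(send: Sender, steps: List[Tuple[str, str, dict]]) -> List[dict]:
    """Run the plan; abort on the first non-2xx so no partial mapping is left."""
    results = []
    for method, path, body in steps:
        status, resp = send(method, path, body)
        if status >= 400:
            raise RuntimeError(f"{method} {path} -> HTTP {status}: {resp}")
        results.append(resp)
    return results


def https_sender(base_url: str, token: str, verify_tls: bool = True) -> Sender:
    """Real sender over urllib.  verify_tls=False is curl's -k: any certificate
    is accepted, so the bearer token can be captured on path; avoid in production."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    def send(method: str, path: str, body: Optional[dict]) -> Tuple[int, dict]:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(base_url + path, data=data, method=method,
                                     headers={"Authorization": f"Bearer {token}",
                                              "Content-Type": "application/json",
                                              "Accept": "application/json"})
        try:
            with urllib.request.urlopen(req, context=ctx) as r:
                return r.status, json.loads(r.read() or b"{}")
        except urllib.error.HTTPError as e:
            return e.code, json.loads(e.read() or b"{}")
    return send


if __name__ == "__main__":
    # Assumed environment: CM_URL like https://<IP>, CM_TOKEN a valid bearer token.
    connection = ldap_connection_payload("ldapcon", "ldaps://<ldap-server-ip>",
                                         "cn=ldapadmin,dc=calculate", os.environ["LDAP_BIND_PW"],
                                         "dc=calculate", "dc=calculate")
    sender = https_sender(os.environ["CM_URL"], os.environ["CM_TOKEN"])
    for created in apply_steps(sender, plan_steps(connection, "localgroup", "ldapgroup")):
        print(json.dumps(created))
```

Steps 5 to 8 (Azure connection, vault, vault assignment, login as the directory user) are left to the console or to the CCKM endpoints documented for them; the script deliberately stops at the point where the directory group has been wired to both the local group and "CCKM Users".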