LDAP
An LDAP connection to the CipherTrust Manager can be configured using the following:
Note
The LDAP connection available through the connection manager is separate from, and in addition to, the LDAP connection available through Access Management.
Managing LDAP Connections using GUI
Server URL - enter the URL of the LDAP server.
Bind DN - enter the bind DN of an object that has permission to search under the base DN for users.
Server Bind Password - enter the bind password of the server.
Base DN - enter the starting point an LDAP server uses when searching for users.
Search Filter for listing users - enter the LDAP search filter to restrict the set of users who will be allowed to log on to the LDAP server.
User's login name attribute - enter the attribute on the user object that contains the username required to log on with.
Group Base DN - enter the starting point an LDAP server uses when searching for groups.
Search Filter for listing groups - enter the LDAP search filter to restrict the set of groups that will be allowed to log on to the LDAP server.
Group Name Attribute - enter the attribute on the group object that contains the friendly name of the group.
User's Distinguished Name - enter the user's distinguished name.
Group id attribute for group mapping - enter the attribute on the group object that contains the group identifier (name). This value should be unique.
User's group membership attribute - enter the attribute on the group object that holds the group membership information, that is, the attribute that refers to the users who are members of the group.
Username for test (required for Test) - enter the username required for test connection.
Password for test (required for Test) - enter the password required for test connection.
Click the Test Credentials button to check whether the connection is configured correctly. If the test is successful, the status is OK; otherwise, the status is Fail.
Click Next to move to the Add Products screen of the Add Connection wizard.
Note
Currently, the only product supported for LDAP connection is CTE.
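The settings above are only useful when the user filter, login attribute, group filter and membership attribute combine into search filters that match exactly the intended objects. The following is an added illustration, not CipherTrust Manager or ksctl code, of how a typical LDAP client assembles those filters from the values in the example request on this page; the combination scheme is an assumption about a generic client, and the value escaping follows RFC 4515 so that a login name containing filter metacharacters cannot widen the match.

```python
# Added example (not CipherTrust Manager or ksctl code): how the user- and
# group-related connection settings combine into LDAP search filters.
# The combination scheme is an assumption about a typical LDAP client; the
# escaping follows RFC 4515 so a login name cannot alter the filter structure.

# Constructed sample configuration mirroring the page's example request.
CONFIG = {
    "base_dn": "dc=planetexpress,dc=com",
    "search_filter": "(objectclass=User)",
    "user_login_attribute": "uid",
    "group_base_dn": "ou=people, dc=planetexpress, dc=com",
    "group_filter": "(objectclass=Group)",
    "group_name_attribute": "test1",
    "group_member_field": "member",
}

# RFC 4515 escapes for characters that carry meaning inside a filter.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape an attribute value for safe use inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def user_search(config: dict, login_name: str) -> tuple:
    """Return (base_dn, filter) that selects exactly the user logging in,
    AND-ed with the administrator's search_filter so only permitted
    user objects can ever match."""
    attr = config["user_login_attribute"]
    user_match = f"({attr}={escape_filter_value(login_name)})"
    return config["base_dn"], f"(&{config['search_filter']}{user_match})"


def group_search(config: dict, user_dn: str) -> tuple:
    """Return (group_base_dn, filter) listing the groups whose membership
    attribute (group_member_field) names the user's DN, AND-ed with
    group_filter so only permitted group objects are considered."""
    member_match = f"({config['group_member_field']}={escape_filter_value(user_dn)})"
    return config["group_base_dn"], f"(&{config['group_filter']}{member_match})"


if __name__ == "__main__":
    print(user_search(CONFIG, "fry"))
    # Metacharacters in the login name are escaped, not interpreted.
    print(user_search(CONFIG, "*)(uid=*"))
    print(group_search(CONFIG, "uid=fry,ou=people,dc=planetexpress,dc=com"))
```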
Managing LDAP Connections using ksctl
The following operations can be performed:
Create/Get/Update/Delete an LDAP connection
List all LDAP connections
Test an existing LDAP connection
Test the new LDAP connection parameters before establishing the connection
Note
To configure an LDAP connection, the only mandatory parameters are base_dn, name, server_url, and user_login_attribute.
Creating an LDAP Connection
To create an LDAP connection, run:
Syntax
ksctl connectionmgmt ldap create --name <connection-name> --server-url <url> --bind-dn <bind-dn> --bind-password <bind-password> --base-dn <base-dn> --search-filter <user-search-filter> --user-login-attribute <user-login-attribute> --group-base-dn <group-base-dn> --group-search-filter <group-search-filter> --group-name-attribute <group-name-attribute> --group-member-field <group-member-field> --root-ca '-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----'
Example Request
ksctl connectionmgmt ldap create --name "ldapConn" --server-url "ldap://172.27.0.6:389" --bind-dn "cn=admin,dc=planetexpress,dc=com" --bind-password "GoodNewsEveryone" --base-dn "dc=planetexpress,dc=com" --search-filter "(objectclass=User)" --user-login-attribute "uid" --group-base-dn "ou=people, dc=planetexpress, dc=com" --group-search-filter "(objectclass=Group)" --group-name-attribute "test1" --group-member-field "member"
Example Response
{
"id": "200bb517-854a-43c8-af54-7bc12cd35eb0",
"uri": "kylo:kylo:connectionmgmt:connections:ldapconn-200bb517-854a-43c8-af54-7bc12cd35eb0",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2022-07-28T07:48:09.151996264Z",
"updatedAt": "2022-07-28T07:48:09.150581053Z",
"service": "LDAP",
"category": "IdP",
"last_connection_ok": null,
"last_connection_at": "0001-01-01T00:00:00Z",
"name": "ldapConn",
"server_url": "ldap://172.27.0.6:389",
"insecure_skip_verify": false,
"bind_dn": "cn=admin,dc=planetexpress,dc=com",
"base_dn": "dc=planetexpress,dc=com",
"search_filter": "(objectclass=User)",
"user_login_attribute": "uid",
"group_base_dn": "ou=people, dc=planetexpress, dc=com",
"group_filter": "(objectclass=Group)",
"group_name_attribute": "test1",
"group_member_field": "member"
}
Getting Details of an LDAP Connection
To get details of an LDAP connection, run:
Syntax
ksctl connectionmgmt ldap get --id <connection-name/Id>
Example Request
ksctl connectionmgmt ldap get --id "ldapConn"
Example Response
{
"id": "045f76ee-3407-445e-84cf-ede8bdddc688",
"uri": "kylo:kylo:connectionmgmt:connections:ldapconn-045f76ee-3407-445e-84cf-ede8bdddc688",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2022-07-28T13:25:04.652637Z",
"updatedAt": "2022-07-28T13:25:17.190261Z",
"service": "LDAP",
"category": "IdP",
"last_connection_ok": null,
"last_connection_at": "0001-01-01T00:00:00Z",
"name": "ldapConn",
"server_url": "ldap://54.27.0.7:389",
"insecure_skip_verify": false,
"bind_dn": "cn=admin,dc=planetexpress,dc=com",
"base_dn": "dc=planetexpress,dc=com",
"search_filter": "(objectclass=User)",
"user_login_attribute": "uid",
"group_base_dn": "ou=people, dc=planetexpress, dc=com",
"group_filter": "(objectclass=Group)",
"group_name_attribute": "test1",
"group_member_field": "member"
}
Updating an LDAP Connection
To update an LDAP connection, run:
Syntax
ksctl connectionmgmt ldap modify --id <connection-name/Id> --server-url <url> --bind-dn <bind-dn> --bind-password <bind-password> --base-dn <base-dn> --search-filter <user-search-filter> --user-login-attribute <user-login-attribute> --group-base-dn <group-base-dn> --group-search-filter <group-search-filter> --group-name-attribute <group-name-attribute> --group-member-field <group-member-field> --root-ca '-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----'
Example Request
ksctl connectionmgmt ldap modify --id "ldapConn" --server-url "ldap://54.27.0.7:389"
Example Response
{
"id": "045f76ee-3407-445e-84cf-ede8bdddc688",
"uri": "kylo:kylo:connectionmgmt:connections:ldapconn-045f76ee-3407-445e-84cf-ede8bdddc688",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2022-07-28T13:25:04.652637Z",
"updatedAt": "2022-07-28T13:25:17.190260884Z",
"service": "LDAP",
"category": "IdP",
"last_connection_ok": null,
"last_connection_at": "0001-01-01T00:00:00Z",
"name": "ldapConn",
"server_url": "ldap://54.27.0.7:389",
"insecure_skip_verify": false,
"bind_dn": "cn=admin,dc=planetexpress,dc=com",
"base_dn": "dc=planetexpress,dc=com",
"search_filter": "(objectclass=User)",
"user_login_attribute": "uid",
"group_base_dn": "ou=people, dc=planetexpress, dc=com",
"group_filter": "(objectclass=Group)",
"group_name_attribute": "test1",
"group_member_field": "member"
}
Deleting an LDAP Connection
To delete an LDAP connection, run:
Syntax
ksctl connectionmgmt ldap delete --id <connection-name/Id>
Example Request
ksctl connectionmgmt ldap delete --id "ldapConn"
There will be no response if the LDAP connection is deleted successfully.
Getting List of LDAP Connections
To list all the LDAP connections, run:
Syntax
ksctl connectionmgmt ldap list
Example Request
ksctl connectionmgmt ldap list
Example Response
{
"skip": 0,
"limit": 10,
"total": 1,
"resources": [
{
"id": "045f76ee-3407-445e-84cf-ede8bdddc688",
"uri": "kylo:kylo:connectionmgmt:connections:ldapconn-045f76ee-3407-445e-84cf-ede8bdddc688",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2022-07-28T13:25:04.652637Z",
"updatedAt": "2022-07-28T13:25:17.190261Z",
"service": "LDAP",
"category": "IdP",
"last_connection_ok": null,
"last_connection_at": "0001-01-01T00:00:00Z",
"name": "ldapConn",
"server_url": "ldap://54.27.0.7:389",
"insecure_skip_verify": false,
"bind_dn": "cn=admin,dc=planetexpress,dc=com",
"base_dn": "dc=planetexpress,dc=com",
"search_filter": "(objectclass=User)",
"user_login_attribute": "uid",
"group_base_dn": "ou=people, dc=planetexpress, dc=com",
"group_filter": "(objectclass=Group)",
"group_name_attribute": "test1",
"group_member_field": "member"
}
]
}
Testing an Existing LDAP Connection
To test an existing LDAP connection, run:
Syntax
ksctl connectionmgmt ldap test --id <connection-name/Id>
Example Request
ksctl connectionmgmt ldap test --id "045f76ee-3407-445e-84cf-ede8bdddc688"
Example Response
{
"connection_ok": true
}
Testing a New LDAP Connection
To test the parameters of a new LDAP connection, run:
Syntax
ksctl connectionmgmt ldap test --server-url <url> --bind-dn <bind-dn> --bind-password <bind-password> --base-dn <base-dn> --search-filter <user-search-filter> --user-login-attribute <user-login-attribute> --group-base-dn <group-base-dn> --group-search-filter <group-search-filter> --group-name-attribute <group-name-attribute> --group-member-field <group-member-field> --root-ca '-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----'
Example Request
ksctl connectionmgmt ldap test --server-url "ldap://54.80.101.85:389" --bind-dn "cn=admin,dc=planetexpress,dc=com" --bind-password "GoodNewsEveryone" --base-dn "dc=planetexpress,dc=com" --search-filter "(objectclass=User)" --user-login-attribute "uid" --group-base-dn "ou=people, dc=planetexpress, dc=com" --group-search-filter "(objectclass=Group)" --group-name-attribute "test1" --group-member-field "member" --username "fry" --conn-password "fry"
Example Response
{
"connection_ok": true
}