LDAP
An LDAP connection to the CipherTrust Manager can be configured from the GUI or with ksctl, as described in the following sections:
Note
The LDAP connection available through the connection manager is separate from, and additional to, the LDAP connection available through Access Management.
Managing LDAP Connections using GUI
Server URL - enter the URL of the LDAP server.
If the Server URL scheme begins with 'ldaps://', the following additional configuration fields become available:
Server's Certificate - upload the server's certificate or paste it in text (PEM) format. CipherTrust Manager uses it to verify that the server is trusted. If no server certificate is provided, the server's certificate is verified against the CA store of the operating system.
Click + Add Server Certificate to upload multiple certificates of the server.
Disable verifying the server certificate - select this check box to disable verification of the server's certificate. If selected, you do not need to upload a server certificate, and the Server's Certificate field disappears. With verification disabled, whichever host answers at the Server URL is accepted and receives the Bind DN password, so leave this check box cleared outside of test environments.
Bind DN - enter the DN of the object that has permission to search under the root DN for users.
Server Bind Password - enter the password of the Bind DN object.
Base DN - enter the starting point the LDAP server uses when searching for users.
Search Filter for listing users - enter the LDAP search filter that restricts the set of users who are allowed to log in through this connection.
User's login name attribute - enter the attribute on the user object that contains the username used to log in.
Group Base DN - enter the starting point the LDAP server uses when searching for groups.
Search filter for listing groups - enter the LDAP search filter that restricts the set of groups returned for this connection.
Group Name Attribute - enter the attribute on the group object that contains the friendly name of the group.
User's Distinguished Name - enter the user's distinguished name.
Group id attribute for group mapping - enter the attribute on the group object that contains the group identifier (name). This value must be unique.
User's group membership attribute - enter the attribute on the group object that contains the group membership information, that is, the attribute referring to the users who are members of the group.
Username for test (required for Test) - enter the username required for test connection.
Password for test (required for Test) - enter the password required for test connection.
LDAP server max page size - sets the page size, which determines the number of users/groups fetched from the LDAP server per pagination request.
LDAP early listing stop - select/clear the check box to set the value to true/false. When set to false, the response shows the total number of users/groups present on the LDAP server. When set to true, the value of total in the response is displayed as -1, indicating that more records are present on the LDAP server than the limit specified; otherwise the correct total number of records is visible.
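The user search filter, login name attribute, group search filter and group membership attribute above describe how a login name is resolved to a directory entry and to the groups that entry belongs to. The following is an added example and not CipherTrust Manager code: it shows the general LDAP client pattern against an in-memory stand-in for the directory. The sample entries, the use of cn as the group name attribute (in place of the page's test1 placeholder), the tiny filter evaluator and the RFC 4515 escaping of the interpolated login name are all assumptions about how a client does this, not a description of the product's internal query.

```python
import re

# Constructed sample directory (dn -> attributes). Attribute names are stored
# lower-cased because LDAP attribute names are case-insensitive.
BASE = "dc=planetexpress,dc=com"
PEOPLE = "ou=people," + BASE
DIRECTORY = {
    "cn=fry," + PEOPLE: {"objectclass": ["inetOrgPerson", "User"], "uid": ["fry"]},
    "cn=leela," + PEOPLE: {"objectclass": ["inetOrgPerson", "User"], "uid": ["leela"]},
    "cn=ship_crew," + PEOPLE: {"objectclass": ["Group"], "cn": ["ship_crew"],
                              "member": ["cn=fry," + PEOPLE, "cn=leela," + PEOPLE]},
    "cn=admin_staff," + PEOPLE: {"objectclass": ["Group"], "cn": ["admin_staff"],
                                "member": ["cn=hermes," + PEOPLE]},
}

# Connection parameters in the shape of the GUI fields / ksctl options; the
# group name attribute 'cn' is an assumption in place of the page's 'test1'.
CFG = {
    "base_dn": BASE, "search_filter": "(objectclass=User)",
    "user_login_attribute": "uid", "group_base_dn": PEOPLE,
    "group_filter": "(objectclass=Group)", "group_name_attribute": "cn",
    "group_member_field": "member",
}


def escape_filter_value(value):
    """RFC 4515 escaping for a value interpolated into a search filter, so a
    login name such as 'fry)(uid=*' cannot add clauses to the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def user_lookup_filter(cfg, login):
    """AND the configured user filter with an exact match on the login attribute."""
    return "(&%s(%s=%s))" % (cfg["search_filter"], cfg["user_login_attribute"],
                            escape_filter_value(login))


def group_lookup_filter(cfg, user_dn):
    """AND the configured group filter with a match on the member field."""
    return "(&%s(%s=%s))" % (cfg["group_filter"], cfg["group_member_field"],
                            escape_filter_value(user_dn))


def _parse(flt):
    """Parse the filter subset used here: (attr=value), (attr=*) and (&...)."""
    pos = 0

    def node():
        nonlocal pos
        if flt[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if flt[pos] == "&":
            pos += 1
            kids = []
            while flt[pos] == "(":
                kids.append(node())
            pos += 1                                   # closing ')'
            return ("and", kids)
        end = flt.index(")", pos)
        attr, _, raw = flt[pos:end].partition("=")
        pos = end + 1
        if raw == "*":                                 # presence filter
            return ("present", attr.lower())
        value = re.sub(r"\\([0-9a-fA-F]{2})",          # undo RFC 4515 escapes
                       lambda m: chr(int(m.group(1), 16)), raw)
        return ("eq", attr.lower(), value)

    tree = node()
    if pos != len(flt):
        raise ValueError("trailing data in filter")
    return tree


def _matches(tree, entry):
    if tree[0] == "and":
        return all(_matches(k, entry) for k in tree[1])
    if tree[0] == "present":
        return bool(entry.get(tree[1]))
    _, attr, value = tree
    return any(v.lower() == value.lower() for v in entry.get(attr, []))


def search(base_dn, flt):
    """Subtree search: entries under base_dn that match the filter."""
    tree = _parse(flt)
    return [(dn, e) for dn, e in DIRECTORY.items()
            if dn.lower().endswith(base_dn.lower()) and _matches(tree, e)]


def resolve_login(cfg, login):
    """Map a login name to (user_dn, sorted group names); None unless exactly
    one user entry matches, so an ambiguous match never logs anyone in."""
    hits = search(cfg["base_dn"], user_lookup_filter(cfg, login))
    if len(hits) != 1:
        return None
    user_dn = hits[0][0]
    groups = search(cfg["group_base_dn"], group_lookup_filter(cfg, user_dn))
    return user_dn, sorted(e[cfg["group_name_attribute"]][0] for _, e in groups)


if __name__ == "__main__":
    print(user_lookup_filter(CFG, "fry"), "->", resolve_login(CFG, "fry"))
    print(user_lookup_filter(CFG, "*"), "->", resolve_login(CFG, "*"))
```

The login name is the only part of the user lookup filter that comes from outside the configuration, which is why it is escaped before being interpolated: a login of `*` becomes `(uid=\2a)` and matches nothing, whereas the same characters spliced in raw would turn the equality match into a presence filter that matches every user. Group resolution then runs the configured group filter with the member field matched against the user's DN, which is how one membership attribute such as member or memberUid maps a user to the group names reported for it.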
Click the Test Credentials button to check whether the connection is configured correctly. If the test is successful, the status is OK; otherwise the status is Fail.
Click Next to move to the Add Products screen of the Add Connection wizard.
Note
Currently, the only product supported for LDAP connection is CTE.
Managing LDAP Connections using ksctl
The following operations can be performed:
Create/Get/Update/Delete an LDAP connection
List all LDAP connections
Test an existing LDAP connection
Test the new LDAP connection parameters before establishing the connection
Note
To configure an LDAP connection, the only mandatory parameters are base_dn, name, server_url, and user_login_attribute.
Creating an LDAP Connection
To create an LDAP connection, run:
Syntax
ksctl connectionmgmt ldap create --name <connection-name> --server-url <url> --bind-dn <bind-dn> --bind-password <bind-password> --base-dn <base-dn> --search-filter <user-search-filter> --user-login-attribute <user-login-attribute> --group-base-dn <group-base-dn> --group-search-filter <group-search-filter> --group-name-attribute <group-name-attribute> --group-member-field <group-member-field> --root-ca '-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----' --server-maximum-page-size <server-maximum-page-size> --early-listing-stop <early-listing-stop>
Here,
name - unique connection name.
server-url - LDAP URL for your server (for example, ldap://172.16.2.2:3268). Unless the server upgrades the session with STARTTLS, an ldap:// URL performs the bind over plain TCP and the bind password crosses the network in cleartext; use ldaps:// with a pinned root-ca outside of lab setups.
bind-dn - object which has permission to search under the root DN for LDAP users.
bind-password - password for the Bind DN object of the LDAP connection. Passed on the command line, it is recorded in the shell history, so use a bind account with no more than read access to the user and group subtrees.
base-dn - starting point to use when searching for LDAP users.
search-filter - LDAP search filter to further restrict the set of users who will be allowed to log in.
user-login-attribute - attribute inside the user object that contains the username to log in with.
group-base-dn - starting point to use when searching for groups. This value can be left empty to disable group support for this connection.
group-search-filter - search filter for listing groups.
group-name-attribute - attribute inside the group object which contains the friendly name of the group.
group-member-field - attribute inside the group object that contains group membership information, that is, which users are members of the group. For example: member, memberUid.
root-ca - PEM encoded certificate used to determine if the server is trusted. Only applies if the server_url scheme is ldaps. If not provided, the server's certificate is verified using the CA store of the operating system. Rather than pasting the PEM inline, read it from a file, for example --root-ca "$(cat ldap-ca.pem)".
server-maximum-page-size - sets the page size, which determines the number of users/groups fetched from the LDAP server per pagination request. By default, when early_listing_stop is false and server-maximum-page-size is 0, entries are retrieved from the LDAP server without pagination.
early-listing-stop - when set to false, the response shows the total number of users/groups present on the LDAP server. When set to true, the value of total in the response is displayed as -1, indicating that more records are present on the LDAP server than the limit specified. The default value of early-listing-stop is false. For example, with early-listing-stop set to true and 5000 users on the LDAP server, if the limit parameter on the CipherTrust Manager is set to 1000, the response contains 1000 entries and the value of total is -1.
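The paging and early-listing-stop behaviour described for server-maximum-page-size and early-listing-stop (and for the matching LDAP server max page size and LDAP early listing stop fields in the GUI section) is easier to follow as code. The following is an added example, not CipherTrust Manager or ksctl code: FakeDirectory is a constructed stand-in for an LDAP server that honours a paged-results control, the page size of 1000 used for the 5000-user scenario and the client-side handling of skip and limit are assumptions, and the response dictionary only mirrors the skip, limit, total and resources fields of the ksctl list output.

```python
from dataclasses import dataclass


@dataclass
class FakeDirectory:
    """Constructed stand-in for an LDAP server with a paged-results control:
    each search returns one page plus a cookie for the next page, or None
    once the result set is exhausted."""
    entries: list
    searches: int = 0   # number of search operations the client issued

    def search(self, page_size, cookie=0):
        self.searches += 1
        if page_size <= 0:
            # No paging control: the server returns the whole result set at once.
            return list(self.entries), None
        page = self.entries[cookie:cookie + page_size]
        nxt = cookie + page_size
        return page, (nxt if nxt < len(self.entries) else None)


def list_entries(directory, limit, server_maximum_page_size=0,
                 early_listing_stop=False, skip=0):
    """Fetch users/groups page by page and build a {skip, limit, total,
    resources} response shaped like the ksctl list output.

    early_listing_stop=False: walk every page, so 'total' is the exact count.
    early_listing_stop=True:  stop once skip+limit entries are in hand and
    report total=-1, meaning more records exist on the server than were fetched.
    """
    needed = skip + limit
    collected = []
    cookie = 0
    while True:
        page, cookie = directory.search(server_maximum_page_size, cookie)
        collected.extend(page)
        if cookie is None:
            total = len(collected)        # result set exhausted: exact count
            break
        if early_listing_stop and len(collected) >= needed:
            total = -1                    # stopped early: count not known
            break
    return {"skip": skip, "limit": limit, "total": total,
            "resources": collected[skip:needed]}


# The scenario from the text: 5000 users on the server, limit 1000 (constructed).
USERS = ["uid=user%d,dc=planetexpress,dc=com" % i for i in range(5000)]


def scenario(early_listing_stop, page_size=1000, limit=1000, skip=0):
    """Run one listing; return (entries returned, total, searches issued)."""
    directory = FakeDirectory(USERS)
    resp = list_entries(directory, limit, page_size, early_listing_stop, skip)
    return len(resp["resources"]), resp["total"], directory.searches


if __name__ == "__main__":
    print("early stop on :", scenario(True))               # (1000, -1, 1)
    print("early stop off:", scenario(False))              # (1000, 5000, 5)
    print("no pagination :", scenario(False, page_size=0))  # (1000, 5000, 1)
```

The cost of an exact total is a walk over the whole result set, five searches for 5000 users at a page size of 1000, even though the caller only wants the first 1000. With early stop on, the client issues just enough searches to cover skip+limit and signals with total=-1 that the count is unknown; when the directory is smaller than the limit the last page arrives without a cookie and the exact count is reported either way.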
Example Request 1
ksctl connectionmgmt ldap create --name "ldapConn" --server-url "ldap://172.27.0.6:389" --bind-dn "cn=admin,dc=planetexpress,dc=com" --bind-password "GoodNewsEveryone" --base-dn "dc=planetexpress,dc=com" --search-filter "(objectclass=User)" --user-login-attribute "uid" --group-base-dn "ou=people, dc=planetexpress, dc=com" --group-search-filter "(objectclass=Group)" --group-name-attribute "test1" --group-member-field "member"
Example Response 1
{
"id": "200bb517-854a-43c8-af54-7bc12cd35eb0",
"uri": "kylo:kylo:connectionmgmt:connections:ldapconn-200bb517-854a-43c8-af54-7bc12cd35eb0",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2022-07-28T07:48:09.151996264Z",
"updatedAt": "2022-07-28T07:48:09.150581053Z",
"service": "LDAP",
"category": "IdP",
"last_connection_ok": null,
"last_connection_at": "0001-01-01T00:00:00Z",
"name": "ldapConn",
"server_url": "ldap://172.27.0.6:389",
"insecure_skip_verify": false,
"bind_dn": "cn=admin,dc=planetexpress,dc=com",
"base_dn": "dc=planetexpress,dc=com",
"search_filter": "(objectclass=User)",
"user_login_attribute": "uid",
"group_base_dn": "ou=people, dc=planetexpress, dc=com",
"group_filter": "(objectclass=Group)",
"group_name_attribute": "test1",
"group_member_field": "member"
}
Example Request 2
ksctl connectionmgmt ldap create --name "ldapConn1" --server-url "ldap://172.27.0.6:389" --bind-dn "cn=admin,dc=planetexpress,dc=com" --bind-password "GoodNewsEveryone" --base-dn "dc=planetexpress,dc=com" --search-filter "(objectclass=User)" --user-login-attribute "uid" --group-base-dn "ou=people, dc=planetexpress, dc=com" --group-search-filter "(objectclass=Group)" --group-name-attribute "test1" --group-member-field "member" --server-maximum-page-size 10000 --early-listing-stop true
Example Response 2
{
"id": "200bb517-854a-43c8-af54-7bc12cd35eb0",
"uri": "kylo:kylo:connectionmgmt:connections:ldapconn-200bb517-854a-43c8-af54-7bc12cd35eb0",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2022-07-28T07:48:09.151996264Z",
"updatedAt": "2022-07-28T07:48:09.150581053Z",
"service": "LDAP",
"category": "IdP",
"last_connection_ok": null,
"last_connection_at": "0001-01-01T00:00:00Z",
"name": "ldapConn1",
"server_url": "ldap://172.27.0.6:389",
"insecure_skip_verify": false,
"bind_dn": "cn=admin,dc=planetexpress,dc=com",
"base_dn": "dc=planetexpress,dc=com",
"server_maximum_page_size": 10000,
"early_listing_stop": true,
"search_filter": "(objectclass=User)",
"user_login_attribute": "uid",
"group_base_dn": "ou=people, dc=planetexpress, dc=com",
"group_filter": "(objectclass=Group)",
"group_name_attribute": "test1",
"group_member_field": "member"
}
Getting Details of an LDAP Connection
To get details of an LDAP connection, run:
Syntax
ksctl connectionmgmt ldap get --id <connection-name/Id>
Example Request
ksctl connectionmgmt ldap get --id "ldapConn1"
Example Response
{
"id": "045f76ee-3407-445e-84cf-ede8bdddc688",
"uri": "kylo:kylo:connectionmgmt:connections:ldapconn-045f76ee-3407-445e-84cf-ede8bdddc688",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2022-07-28T13:25:04.652637Z",
"updatedAt": "2022-07-28T13:25:17.190261Z",
"service": "LDAP",
"category": "IdP",
"last_connection_ok": null,
"last_connection_at": "0001-01-01T00:00:00Z",
"name": "ldapConn",
"server_url": "ldap://54.27.0.7:389",
"insecure_skip_verify": false,
"bind_dn": "cn=admin,dc=planetexpress,dc=com",
"base_dn": "dc=planetexpress,dc=com",
"server_maximum_page_size": 10000,
"early_listing_stop": true,
"search_filter": "(objectclass=User)",
"user_login_attribute": "uid",
"group_base_dn": "ou=people, dc=planetexpress, dc=com",
"group_filter": "(objectclass=Group)",
"group_name_attribute": "test1",
"group_member_field": "member"
}
Updating an LDAP Connection
To update an LDAP connection, run:
Syntax
ksctl connectionmgmt ldap modify --id <connection-name/Id> --server-url <url> --bind-dn <bind-dn> --bind-password <bind-password> --base-dn <base-dn> --search-filter <user-search-filter> --user-login-attribute <user-login-attribute> --group-base-dn <group-base-dn> --group-search-filter <group-search-filter> --group-name-attribute <group-name-attribute> --group-member-field <group-member-field> --root-ca '-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----' --server-maximum-page-size <server-maximum-page-size> --early-listing-stop <early-listing-stop>
Example Request 1
ksctl connectionmgmt ldap modify --id "ldapConn" --server-url "ldap://54.27.0.7:389"
Example Response 1
{
"id": "045f76ee-3407-445e-84cf-ede8bdddc688",
"uri": "kylo:kylo:connectionmgmt:connections:ldapconn-045f76ee-3407-445e-84cf-ede8bdddc688",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2022-07-28T13:25:04.652637Z",
"updatedAt": "2022-07-28T13:25:17.190260884Z",
"service": "LDAP",
"category": "IdP",
"last_connection_ok": null,
"last_connection_at": "0001-01-01T00:00:00Z",
"name": "ldapConn",
"server_url": "ldap://54.27.0.7:389",
"insecure_skip_verify": false,
"bind_dn": "cn=admin,dc=planetexpress,dc=com",
"base_dn": "dc=planetexpress,dc=com",
"search_filter": "(objectclass=User)",
"user_login_attribute": "uid",
"group_base_dn": "ou=people, dc=planetexpress, dc=com",
"group_filter": "(objectclass=Group)",
"group_name_attribute": "test1",
"group_member_field": "member"
}
Example Request 2
ksctl connectionmgmt ldap modify --id "ldapConn1" --server-url "ldap://54.27.0.7:389" --server-maximum-page-size 10000 --early-listing-stop true
Example Response 2
{
"id": "045f76ee-3407-445e-84cf-ede8bdddc688",
"uri": "kylo:kylo:connectionmgmt:connections:ldapconn-045f76ee-3407-445e-84cf-ede8bdddc688",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2022-07-28T13:25:04.652637Z",
"updatedAt": "2022-07-28T13:25:17.190260884Z",
"service": "LDAP",
"category": "IdP",
"last_connection_ok": null,
"last_connection_at": "0001-01-01T00:00:00Z",
"name": "ldapConn",
"server_url": "ldap://54.27.0.7:389",
"insecure_skip_verify": false,
"bind_dn": "cn=admin,dc=planetexpress,dc=com",
"base_dn": "dc=planetexpress,dc=com",
"search_filter": "(objectclass=User)",
"user_login_attribute": "uid",
"server_maximum_page_size": 10000,
"early_listing_stop": true,
"group_base_dn": "ou=people, dc=planetexpress, dc=com",
"group_filter": "(objectclass=Group)",
"group_name_attribute": "test1",
"group_member_field": "member"
}
Deleting an LDAP Connection
To delete an LDAP connection, run:
Syntax
ksctl connectionmgmt ldap delete --id <connection-name/Id>
Example Request
ksctl connectionmgmt ldap delete --id "ldapConn"
There will be no response if the LDAP connection is deleted successfully.
Getting List of LDAP Connections
To list all the LDAP connections, run:
Syntax
ksctl connectionmgmt ldap list
Example Request
ksctl connectionmgmt ldap list
Example Response
{
"skip": 0,
"limit": 10,
"total": 2,
"resources":
[
{
"id": "200bb517-854a-43c8-af54-7bc12cd35eb0",
"uri": "kylo:kylo:connectionmgmt:connections:ldapconn-200bb517-854a-43c8-af54-7bc12cd35eb0",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2022-07-28T13:25:04.652637Z",
"updatedAt": "2022-07-28T13:25:17.190261Z",
"service": "LDAP",
"category": "IdP",
"last_connection_ok": null,
"last_connection_at": "0001-01-01T00:00:00Z",
"name": "ldapConn",
"server_url": "ldap://54.27.0.7:389",
"insecure_skip_verify": false,
"bind_dn": "cn=admin,dc=planetexpress,dc=com",
"base_dn": "dc=planetexpress,dc=com",
"search_filter": "(objectclass=User)",
"user_login_attribute": "uid",
"group_base_dn": "ou=people, dc=planetexpress, dc=com",
"group_filter": "(objectclass=Group)",
"group_name_attribute": "test1",
"group_member_field": "member"
},
{
"id": "045f76ee-3407-445e-84cf-ede8bdddc688",
"uri": "kylo:kylo:connectionmgmt:connections:ldapconn1-045f76ee-3407-445e-84cf-ede8bdddc688",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2022-07-28T13:25:04.652637Z",
"updatedAt": "2022-07-28T13:25:17.190261Z",
"service": "LDAP",
"category": "IdP",
"last_connection_ok": null,
"last_connection_at": "0001-01-01T00:00:00Z",
"name": "ldapConn",
"server_url": "ldap://54.27.0.7:389",
"insecure_skip_verify": false,
"bind_dn": "cn=admin,dc=planetexpress,dc=com",
"base_dn": "dc=planetexpress,dc=com",
"search_filter": "(objectclass=User)",
"user_login_attribute": "uid",
"server_maximum_page_size": 10000,
"early_listing_stop": true,
"group_base_dn": "ou=people, dc=planetexpress, dc=com",
"group_filter": "(objectclass=Group)",
"group_name_attribute": "test1",
"group_member_field": "member"
}
]
}
Testing an Existing LDAP Connection
To test an existing LDAP connection, run:
Syntax
ksctl connectionmgmt ldap test --id <connection-name/Id>
Example Request
ksctl connectionmgmt ldap test --id "045f76ee-3407-445e-84cf-ede8bdddc688"
Example Response
{
"connection_ok": true
}
Testing a New LDAP Connection
To test the parameters of a new LDAP connection, run:
Syntax
ksctl connectionmgmt ldap test --server-url <url> --bind-dn <bind-dn> --bind-password <bind-password> --base-dn <base-dn> --search-filter <user-search-filter> --user-login-attribute <user-login-attribute> --group-base-dn <group-base-dn> --group-search-filter <group-search-filter> --group-name-attribute <group-name-attribute> --group-member-field <group-member-field> --root-ca '-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----' --username <test-username> --conn-password <test-password>
Example Request
ksctl connectionmgmt ldap test --server-url "ldap://54.80.101.85:389" --bind-dn "cn=admin,dc=planetexpress,dc=com" --bind-password "GoodNewsEveryone" --base-dn "dc=planetexpress,dc=com" --search-filter "(objectclass=User)" --user-login-attribute "uid" --group-base-dn "ou=people, dc=planetexpress, dc=com" --group-search-filter "(objectclass=Group)" --group-name-attribute "test1" --group-member-field "member" --username "fry" --conn-password "fry"
Example Response
{
"connection_ok": true
}