LDAP Group Mapping
Overview
Groupmaps extend group-based configuration of keys to LDAP groups. A groupmap maps an LDAP group belonging to a specific LDAP connection to a CipherTrust Manager group. For example, an LDAP group can be mapped to the system defined `Key Users` group in order to allow the LDAP group's members to encrypt data. Alternatively, an LDAP group can be mapped to a newly created CipherTrust Manager group where group-based key permissions can be configured.
The groupmaps API can be used to create, delete, get, list, and modify mappings. A mapping is created by passing three parameters (LDAP group name, LDAP connection name, and CipherTrust Manager group name) to the create API. This returns an ID along with other information. The ID can be used to get, modify or delete the mapping. The list API supports searching for all mappings associated with (a) an LDAP connection, (b) aCipherTrust Manager group, and/or (c) a LDAP group. Wildcards can be used in the list API.
The API playground and the CLI tool (ksctl) can be used to explore the Groupmap API.
CLI Commands
The CLI Tool (ksctl) can be used to create and manipulate groupmappings. Help about group mappings can be obtained via the ksctl groupmaps -h command.
A groupmap can be created via the following command:
$ ksctl groupmaps create -c <ldap-connection-name> -g <ldap-group-name> -k <key-secure-group-name>
The LDAP connection and key secure group must exist prior to creating a connection. The mapping links the LDAP group to the key secure group. The response shows information about the mapping; here is a sample response:
"id": "26a980d2-c20a-4307-b12a-4898aa575122",
"created_at": "2018-09-28T20:50:28.978112Z",
"updated_at": "2018-09-28T20:50:28.978112Z",
"connection_name": "ldap22",
"ldap_group_name": "admin_staff",
"group_name": "group1"
The ID that is returned by the can be used in the ksctl groupmaps get, ksctl groupmaps delete and ksctl groupmaps modify commands. The ksctl groupmaps modify command allows modification of theCipherTrust Manager group name associated with a groupmap:
$ ksctl groupmaps modify -i <group-map-id> -k <key-secure-group-name>
The ksctl groupmaps list command allows listing of all the available groupmaps:
$ ksctl groupmaps list [-s <skip>] [-l <limit>] [-c <ldap-connection-name>] [-g <ldap-group-name>] [-k <key-secure-group-name
For example, the following command will list all groupmaps associated with an LDAP connection named "hr-ldap":
$ ksctl groupmaps list -l 1000 -c hr-ldap
The * character can be used to perform wild card searches over connection names and group names.
Use Cases
The utility of group mappings is illustrated by the following examples.
Making all Users in a Specific LDAP Group members of Key Users Group
Assume that there is a LDAP connection named bababini containing a group named IT. All users in the IT group should have the ability to create keys. This can be achieved by creating a group map that maps the LDAP IT group into the built-in CipherTrust Manager 'Key Users' group:
$ ksctl groupmaps create -c bababini -g IT -k "Key Users"
Users in the LDAP group IT can create keys after issuing this command.
Two LDAP groups share keys
Assume that there is a LDAP connection named bababini containing two groups: IT and Engineering. It is desired to share cryptographic keys between the two LDAP groups. This can be achieved by the following steps:
Create a key secure group called
it-engg-shared-keys.Create cryptographic keys and allow all users in the
it-engg-shared-keysgroup access to those keys.Create a group mapping between the IT and
it-engg-shared-keysvia the command:$ ksctl groupmaps create -c bababini -g IT -k it-engg-shared-keysCreate a group mapping between the Engineering and
it-engg-shared-keysvia the command:$ ksctl groupmaps create -c bababini -g Engineering -k it-engg-shared-keys
Users in both groups can now share the keys created in step 2 above.
