Configuring an AD/LDAP Server
The Active Directory/LDAP server is optional. However, you can use it to import CT-VL users and CT-VL GUI Administrators. See Active Directory/LDAP Server Requirements before configuring. You must configure the AD/LDAP server on every node in your CT-VL HA cluster.
Go to the auth command category in the CT-VL CLI to see the ldap command:

main> auth
auth> ?
Command    Description
=======    ===========
ldap       LDAP Setup
oauth2     OAuth2 Setup
Like all CLI commands, you can type the command without a parameter and a usage example is displayed:
auth> ldap
usage: ldap [-h] [--show] [--setup] [--enable {true,false}]
            [--server SERVER_URI] [--bind_dn BIND_DN]
            [--bind_password PASSWORD] [--user_prefix PREFIX]
            [--user_search_filter FILTER] [--user_search_scope SCOPE]
            [--group_search_scope SCOPE] [--active_user_group GROUP]
            [--staff_user_group GROUP] [--super_user_group GROUP]
            [--ca_cert {import,remove,show}] [--test {bind_dn}]
            [--query_user NAME] [-y]

LDAP Setup

optional arguments:
  -h, --help            show this help message and exit
  --show                show LDAP settings
  [ . . . ]
Disable, then enable LDAP support in the Tokenization Server (enabling restarts the cts service):

auth> ldap --enable false
LDAP settings have been saved
auth> ldap --enable true
Restarting cts (via systemctl): [ OK ]
LDAP settings have been saved
auth>
Note
If you disable LDAP support, then you can use only the CT-VL GUI to create users and groups.
Set the AD/LDAP server URI with the --server option. For LDAPS (LDAP over TLS), where the default port is 636:

auth> ldap --server ldaps://<hostname_or_IP_address>:<Port>

or for plain LDAP, where the default port is 389:

auth> ldap --server ldap://<hostname_or_IP_address>:<Port>

Prefer ldaps:// wherever the directory supports it: with a plain ldap:// URI the bind DN's password is sent to the server unencrypted.

Example:

auth> ldap --server ldap://192.168.118.99:389
LDAP settings have been saved
auth>
Set the bind DN of the account that CT-VL uses to search the directory; the CLI prompts for that account's password. Use a dedicated account with read-only access to the user and group subtrees rather than an administrator account. Active Directory also accepts the user principal name form (user@domain) shown in the example.

ldap --bind_dn <DN or UPN of an account with read access to the LDAP server>

Example:

auth> ldap --bind_dn cts0@cts.vormetric.com
Enter Password :
Enter Password again :
Set LDAP Bind User DN SUCCESS
auth>
Set the user search scope, the base DN under which CT-VL searches for users, with the --user_search_scope option:

ldap --user_search_scope <User search base DN>

Example:

auth> ldap --user_search_scope dc=cts,dc=vormetric,dc=com
LDAP settings have been saved
auth>
Set the group search scope, the base DN under which CT-VL searches for groups, with the --group_search_scope option:

ldap --group_search_scope <Group search base DN>

Example:

auth> ldap --group_search_scope CN=Users,dc=cts,dc=vormetric,dc=com
LDAP settings have been saved
auth>
Set the attribute used as the user search filter with the --user_search_filter option. This is the attribute whose value is matched against the login name; for Active Directory it is normally sAMAccountName:

ldap --user_search_filter <Name of user attribute in AD/LDAP>

Example:

auth> ldap --user_search_filter sAMAccountName
LDAP settings have been saved
auth>
Set the user prefix with the --user_prefix option. The user prefix is the attribute that prefixes the user name when CT-VL looks the user up in the LDAP database (for example uid=<username>):

ldap --user_prefix <User prefix attribute, for example uid, cn or sn>

Example:

auth> ldap --user_prefix uid
Set LDAP USER PREFIX SUCCESS
auth>
Set the Tokenization Server active user group with the --active_user_group option:

auth> ldap --active_user_group <Group whose members can access the RESTful API>

In this example, any user who wants access to the CTS RESTful API must belong to the AD group ctsUsers within Users of the domain cts.vormetric.com:

auth> ldap --active_user_group cn=ctsUsers,cn=Users,dc=cts,dc=vormetric,dc=com
LDAP settings have been saved
auth>
Set the CT-VL superuser group with the --super_user_group option:

ldap --super_user_group <Group that can access the Tokenization Server GUI and APIs>

In this example, any user who requires access to the CTS GUI and REST APIs must belong to the AD group ctsSuperuser within Users of the domain cts.vormetric.com:

auth> ldap --super_user_group cn=ctsSuperuser,cn=Users,dc=cts,dc=vormetric,dc=com
LDAP settings have been saved
auth>
For LDAPS support only: import the CA certificate chain of the LDAP server into the built-in LDAPS client of CT-VL with the --ca_cert option. The chain consists of the intermediate and root CA certificates that issued the LDAP server's certificate, not the server certificate itself; obtain them from your CA, for example through a certificate management tool such as DigiCert Certificate Manager.

Note
The --ca_cert option uses an underscore (_) instead of a hyphen (-).

a. Using your certificate management tool, download your intermediate and root certificates.

Note
CT-VL requires all certificates to be in PEM format.

b. Run ldap --ca_cert import to import the certificate trust chain. Paste the entire body of each certificate in the order shown in the example (intermediate first, then root), then press Ctrl-d when finished:

auth> ldap --ca_cert import
Cut-and-paste below a CA Certificate in pem format. Press Ctrl-d when done.
-----BEGIN CERTIFICATE-----
(Your Intermediate certificate: DigiCertCA.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Root certificate: TrustedRoot.crt)
-----END CERTIFICATE-----
Restarting cts (via systemctl): [ OK ]
LDAP CA Certificate has been uploaded.
auth>

Run ldap --ca_cert show to confirm what was imported.
Run the --show option to list the LDAP configuration (the bind password is always masked):

auth> ldap --show
ENABLE true
SERVER_URI ldap://192.168.118.99:389
BIND_DN cts0@cts.vormetric.com
BIND_PASSWORD ********
USER_SEARCH_SCOPE dc=cts,dc=vormetric,dc=com
GROUP_SEARCH_SCOPE CN=Users,dc=cts,dc=vormetric,dc=com
USER_SEARCH_FILTER sAMAccountName
ACTIVE_USER_GROUP cn=ctsUsers,cn=Users,dc=cts,dc=vormetric,dc=com
SUPER_USER_GROUP
auth>

To check the saved settings against the live directory, use ldap --test bind_dn (bind with the configured bind DN and password) and ldap --query_user <NAME> (look up a user with the configured search scope, filter and prefix) after any change. Remember that the same settings must be applied on every node of the CT-VL HA cluster.