Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

Tasks

Configuring an AD/LDAP Server

search

Please Note:

printsuggest an edit

Configuring an AD/LDAP Server

The Active Directory/LDAP server is optional. However, you can use it to import CT-VL users and CT-VL GUI Administrators. See Active Directory/LDAP Server Requirements before configuring. You must configure the AD/LDAP server on every node in your CT-VL HA cluster.

  1. Go to the auth command category in the CT-VL CLI to see the ldap command.

    main> auth
auth$ ?
    Command     Description
    =======     ===========
    ldap        LDAP Setup
    oauth2      OAuth2 Setup

  2. Like all CLI commands, you can type the command without a parameter and a usage example is displayed:

    auth> ldap
usage: ldap [-h] [--show] [--setup] [--enable {true,false}]
                [--server SERVER_URI] [--bind_dn BIND_DN]
                [--bind_password PASSWORD] [--user_prefix PREFIX]
                [--user_search_filter FILTER]
                [--user_search_scope SCOPE] [--group_search_scope SCOPE]
                [--active_user_group GROUP] [--staff_user_group GROUP]
                [--super_user_group GROUP]
                [--ca_cert {import,remove,show}] [--test {bind_dn}]
                [--query_user NAME] [-y]

LDAP Setup

optional arguments:
-h, --help      show this help message and exit
--show          show LDAP settings

[ . . . ]

  3. Disable, then enable LDAP support in the Tokenization Server:

    auth> ldap --enable false
LDAP settings have been saved
auth> ldap --enable true
Restarting cts (via systemctl):         [ OK ]
LDAP settings have been saved
auth>

    Note

    If you disable LDAP support, then you can use only the CT-VL GUI to create users and groups.

  4. Set the AD/LDAP server URI with the --server command (where the default port number for an LPDAS server is 636):

    auth> ldap --server ldaps://<hostname_or_IP_address>:<Port>

    or (where the default port number for an LDAP server is 389):

    auth> ldap --server ldap://<hostname_or_IP_address>:<Port>

    Example:

    auth> ldap --server ldap://192.168.118.99:389
LDAP settings have been saved
auth>

  5. Set the binding DN of the user who has access to the AD/LDAP server with password. Example:

    ldap --bind_dn <FQDN of user with access to LDAP Server>

    Example:

    auth> ldap --bind_dn cts0@cts.vormetric.com
Enter Password :
Enter Password again :
Set LDAP Bind User DN SUCCESS
auth>

  6. Set user search scope using user_search_scope command:

    ldap --user_search_scope <User search scope>

    Example:

    auth> ldap --user_scope dc=cts,dc=vormetric,dc=com
LDAP settings have been saved
auth>

  7. Set group search scope using the group_search_scope command:

    ldap --group_search_scope <Group search scope>

    Example:

    auth> ldap --group_search_scope CN=Users, dc=cts,dc=vormetric,dc=com
LDAP settings have been saved
auth>

  8. Set attribute field for user search filter using the user_search_filter command:

    ldap --user_search_filter <Name of user field in AD/LDAP>

    Example:

    auth> ldap --user_search_filter sAMAccountName
LDAP settings have been saved
auth>

  9. Set user prefix name using user_prefix command. The user prefix is the attribute that should be used to prefix the user name when searching for the user name in the LDAP database.

    ldap --user_prefix <User prefix name. Example: uid or cn or sn>

    Example:

    auth$ user_prefix uid
Set LDAP USER PREFIX SUCCESS

  10. Set the Tokenization Server active user group using the active_user_group command:

    auth> ldap --active_user_group <Group whose members can access the RESTful API>

    In this example, any user who wants access to the CTS RESTful API, must belong to the AD group ctsUsers within Users of the domain cts.vormetric.com:

    auth> ldap --active_user_group cn=ctsUsers,cn=Users,dc=cts,dc=vormetric,dc=com
LDAP settings have been saved
auth>

  11. Set the CT-VL superuser group using the --super_user_group command:

    ldap --super_user_group <Group that can access the Tokenization Server GUI & APIs>

    In this example, any user who requires access to the CTS GUI and REST APIs, must belong to the AD group ctsSuperuser within Users of domain cts.vormetric.com:

    auth> ldap --super_user_group cn=ctsSuperuser,cn=Users,dc=cts,dc=vormetric,dc=com
LDAP settings have been saved
auth>

  12. For LDAPS Support Only: Import the CA certificate chain of the LDAP server to the built-in LDAPS client of CT-VL. A Certificate Management tool like DigiCert or Certificate Manager tool is recommended to request the certificate, after which use the --ca_cert option to import the certificate into the CT-VL.

    Note

    The --ca_cert option uses an underscore (_) instead of a hyphen (-).

    a. Using a Certificate Management tool like DigiCert or Certificate Manager tool, download your intermediate and root certificates.

    Note

    CT-VL requires all certificates to be in PEM format.

    b. Run --ca_cert import to import the certificate trust chain. Paste the entire body of each certificate in the order shown in the example, then terminate with Ctrl-d when finished.

    auth> ldap --ca_cert import
Cut-and-paste below a CA Certificate in pem format. Press Ctrl-d when done.
-----BEGIN CERTIFICATE-----
(Your Intermediate certificate: DigiCertCA.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Root certificate: TrustedRoot.crt)
-----END CERTIFICATE-----
Restarting cts (via systemctl): [ OK ]
LDAP CA Certificate has been uploaded.
auth>

  13. Execute the --show option to list the LDAP configuration:

    auth> ldap --show
ENABLE true
SERVER_URI ldap://192.168.118.99:389
BIND_DN cts0@cts.vormetric.com
BIND_PASSWORD ********
USER_SEARCH_SCOPE dc=cts,dc=vormetric,dc=com
GROUP_SEARCH_SCOPE CN=Users,dc=cts,dc=vormetric,dc=com
USER_SEARCH_FILTER sAMAccountName
ACTIVE_USER_GROUP cn=ctsUsers,cn=Users,dc=cts,dc=vormetric,dc=com
SUPER_USER_GROUP
auth>

On this page