LDAP

An LDAP connection to CipherTrust Manager can be configured using either of the following:

Note

The LDAP connection available through connection manager is separate and additional to the LDAP connection available through Access Management.

Managing LDAP Connections using GUI

  • Server URL - enter the URL of the LDAP server.

  • Bind DN - enter the bind DN of the object that has permission to search the root DN for users.

  • Server Bind Password - enter the bind password of the server.

  • Base DN - enter the starting point an LDAP server uses when searching for users.

  • Search Filter for listing users - enter the LDAP search filter to restrict the set of users who will be allowed to log on to the LDAP server.

  • User's login name attribute - enter the attribute on the user object that contains the username used to log on.

  • Group Base DN - enter the starting point an LDAP server uses when searching for groups.

  • Search filter for listing groups - enter the LDAP search filter to restrict the set of groups that will be allowed to log on to the LDAP server.

  • Group Name Attribute - enter the attribute on the group object that contains the friendly name of the group.

  • User's Distinguished Name - enter the user's distinguished name.

  • Group id attribute for group mapping - enter the attribute on the group object that contains the group identifier (name). This value should be unique.

  • User's group membership attribute - enter the attribute on the group object that holds the group membership information, that is, the attribute that refers to the users who are members of the group.

  • Username for test (required for Test) - enter the username required for test connection.

  • Password for test (required for Test) - enter the password required for test connection.

Click the Test Credentials button to check whether the connection is configured correctly. If the test is successful, the status is OK; otherwise the status is Fail.

Click Next to move to the next step.

Currently, the only product supported for LDAP connection is CTE.

Managing LDAP Connections using ksctl

The following operations can be performed:

  • Create/Get/Update/Delete an LDAP connection

  • List all LDAP connections

  • Test an existing LDAP connection

  • Test the new LDAP connection parameters before establishing the connection

To configure an LDAP connection, the only mandatory parameters are base_dn, name, server_url, and user_login_attribute.

Creating an LDAP Connection

To create an LDAP connection, run:

Syntax

ksctl connectionmgmt ldap create --name <connection-name> --server-url <url> --bind-dn <bind-dn> --bind-password <bind-password> --base-dn <base-dn> --search-filter <user-search-filter> --user-login-attribute <user-login-attribute> --group-base-dn <group-base-dn> --group-search-filter <group-search-filter> --group-name-attribute <group-name-attribute> --group-member-field <group-member-field> --root-ca '-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----'

Example Request

ksctl connectionmgmt ldap create --name "ldapConn" --server-url "ldap://172.27.0.6:389" --bind-dn "cn=admin,dc=planetexpress,dc=com" --bind-password "GoodNewsEveryone" --base-dn "dc=planetexpress,dc=com" --search-filter "(objectclass=User)" --user-login-attribute "uid" --group-base-dn "ou=people, dc=planetexpress, dc=com" --group-search-filter "(objectclass=Group)" --group-name-attribute "test1" --group-member-field "member"

Example Response

{
    "id": "200bb517-854a-43c8-af54-7bc12cd35eb0",
    "uri": "kylo:kylo:connectionmgmt:connections:ldapconn-200bb517-854a-43c8-af54-7bc12cd35eb0",
    "account": "kylo:kylo:admin:accounts:kylo",
    "createdAt": "2022-07-28T07:48:09.151996264Z",
    "updatedAt": "2022-07-28T07:48:09.150581053Z",
    "service": "LDAP",
    "category": "IdP",
    "last_connection_ok": null,
    "last_connection_at": "0001-01-01T00:00:00Z",
    "name": "ldapConn",
    "server_url": "ldap://172.27.0.6:389",
    "insecure_skip_verify": false,
    "bind_dn": "cn=admin,dc=planetexpress,dc=com",
    "base_dn": "dc=planetexpress,dc=com",
    "search_filter": "(objectclass=User)",
    "user_login_attribute": "uid",
    "group_base_dn": "ou=people, dc=planetexpress, dc=com",
    "group_filter": "(objectclass=Group)",
    "group_name_attribute": "test1",
    "group_member_field": "member"
}

Getting Details of an LDAP Connection

To get details of an LDAP connection, run:

Syntax

ksctl connectionmgmt ldap get --id <connection-name/Id>

Example Request

ksctl connectionmgmt ldap get --id "ldapConn"

Example Response

{
    "id": "045f76ee-3407-445e-84cf-ede8bdddc688",
    "uri": "kylo:kylo:connectionmgmt:connections:ldapconn-045f76ee-3407-445e-84cf-ede8bdddc688",
    "account": "kylo:kylo:admin:accounts:kylo",
    "createdAt": "2022-07-28T13:25:04.652637Z",
    "updatedAt": "2022-07-28T13:25:17.190261Z",
    "service": "LDAP",
    "category": "IdP",
    "last_connection_ok": null,
    "last_connection_at": "0001-01-01T00:00:00Z",
    "name": "ldapConn",
    "server_url": "ldap://54.27.0.7:389",
    "insecure_skip_verify": false,
    "bind_dn": "cn=admin,dc=planetexpress,dc=com",
    "base_dn": "dc=planetexpress,dc=com",
    "search_filter": "(objectclass=User)",
    "user_login_attribute": "uid",
    "group_base_dn": "ou=people, dc=planetexpress, dc=com",
    "group_filter": "(objectclass=Group)",
    "group_name_attribute": "test1",
    "group_member_field": "member"
}

Updating an LDAP Connection

To update an LDAP connection, run:

Syntax

ksctl connectionmgmt ldap modify --id <connection-name/Id> --server-url <url> --bind-dn <bind-dn> --bind-password <bind-password> --base-dn <base-dn> --search-filter <user-search-filter> --user-login-attribute <user-login-attribute> --group-base-dn <group-base-dn> --group-search-filter <group-search-filter> --group-name-attribute <group-name-attribute> --group-member-field <group-member-field> --root-ca '-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----'

Example Request

ksctl connectionmgmt ldap modify --id "ldapConn" --server-url "ldap://54.27.0.7:389"

Example Response

{
    "id": "045f76ee-3407-445e-84cf-ede8bdddc688",
    "uri": "kylo:kylo:connectionmgmt:connections:ldapconn-045f76ee-3407-445e-84cf-ede8bdddc688",
    "account": "kylo:kylo:admin:accounts:kylo",
    "createdAt": "2022-07-28T13:25:04.652637Z",
    "updatedAt": "2022-07-28T13:25:17.190260884Z",
    "service": "LDAP",
    "category": "IdP",
    "last_connection_ok": null,
    "last_connection_at": "0001-01-01T00:00:00Z",
    "name": "ldapConn",
    "server_url": "ldap://54.27.0.7:389",
    "insecure_skip_verify": false,
    "bind_dn": "cn=admin,dc=planetexpress,dc=com",
    "base_dn": "dc=planetexpress,dc=com",
    "search_filter": "(objectclass=User)",
    "user_login_attribute": "uid",
    "group_base_dn": "ou=people, dc=planetexpress, dc=com",
    "group_filter": "(objectclass=Group)",
    "group_name_attribute": "test1",
    "group_member_field": "member"
}

Deleting an LDAP Connection

To delete an LDAP connection, run:

Syntax

ksctl connectionmgmt ldap delete --id <connection-name/Id>

Example Request

ksctl connectionmgmt ldap delete --id "ldapConn"

No response is returned if the LDAP connection is deleted successfully.

Getting List of LDAP Connections

To list all the LDAP connections, run:

Syntax

ksctl connectionmgmt ldap list

Example Request

ksctl connectionmgmt ldap list

Example Response

{
    "skip": 0,
    "limit": 10,
    "total": 1,
    "resources": [
            {
                "id": "045f76ee-3407-445e-84cf-ede8bdddc688",
                "uri": "kylo:kylo:connectionmgmt:connections:ldapconn-045f76ee-3407-445e-84cf-ede8bdddc688",
                "account": "kylo:kylo:admin:accounts:kylo",
                "createdAt": "2022-07-28T13:25:04.652637Z",
                "updatedAt": "2022-07-28T13:25:17.190261Z",
                "service": "LDAP",
                "category": "IdP",
                "last_connection_ok": null,
                "last_connection_at": "0001-01-01T00:00:00Z",
                "name": "ldapConn",
                "server_url": "ldap://54.27.0.7:389",
                "insecure_skip_verify": false,
                "bind_dn": "cn=admin,dc=planetexpress,dc=com",
                "base_dn": "dc=planetexpress,dc=com",
                "search_filter": "(objectclass=User)",
                "user_login_attribute": "uid",
                "group_base_dn": "ou=people, dc=planetexpress, dc=com",
                "group_filter": "(objectclass=Group)",
                "group_name_attribute": "test1",
                "group_member_field": "member"
            }
        ]
}

Testing an Existing LDAP Connection

To test an existing LDAP connection, run:

Syntax

ksctl connectionmgmt ldap test --id <connection-name/Id>

Example Request

ksctl connectionmgmt ldap test --id "045f76ee-3407-445e-84cf-ede8bdddc688"

Example Response

{
    "connection_ok": true
}

Testing a New LDAP Connection

To test the parameters of a new LDAP connection, run:

Syntax

ksctl connectionmgmt ldap test --server-url <url> --bind-dn <bind-dn> --bind-password <bind-password> --base-dn <base-dn> --search-filter <user-search-filter> --user-login-attribute <user-login-attribute> --group-base-dn <group-base-dn> --group-search-filter <group-search-filter> --group-name-attribute <group-name-attribute> --group-member-field <group-member-field> --root-ca '-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----'

Example Request

ksctl connectionmgmt ldap test --server-url "ldap://54.80.101.85:389" --bind-dn "cn=admin,dc=planetexpress,dc=com" --bind-password "GoodNewsEveryone" --base-dn "dc=planetexpress,dc=com" --search-filter "(objectclass=User)" --user-login-attribute "uid" --group-base-dn "ou=people, dc=planetexpress, dc=com" --group-search-filter "(objectclass=Group)" --group-name-attribute "test1" --group-member-field "member" --username "fry" --conn-password "fry"

Example Response

{
    "connection_ok": true
}
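As an added example (not part of the CipherTrust documentation or of ksctl itself), the following Python pre-flight check reads a connection object in the shape that `ksctl connectionmgmt ldap get` prints and reports the settings an administrator should review before relying on the connection for logon: the mandatory parameters listed above, an `ldap://` server URL (credentials sent without TLS), `insecure_skip_verify`, unbalanced search filters, and a connection that has never passed `ldap test`. The sample object, the `ldaps://...:636` URL in the hardened copy, and the assumption that `ldap://` means no StartTLS are constructed for the example.

```python
from typing import Dict, List
from urllib.parse import urlparse

# Mandatory parameters for `ksctl connectionmgmt ldap create`, per the page.
REQUIRED = ("name", "server_url", "base_dn", "user_login_attribute")

def _balanced(filt: str) -> bool:
    """True if an LDAP filter's parentheses pair up (a cheap syntax sanity check)."""
    depth = 0
    for ch in filt:
        depth += 1 if ch == "(" else -1 if ch == ")" else 0
        if depth < 0:
            return False
    return depth == 0

def check_ldap_connection(conn: Dict) -> List[str]:
    """Return findings for one connection object (the JSON `ksctl ... ldap get` prints).
    An empty list means nothing needs attention before the connection is used for logon."""
    findings = []
    for key in REQUIRED:
        if not conn.get(key):
            findings.append(f"missing mandatory parameter: {key}")
    scheme = urlparse(conn.get("server_url", "")).scheme
    if scheme == "ldap":
        # Assumption: no StartTLS upgrade; the page only offers --root-ca for ldaps.
        findings.append("server_url uses ldap://, so the bind password and every "
                        "user's logon password cross the network unencrypted; use ldaps://")
    elif scheme != "ldaps":
        findings.append(f"server_url has unexpected scheme {scheme!r}")
    if conn.get("insecure_skip_verify"):
        findings.append("insecure_skip_verify is true: the server certificate is not checked")
    for key in ("search_filter", "group_filter"):
        if conn.get(key) and not _balanced(conn[key]):
            findings.append(f"{key} has unbalanced parentheses: {conn[key]}")
    if conn.get("last_connection_ok") is not True:
        findings.append("last_connection_ok is not true; run `ksctl connectionmgmt ldap test --id <id>`")
    return findings

# Constructed sample shaped like the page's "Example Response" for `ldap get`.
SAMPLE = {
    "name": "ldapConn", "server_url": "ldap://54.27.0.7:389", "insecure_skip_verify": False,
    "bind_dn": "cn=admin,dc=planetexpress,dc=com", "base_dn": "dc=planetexpress,dc=com",
    "search_filter": "(objectclass=User)", "user_login_attribute": "uid",
    "group_base_dn": "ou=people, dc=planetexpress, dc=com", "group_filter": "(objectclass=Group)",
    "group_name_attribute": "test1", "group_member_field": "member", "last_connection_ok": None,
}
# Same connection after switching to LDAPS (constructed port 636) and a successful test.
HARDENED = dict(SAMPLE, server_url="ldaps://54.27.0.7:636", last_connection_ok=True)
```

Run `check_ldap_connection` on the output of `ksctl connectionmgmt ldap get --id <id>` (parsed with `json.loads`) after `ldap create` or `ldap modify`, and treat a non-empty list as a reason to fix the connection before CTE clients use it.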