Privacera Documentation

Connect Privacera Platform portal users from LDAP

You can configure the Privacera portal to reference an external LDAP or LDAP over SSL directory to authenticate users.

Prerequisites

Determine the following LDAP values:

  • FQDN and port of your LDAP server, and whether it serves plain LDAP or LDAP over SSL (LDAPS). The portal takes these as LDAP_HOST:LDAP_PORT, not as an ldap:// or ldaps:// URL.

  • Complete Bind DN

  • Bind DN password

  • Top-level search base

  • User search base

  • Group search base

  • Username attribute

  • DN attribute

For an SSL-enabled (LDAPS) server, the portal must trust the server's certificate. Set the Privacera property PORTAL_LDAP_SSL_ENABLED: "true" and then choose one of two ways to provide the truststore:

  • Let Privacera Manager download the certificate from the LDAP server URL and build the truststore from it. Set the Privacera property PORTAL_LDAP_SSL_PM_GEN_TS: "true". Privacera Manager trusts whatever certificate the server presents at update time, so confirm its fingerprint with your directory administrators before relying on it.

  • Manually configure a truststore on the Privacera server that contains the certificate of the LDAP server. Set the Privacera property PORTAL_LDAP_SSL_PM_GEN_TS: "false".

Procedure

To configure the Privacera portal to reference an external LDAP directory:

  1. SSH to the instance where Privacera is installed.

  2. Run the following commands:

    cd ~/privacera/privacera-manager
    cp config/sample-vars/vars.portal.ldaps.yml config/custom-vars/
    vi config/custom-vars/vars.portal.ldaps.yml
    
  3. Uncomment the properties and replace every <PLEASE_CHANGE> with the value for your directory. For the meaning and an example of each property, see LDAP Privacera Platform portal configuration properties below.

    PORTAL_LDAP_ENABLE: "true"
    PORTAL_LDAP_URL: "<PLEASE_CHANGE>"
    PORTAL_LDAP_BIND_DN: "<PLEASE_CHANGE>"
    PORTAL_LDAP_BIND_PASSWORD: "<PLEASE_CHANGE>"
    PORTAL_LDAP_SEARCH_BASE: "<PLEASE_CHANGE>"
    PORTAL_LDAP_USER_SEARCH_BASE: "<PLEASE_CHANGE>"
    PORTAL_LDAP_GROUP_SEARCH_BASE: "<PLEASE_CHANGE>"
    PORTAL_LDAP_USERNAME_ATTRIBUTE: "<PLEASE_CHANGE>"
    PORTAL_LDAP_DN_ATTRIBUTE: "<PLEASE_CHANGE>"
    PORTAL_LDAP_BIND_ANONYMOUSLY: "false"
    PORTAL_LDAP_SSL_ENABLED: "true"
    PORTAL_LDAP_SSL_PM_GEN_TS: "true"
    
  4. Run the Privacera Manager update.

    cd ~/privacera/privacera-manager
    ./privacera-manager.sh update
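
Before running the update, it is worth checking the edited vars file for the mistakes this page's property table warns about: placeholders left in place, a URL written with an ldap:// or ldaps:// scheme instead of LDAP_HOST:LDAP_PORT, bind DN or search bases that are not DNs, and settings that weaken the integration (SSL disabled, anonymous bind, or a truststore generated from whatever certificate the server presents). The following pre-flight lint is an added example written for this page, not part of Privacera Manager. It parses the flat KEY: "value" lines of vars.portal.ldaps.yml itself, so it needs no YAML library; SAMPLE_VARS is a constructed copy of the property block above with the page's example values filled in and the password placeholder left unchanged. Its DN and host:port checks are loose syntax checks, and the assumption that PORTAL_LDAP_USER_SEARCH_BASE and PORTAL_LDAP_GROUP_SEARCH_BASE should lie under PORTAL_LDAP_SEARCH_BASE is reported only as a warning.

```python
"""Pre-flight lint for vars.portal.ldaps.yml (added example, not Privacera code):
flags settings that break or weaken the portal's LDAP setup before the PM update."""
import re
import sys

PLACEHOLDER = "<PLEASE_CHANGE>"
REQUIRED = ("PORTAL_LDAP_URL", "PORTAL_LDAP_SEARCH_BASE", "PORTAL_LDAP_USER_SEARCH_BASE",
            "PORTAL_LDAP_GROUP_SEARCH_BASE", "PORTAL_LDAP_USERNAME_ATTRIBUTE",
            "PORTAL_LDAP_DN_ATTRIBUTE")
_HOST_PORT = re.compile(r"^[A-Za-z0-9.-]+:\d{1,5}$")   # LDAP_HOST:LDAP_PORT, no scheme
_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,]+$")    # loose attr=value component

# Constructed sample: the property block from this page with its example values
# filled in and the bind password placeholder deliberately left in place.
SAMPLE_VARS = """\
PORTAL_LDAP_ENABLE: "true"
PORTAL_LDAP_URL: "xxx.example.com:983"
PORTAL_LDAP_BIND_DN: "CN=Bind User,OU=example,DC=ad,DC=example,DC=com"
PORTAL_LDAP_BIND_PASSWORD: "<PLEASE_CHANGE>"
PORTAL_LDAP_SEARCH_BASE: "ou=example,dc=ad,dc=example,dc=com"
PORTAL_LDAP_USER_SEARCH_BASE: "ou=example,dc=ad,dc=example,dc=com"
PORTAL_LDAP_GROUP_SEARCH_BASE: "OU=example_services,OU=example,DC=ad,DC=example,DC=com"
PORTAL_LDAP_USERNAME_ATTRIBUTE: "sAMAccountName"
PORTAL_LDAP_DN_ATTRIBUTE: "dc"
PORTAL_LDAP_BIND_ANONYMOUSLY: "false"
PORTAL_LDAP_SSL_ENABLED: "true"
PORTAL_LDAP_SSL_PM_GEN_TS: "true"
"""

def parse_vars(text):
    """Return {key: value} for the uncommented PORTAL_LDAP_* lines of a vars file."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue                           # blank, comment, or not a property
        key, _, val = line.partition(":")      # first colon only: a password may contain ':'
        key, val = key.strip(), val.strip()
        if key.startswith("PORTAL_LDAP_"):
            if len(val) >= 2 and val[0] == val[-1] == '"':
                val = val[1:-1]                # drop the surrounding quotes
            props[key] = val
    return props

def is_set(props, key):
    return props.get(key, "") not in ("", PLACEHOLDER)

def is_dn(value):
    """Loose DN syntax check: comma-separated attr=value components."""
    return all(_RDN.match(p.strip()) for p in value.split(","))

def under_base(dn, base):
    """True if dn equals base or lies in its subtree (DNs compare case-insensitively)."""
    norm = lambda s: ",".join(p.strip().lower() for p in s.split(","))
    d, b = norm(dn), norm(base)
    return d == b or d.endswith("," + b)

def lint(props):
    """Return (errors, warnings): errors break the setup, warnings weaken its security."""
    errors, warnings = [], []
    on = lambda key, default: props.get(key, default).lower() == "true"
    if not on("PORTAL_LDAP_ENABLE", "false"):
        errors.append('PORTAL_LDAP_ENABLE is not "true"; the portal will not use LDAP')
    errors += [f"{k} is missing or still {PLACEHOLDER}" for k in REQUIRED if not is_set(props, k)]

    url = props.get("PORTAL_LDAP_URL", "")
    if is_set(props, "PORTAL_LDAP_URL"):
        if "://" in url:
            errors.append("PORTAL_LDAP_URL must be LDAP_HOST:LDAP_PORT without an ldap:// or ldaps:// scheme")
        elif not _HOST_PORT.match(url):
            errors.append(f"PORTAL_LDAP_URL {url!r} is not HOST:PORT")

    if on("PORTAL_LDAP_BIND_ANONYMOUSLY", "false"):
        warnings.append("anonymous bind: the directory must allow unauthenticated search of the user and group bases")
    else:
        errors += [f"{k} is required unless PORTAL_LDAP_BIND_ANONYMOUSLY is true"
                   for k in ("PORTAL_LDAP_BIND_DN", "PORTAL_LDAP_BIND_PASSWORD") if not is_set(props, k)]
        if is_set(props, "PORTAL_LDAP_BIND_DN") and not is_dn(props["PORTAL_LDAP_BIND_DN"]):
            errors.append("PORTAL_LDAP_BIND_DN is not a DN")

    top = props.get("PORTAL_LDAP_SEARCH_BASE", "")
    for k in REQUIRED[1:4]:                    # the three search bases
        if is_set(props, k) and not is_dn(props[k]):
            errors.append(f"{k} {props[k]!r} is not a DN")
        elif is_set(props, k) and k != "PORTAL_LDAP_SEARCH_BASE" and is_dn(top) and not under_base(props[k], top):
            # Assumption: the top-level base is meant to contain the user and group bases.
            warnings.append(f"{k} is outside PORTAL_LDAP_SEARCH_BASE; check that this is intended")

    if not on("PORTAL_LDAP_SSL_ENABLED", "false"):
        warnings.append("PORTAL_LDAP_SSL_ENABLED is false: simple binds send bind and user passwords in cleartext")
    elif on("PORTAL_LDAP_SSL_PM_GEN_TS", "true"):
        warnings.append("PORTAL_LDAP_SSL_PM_GEN_TS is true: the truststore is built from whatever certificate "
                        "the server presents at update time; confirm its fingerprint out of band")
    return errors, warnings

if __name__ == "__main__":                     # usage: python3 ldap_vars_lint.py <vars file>
    with open(sys.argv[1]) as fh:
        errs, warns = lint(parse_vars(fh.read()))
    print("\n".join([f"ERROR: {m}" for m in errs] + [f"WARN:  {m}" for m in warns]))
    sys.exit(1 if errs else 0)
```

Saved under a name of your choosing (ldap_vars_lint.py is assumed above) and run against config/custom-vars/vars.portal.ldaps.yml, it exits non-zero when an error is found, so it can gate ./privacera-manager.sh update in a deployment script. On SAMPLE_VARS it reports the untouched bind password as the one error and the PM-generated truststore as the one warning.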
    

LDAP Privacera Platform portal configuration properties

| Property | Description | Example |
|---|---|---|
| PORTAL_LDAP_URL | Host and port of the LDAP server as LDAP_HOST:LDAP_PORT, without an ldap:// or ldaps:// prefix. Plain LDAP conventionally listens on 389 and LDAPS on 636; use the port your server actually exposes. | xxx.example.com:983 |
| PORTAL_LDAP_BIND_DN | DN of the account the portal binds as to search the directory. Use a dedicated account with read-only access to the user and group search bases. | CN=Bind User,OU=example,DC=ad,DC=example,DC=com |
| PORTAL_LDAP_BIND_PASSWORD | Password of the bind DN account. It is written in clear text into vars.portal.ldaps.yml, so restrict read access to that file. | |
| PORTAL_LDAP_SEARCH_BASE | Top-level search base. | ou=example,dc=ad,dc=example,dc=com |
| PORTAL_LDAP_USER_SEARCH_BASE | Subtree searched for user entries. | ou=example,dc=ad,dc=example,dc=com |
| PORTAL_LDAP_GROUP_SEARCH_BASE | Subtree searched for group entries. | OU=example_services,OU=example,DC=ad,DC=example,DC=com |
| PORTAL_LDAP_USERNAME_ATTRIBUTE | Attribute holding the login name users type into the portal (sAMAccountName on Active Directory; uid is common on OpenLDAP). | sAMAccountName |
| PORTAL_LDAP_DN_ATTRIBUTE | DN attribute. | dc |
| PORTAL_LDAP_SSL_ENABLED | For an SSL-enabled (LDAPS) server, set this value to true. | true |
| PORTAL_LDAP_SSL_PM_GEN_TS | Set this to true if you want Privacera Manager to generate the truststore for your LDAPS server from the certificate it downloads. Set this to false if you want to provide the truststore certificate manually. To learn how to upload SSL certificates, [click here](../pm-ig/upload_custom_cert.md). | true |

Map LDAP roles to existing Privacera roles

You can map LDAP roles to Privacera roles using Privacera LDAP Role Mapping, so that Privacera's access control applies to users according to the role they hold in LDAP.

To map LDAP roles to Privacera roles:

  1. Log in to the Privacera Portal as padmin or as a user with the Privacera ROLE_SYSADMIN role.

  2. From the navigation menu, select Settings > System Configurations.

  3. Select Custom Properties.

  4. Click on Add Property and enter the new property: auth.ldap.enabled=true.

  5. Click Save.

  6. Go to Settings > LDAP Role Mapping.

  7. Add the appropriate role mappings.

    When an LDAP user next logs in, the mapped Privacera role is applied to that user. LDAP users can log in only after the LDAP setup with Privacera Manager described above has completed.