Privacera Platform master publication

LDAP / LDAP-S

This topic covers how to configure the Privacera Platform to attach to an external Active Directory (AD), LDAP, or LDAPS (LDAP over SSL) directory and import the users and groups defined there as data access users and groups.

Prerequisites

Before starting these steps, prepare the following. You need to configure various Privacera properties with these values, as detailed in Configuration.

Determine the following LDAP values:

  • The FQDN, port, and protocol (ldap or ldaps) of your LDAP server

  • DN

  • Complete Bind DN

  • Bind DN password

  • Top-level search base

  • User search base

To configure an SSL-enabled LDAP-S server, Privacera requires the server's SSL certificate. Set the Privacera property USERSYNC_SYNC_LDAP_SSL_ENABLED: "true", then provide the certificate in one of two ways:

  • Allow Privacera Manager to download the certificate from the LDAP-S server URL and create the truststore. Set the Privacera property USERSYNC_SYNC_LDAP_SSL_PM_GEN_TS: "true".

  • Manually configure a truststore on the Privacera server that contains the certificate of the LDAP-S server. Set the Privacera property USERSYNC_SYNC_LDAP_SSL_PM_GEN_TS: "false".

Configuration
  1. SSH to the instance as ${USER}.

  2. Set the following properties. See Configuration Properties below, and Access Manager LDAP-related properties and descriptions.

    USERSYNC_SYNC_LDAP_URL: "<PLEASE_CHANGE>"
    USERSYNC_SYNC_LDAP_BIND_DN: "<PLEASE_CHANGE>"
    USERSYNC_SYNC_LDAP_BIND_PASSWORD: "<PLEASE_CHANGE>"
    USERSYNC_SYNC_LDAP_SEARCH_BASE: "<PLEASE_CHANGE>"
    USERSYNC_SYNC_LDAP_USER_SEARCH_BASE: "<PLEASE_CHANGE>"
    USERSYNC_SYNC_LDAP_SSL_ENABLED: "true"
    USERSYNC_SYNC_LDAP_SSL_PM_GEN_TS: "true"
    
  3. Run Privacera Manager update.

    cd ~/privacera/privacera-manager
    ./privacera-manager.sh update
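
Before running the update, it helps to sanity-check the property values. The following pre-flight check is an added example, not Privacera's own tooling: it parses `KEY: "value"` lines in the form shown above, flags leftover <PLEASE_CHANGE> placeholders and malformed DNs, and confirms that USERSYNC_SYNC_LDAP_SSL_ENABLED agrees with the URL scheme, so the bind password is not sent over a cleartext ldap:// connection by mistake. The SAMPLE block is constructed for illustration.

```python
import re
from urllib.parse import urlsplit

PLACEHOLDER = "<PLEASE_CHANGE>"
LINE_RE = re.compile(r'^\s*(USERSYNC_SYNC_LDAP_\w+)\s*:\s*"?([^"]*)"?\s*$')
# Accepts DNs like CN=Bind User,OU=example,DC=ad,DC=example,DC=com
DN_RE = re.compile(r"^[A-Za-z]+=[^,]+(?:,[A-Za-z]+=[^,]+)*$")
DN_KEYS = tuple("USERSYNC_SYNC_LDAP_" + s for s in ("BIND_DN", "SEARCH_BASE", "USER_SEARCH_BASE"))


def parse_props(text):
    """Collect the USERSYNC_SYNC_LDAP_* lines into a dict, quotes stripped."""
    props = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def check_props(props):
    """Return findings as 'ERROR: ...' / 'WARN: ...' strings; empty means clean."""
    out = []
    unset = {k for k, v in props.items() if not v or PLACEHOLDER in v}
    out += [f"ERROR: {k} is empty or still {PLACEHOLDER}" for k in sorted(unset)]
    for key in DN_KEYS:
        if key in props and key not in unset and not DN_RE.match(props[key]):
            out.append(f"ERROR: {key} is not a valid DN")
    url = urlsplit(props.get("USERSYNC_SYNC_LDAP_URL", ""))
    ssl_on = props.get("USERSYNC_SYNC_LDAP_SSL_ENABLED", "").lower() == "true"
    if url.scheme not in ("ldap", "ldaps"):
        out.append("ERROR: URL must start with ldap:// or ldaps://, not http/https")
    elif ssl_on != (url.scheme == "ldaps"):
        out.append("ERROR: USERSYNC_SYNC_LDAP_SSL_ENABLED does not match the URL scheme")
    elif url.scheme == "ldap":  # bind DN and password would cross the wire unencrypted
        out.append("WARN: ldap:// sends the bind password in cleartext; prefer ldaps://")
    return out


# Constructed sample in the form of the block above; the values are not real
SAMPLE = """
USERSYNC_SYNC_LDAP_URL: "ldaps://dir.ldap.us:636"
USERSYNC_SYNC_LDAP_BIND_DN: "CN=Bind User,OU=example,DC=ad,DC=example,DC=com"
USERSYNC_SYNC_LDAP_BIND_PASSWORD: "<PLEASE_CHANGE>"
USERSYNC_SYNC_LDAP_SEARCH_BASE: "OU=example,DC=ad,DC=example,DC=com"
USERSYNC_SYNC_LDAP_USER_SEARCH_BASE: "OU=users,OU=example,DC=ad,DC=example,DC=com"
USERSYNC_SYNC_LDAP_SSL_ENABLED: "false"
USERSYNC_SYNC_LDAP_SSL_PM_GEN_TS: "true"
"""

if __name__ == "__main__":
    print("\n".join(check_props(parse_props(SAMPLE))))
```

For the sample above the check reports the unfilled bind password and the ldaps:// URL paired with SSL_ENABLED "false"; fix both and it returns no findings.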
    
Configuration Properties

| Property | Description | Example |
|---|---|---|
| USERSYNC_SYNC_LDAP_URL | URL of the LDAP server (protocol, FQDN, and port). | "ldap://dir.ldap.us:389" (when non-SSL) or "ldaps://dir.ldap.us:636" (when SSL) |
| USERSYNC_SYNC_LDAP_BIND_DN | Complete bind DN. | CN=Bind User,OU=example,DC=ad,DC=example,DC=com |
| USERSYNC_SYNC_LDAP_BIND_PASSWORD | Password for the bind DN. | |
| USERSYNC_SYNC_LDAP_SEARCH_BASE | Top-level search base. | OU=example,DC=ad,DC=example,DC=com |
| USERSYNC_SYNC_LDAP_USER_SEARCH_BASE | User search base. | |
| USERSYNC_SYNC_LDAP_SSL_ENABLED | Set this to true if SSL is enabled on the LDAP server. | true |
| USERSYNC_SYNC_LDAP_SSL_PM_GEN_TS | Set this to true if you want Privacera Manager to generate the truststore certificate. Set this to false if you want to manually provide the truststore certificate. To learn how to upload SSL certificates, [click here](../pm-ig/upload_custom_cert.md). | true |