Configuring an LDAP connection

An LDAP connection allows Trust Protection Foundation to read user and group data directly from an LDAP identity provider, such as Oracle Directory Server Enterprise Edition (ODSEE).

Because LDAP connections are read-only, you manage all your external users and groups within your LDAP directory, but you assign their permissions internally within the Trust Protection Foundation consoles.

Trust Protection Foundation supports LDAP identity object connections to providers using any of the following Internet protocols:

  • IPv4-only or IPv6-only connections
  • IPv4/IPv6 dual-stack (DS) connections

Prerequisites

To establish the connection, you need the following:

  • The fully qualified DNS host name or IP address of your LDAP server.
  • The port number used for the connection (typically 389 for standard LDAP, or 636 for LDAPS/StartTLS).
  • LDAP authentication credentials that have permission to read the directory. You must provide this account in Distinguished Name (DN) format (for example, cn=Administrator,cn=Users,dc=example,dc=com).
  • If you plan to use an encrypted connection, you must have downloaded and installed the certificates required to establish an SSL connection with the LDAP server.
  • If you are using ODSEE, you can configure the LdapVendor.Oracle-DSee-11g.xml file to match your environment settings. For additional information about configuring for other vendors, contact Customer Support.

To create an LDAP connector

  1. On the CyberArk server, open the CyberArk Configuration Console and navigate to the Connectors node.
  2. In the Actions panel, under Create Identity Connectors, click LDAP Connector.
  3. On the Welcome page, log in with your master administrator credentials if prompted, and then click Next.
  4. On the Before You Begin page, read the requirements and click Next.
  5. On the Connection Information page, complete the following fields, and then click Next:

    Parameter name | Description
    Name / Address | A fully qualified DNS host name or IP address of the LDAP directory that requires connectivity to Trust Protection Foundation.
    Port | The port number for the connection. The default port is 636 for Lightweight Directory Access Protocol over TLS/SSL, or 389 for unencrypted connections.
    Timeout | The maximum number of seconds to search the provider for identity information.
    Encryption | The kind of encryption to use. Select one of the following: No Encryption (not recommended), Use SSL Encryption (ldaps://), or Use StartTLS Extension.
    Disable certificate revocation check | (Optional) Bypass checking the revocation list to determine whether the encryption certificate is revoked.
    Allow anonymous binds | (Optional) Retrieve the initial binding context from the identity provider. If this option is cleared, the wizard connects with the user name and password that you supply on the next screen of the wizard. To retrieve the required naming contexts, the wizard binds anonymously only for the purpose of reading the rootDSE; all subsequent actions performed by the wizard use a user bind.
    Expert Mode (checkbox on the Connection page) | (Optional) When enabled, Expert Mode allows the wizard to override the Search Base chosen on the Search Base page and lets you select a vendor map file on the Vendor Selection page without performing the usual vendor schema validation. The normal wizard flow (when Expert Mode is disabled) requires elevated LDAP permissions to perform automatic vendor discovery; Expert Mode bypasses this automatic discovery, allowing setup with more limited LDAP permissions when you already know the correct vendor configuration. Use Expert Mode only when instructed by your LDAP administrator. Applies to LDAP connectors only.
    Use 'Member Of' for group membership resolution | (Optional) Resolve group membership through the Member Of attribute on user entries.
    Disable user and group search validation by wizard | (Optional) Bypass validating the users and groups.
  6. On the Authentication Credentials page, enter the User DN and Password for your LDAP service account, and then click Next.
    An example User DN: cn=Admin,dc=odsee-qa,dc=example,dc=com.

    NOTE  Optional setting: Do not configure as Master Admin (checkbox on the Authentication Credentials page)

    If you select Do not configure as Master Admin, the wizard will not automatically configure the LDAP service account as a Master Admin in the CyberArk Configuration Console (VCC). Use this option when your organization prohibits using service accounts for everyday logins; in those environments the service account may not be visible in regular user searches.

    IMPORTANT  Post-configuration step: If you enable Do not configure as Master Admin, you must manually assign the initial Master Admin for this connector after creation. To do so, open the CyberArk Configuration Console, navigate to the System Roles node, and assign the Master Admin role for this connector to an appropriate user or group.

  7. On the Search Base page, select the default container from the list to search for user and group folders, and then click Next.

    NOTE  No folders higher in the tree than the default container you select here will be visible in future searches.

    NOTE  Expert Mode behavior

    If you enabled Expert Mode on the Connection page (see the Connection Information table), the wizard may override this Search Base during discovery. After the connector is created, verify the Search Base in the connector Properties.

  8. On the Vendor Selection page, select the name of the vendor for this identity connector.

    NOTE  Vendor Selection and Expert Mode

    If you enabled Expert Mode on the Connection page, the wizard lets you select a vendor map file without performing the normal vendor schema validation. Use Expert Mode only when directed by your LDAP administrator.

  9. On the User Search Root page, optionally type a folder search value in the Container Search Filter box and click Refresh to narrow the list. Select the user containers you want to include in the search, and then click Next.
  10. On the Group Search Root page, either select Match User Search Containers to replicate your previous selections, or manually expand the tree to select the specific group containers you want to include. Click Next.
  11. On the Finalization page, complete the following fields:

    Parameter name | Description
    Object Name | A name for your new LDAP provider object that appears in the administration consoles. Choose a unique name that helps administrators recognize the provider.
    Friendly Name | A friendly name for the connection. This name acts as a prefix if end-users need to explicitly route their login to this directory (for example, LDAP+FriendlyName:username).
    Rank | The order in which the identity connectors are searched when looking for users. Trust Protection Foundation searches for users starting with the lowest rank number first. Where identical names exist in several connectors, such as Administrator, the system finds the first instance. If the password is incorrect, no additional searches occur in the other providers.
  12. Click Finish.
  13. Restart the Trust Protection Foundation service, the Log Server service, and IIS on all Trust Protection Foundation servers in the cluster.
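The Friendly Name routing and Rank search order described for the Finalization page, modelled as an added Python example (not the product's own code). Connector names, friendly names, passwords and the in-memory user stores are constructed; the model shows why a user name that exists in two connectors is reachable in the lower-ranked one only with the LDAP+FriendlyName: prefix.

```python
import hmac

# Constructed identity connectors carrying the Finalization-page fields
# (Object Name, Friendly Name, Rank). The user stores are toy in-memory
# dicts standing in for the directories; this is not the product's own code.
CONNECTORS = [
    {"name": "Local", "friendly": "Local", "rank": 1,
     "users": {"Administrator": "local-pw", "alice": "alice-pw"}},
    {"name": "ODSEE-QA", "friendly": "ODSEE", "rank": 2,
     "users": {"Administrator": "ldap-pw", "bob": "bob-pw"}},
]

def parse_login(login):
    """Split an explicit 'LDAP+FriendlyName:username' login into
    (friendly_name, username); a plain username yields (None, username)."""
    if login.startswith("LDAP+") and ":" in login:
        friendly, _, user = login[len("LDAP+"):].partition(":")
        return friendly, user
    return None, login

def authenticate(login, password, connectors=CONNECTORS):
    """Return the Object Name of the connector that authenticated the login,
    or None. Models the documented behaviour: a friendly-name prefix routes
    to that connector only; otherwise connectors are searched by ascending
    Rank, the first one holding the username is used, and a wrong password
    there ends the search without trying lower-ranked providers."""
    friendly, user = parse_login(login)
    ordered = sorted(connectors, key=lambda c: c["rank"])
    if friendly is not None:
        ordered = [c for c in ordered if c["friendly"] == friendly]
    for conn in ordered:
        if user in conn["users"]:
            ok = hmac.compare_digest(conn["users"][user], password)
            return conn["name"] if ok else None
    return None

def shadowed_users(connectors=CONNECTORS):
    """Usernames present in more than one connector: in the lower-ranked
    connectors they can only be reached with an explicit friendly-name prefix.
    Returns (username, connector_found_first, connector_shadowed) tuples."""
    seen, shadowed = {}, []
    for conn in sorted(connectors, key=lambda c: c["rank"]):
        for user in conn["users"]:
            if user in seen:
                shadowed.append((user, seen[user], conn["name"]))
            else:
                seen[user] = conn["name"]
    return shadowed
```

Running shadowed_users() against your real connector inventory before going live tells you which accounts will need the friendly-name prefix.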

Map your LDAP Lockout Attribute to prevent unauthorized access

If an employee is locked out of your LDAP directory, they might still be able to authenticate to Trust Protection Foundation, because identities are cached for 10 minutes. If the lockout attribute is not explicitly mapped, a locked-out LDAP user can still obtain a new OAuth token with a refresh token, authenticate via SAML, or authenticate using a client certificate.

Because LDAP provider implementations vary, you must manually update the connector to explicitly recognize your directory's lockout attribute:

  1. In the CyberArk Configuration Console, navigate to the Connectors node and open your LDAP identity connector's Properties.
  2. On the General tab, find the Lockout Attribute field.
  3. Type the exact attribute name used by your specific LDAP provider to indicate an intruder lockout.
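A pre-check for step 3, added here as an example rather than taken from the product: export the same user entry as LDIF before and after a lockout in a test directory, then diff the two exports to see which attribute your provider sets. The sample LDIF and its attribute names are constructed; your directory's names will differ, and the value you enter in the Lockout Attribute field must match them exactly.

```python
import base64

def parse_ldif_entry(ldif):
    """Parse one LDIF entry into {attribute: [values]}: handles folded lines,
    '::' base64 values and multi-valued attributes; skips comments and dn:.
    Attribute names keep the server's case, as the wizard needs the exact name."""
    lines = []
    for raw in ldif.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, _, value = line.partition(":")
        if name.lower() == "dn":
            continue
        if value.startswith(":"):              # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        attrs.setdefault(name, []).append(value)
    return attrs

def changed_attributes(before, after):
    """{attr: (old_values, new_values)} for attributes that differ between snapshots."""
    a, b = parse_ldif_entry(before), parse_ldif_entry(after)
    diff = {}
    for name in sorted(set(a) | set(b)):
        old, new = sorted(a.get(name, [])), sorted(b.get(name, []))
        if old != new:
            diff[name] = (old, new)
    return diff

def lockout_candidates(before, after):
    """Attributes present only in the locked-out snapshot: the likely Lockout
    Attribute. Counters that merely change (retry counts) are excluded."""
    return [n for n, (old, _) in changed_attributes(before, after).items() if not old]

# Constructed sample exports of one user before and after an intruder lockout;
# attribute names are illustrative only, use the names your own directory sets.
BEFORE = """dn: uid=jdoe,ou=People,dc=example,dc=com
uid: jdoe
description:: SmFuZSBEb2U=
memberOf: cn=tpp-admins,ou=Groups,
 dc=example,dc=com
passwordRetryCount: 0
"""
AFTER = BEFORE.replace("passwordRetryCount: 0", "passwordRetryCount: 3") + "pwdAccountLockedTime: 20240501120000Z\n"
```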

What's next?

Your LDAP users can now log in to the system. By default, Trust Protection Foundation verifies their credentials by securely passing the password the user enters on the login screen directly to your LDAP server.

If you want to bypass local password entry and instead delegate credential verification for these users to an external identity provider, proceed to Configuring single sign-on for an identity connector to map this directory to an OpenID Connect (OIDC) or SAML profile.