Add LDAP as a directory service

This topic describes how to add LDAP as a directory service so your LDAP users can authenticate to CyberArk Identity.

About the LDAP and CyberArk Identity Connector interface
  • To provision users based on on-prem directory services, you must first install the CyberArk Identity Connector.

  • LDAP communicates with the CyberArk Identity Connector over TLS/SSL on port 636.

  • As part of the client/server handshake between the connector and the LDAP server, the LDAP server must present the connector with an X.509 certificate.

  • To establish a trust relationship between the connector and the LDAP server, you must install the CA certificate that issued the LDAP server’s Server Authentication certificate on the machine running the CyberArk Identity Connector (specifically, the Local Computer Trusted Root Certification Authorities certificate store).

Before you begin

Your LDAP servers must meet the following minimum requirements before you add LDAP as a directory service.

  • The server must support reading of the server's Root DSE (RFC 4512, section 5.1), and the Root DSE attributes must indicate that the server supports the LDAPv3 protocol.

    As LDAPv2 was retired in 2003, most current servers will meet this requirement; however, any server that fails to meet these requirements is not supported.

  • A per-entry attribute that can be used as a server-scope unique identifier is required.

    This attribute should be invariant, i.e. it should never change for the lifetime of the entry. This will default to the DN, but if the DN is liable to change in your installation you can specify a different attribute. In this case an operational attribute such as entryUuid is preferred. If your LDAP server/schema lacks this operational attribute then you can try using a "unique" structural attribute as an alternative, but CyberArk does not recommend or support this.

    In either case, if the attribute ever changes then the user/group that it represents will be seen as a different user/group, resulting in orphaned users, "lost" OATH tokens, and deleted app settings and assignments. It is extremely important that care be taken to select an appropriate attribute. Information about best practices for selecting an attribute for this purpose can be found here.

    The selected attribute may not be changed after the configuration is created.

  • An attribute containing the user's login name must exist and must be able to be queried to obtain the entity's DN, and a simple bind using that DN and a provided credential must be able to be successfully completed.

  • The server must support the Modify Password Extended Operation for password reset/change to work as expected.

CyberArk's LDAP support is flexible enough that you could successfully configure a server that doesn't meet the minimal requirements; however, CyberArk does not recommend or support servers that do not meet the minimal requirements.
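As an added example (not CyberArk's code or part of this documentation), the following Python script checks a server's Root DSE and a user entry offline against the requirements above: LDAPv3 advertised, the Password Modify extended operation (OID 1.3.6.1.4.1.4203.1.11.1, RFC 3062) advertised, and the chosen unique-identifier attribute present and single-valued. The LDIF samples, the `parse_ldif_entry`, `check_root_dse` and `check_unique_id` functions are constructed here for illustration.

```python
# Offline pre-flight check against the LDAP requirements above (added example).

# OID of the Password Modify extended operation (RFC 3062).
PASSWORD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"

# Constructed sample: the Root DSE as returned by a base-scope search of "",
# rendered as a single LDIF entry.
SAMPLE_ROOT_DSE = """\
dn:
supportedLDAPVersion: 3
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
namingContexts: dc=example,dc=com
"""

# Constructed sample user entry carrying the operational attribute entryUUID.
SAMPLE_USER = """\
dn: uid=jdoe,ou=people,dc=example,dc=com
uid: jdoe
mail: jdoe@example.com
mail: john.doe@example.com
entryUUID: 7d0a4e6c-2f8b-4c1e-9a3d-5b6e7f8a9b0c
"""

def parse_ldif_entry(text: str) -> dict[str, list[str]]:
    """Parse one LDIF entry (no folding/base64) into lowercase attr -> values."""
    attrs: dict[str, list[str]] = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs

def check_root_dse(root_dse: dict[str, list[str]]) -> list[str]:
    """Return requirement failures found in the Root DSE (empty list = OK)."""
    problems = []
    if "3" not in root_dse.get("supportedldapversion", []):
        problems.append("server does not advertise LDAPv3 in supportedLDAPVersion")
    if PASSWORD_MODIFY_OID not in root_dse.get("supportedextension", []):
        problems.append("Password Modify extended operation not advertised; "
                        "password reset/change will not work")
    return problems

def check_unique_id(entry: dict[str, list[str]], attr: str) -> list[str]:
    """The chosen unique-identifier attribute must be present and single-valued."""
    values = entry.get(attr.lower(), [])
    if len(values) != 1:
        return [f"{attr} has {len(values)} value(s) on {entry.get('dn', ['?'])[0]}; "
                "it must be present and single-valued"]
    return []
```

To run it against a real server, replace the samples with the LDIF printed by `ldapsearch -x -H ldaps://<host>:636 -b "" -s base +` (Root DSE) and by a search for the test user; the parser ignores `#` comment lines but does not unfold wrapped LDIF lines.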

Add LDAP as a directory service

The following procedures describe how to add LDAP as a directory service in CyberArk Identity.

Step 1: To add LDAP as a directory service

  1. Log in to the Identity Administration portal as a system administrator and go to Settings > Users > Directory Service > Add LDAP Directory.

  2. Provide the required information.

  3. Click the Mappings tab.

    To set up a mapping for your LDAP, edit the attribute names in the right column to the names of the attributes in your LDAP schema that fulfill the description in the left column.

The attribute mapping for Unique Identifier cannot be modified after saving the configuration.

  4. Click Connectors and select the CyberArk Identity Connector to use with this service or let the LDAP server find an available cloud connector.

  5. Click Save.

LDAP users are now available in CyberArk Identity. Add them to Roles so you can grant permissions to applications, enforce authentication profiles, and more.

Step 2: Test the attribute mapping

Once you have completed mapping the LDAP service, click the Test button and enter the login name of the user you wish to test. The user entry is loaded from the LDAP server and the attribute mapping results for that user are displayed.

Update an existing LDAP Directory Service

To update an existing LDAP Directory Service instance, perform the following steps.

  1. Log in to the Admin Portal as a system administrator.

  2. Click Settings > Users > Directory Services and click an existing LDAP Directory Service instance.

  3. Update the values needed and click Save.

Delete an LDAP Directory Service

To delete an LDAP Directory Service, perform the following steps.

  1. Log in to the Admin Portal as a system administrator.

  2. Click Settings > Users > Directory Services and select an existing LDAP Directory Service account.

  3. Navigate to Actions and choose Delete from the dropdown.