LDAP integration

This topic describes how to connect to a domain, and create, edit and delete directory mappings.

Overview

Privilege Cloud integrates with LDAP directory servers to obtain user identification and security information. This enables Privilege Cloud to automatically provision users and groups.

LDAP users are provisioned using directory maps. A directory map determines whether a user account or group may be created in Privilege Cloud, and according to which criteria. Each map contains rules, which specify the users and groups who can access Privilege Cloud, and a template which contains the security attributes and authorizations that are applied when an LDAP user account is created.

Privilege Cloud includes built-in directory maps for the most common user roles. You can use these directory maps immediately and modify them with relevant mapping rules according to your enterprise standards, or create new directory maps.

Before you can configure your directory mappings in the Privilege Cloud Portal, you must first configure your connection to the LDAP server. For details, see Connect your LDAP directory server.

Before you begin

Only LDAP users assigned to LDAP groups are integrated into Privilege Cloud. Ensure all relevant users are assigned to predefined groups that are mapped to Privilege Cloud roles.
Only LDAP users that are enabled are integrated into Privilege Cloud. Ensure all relevant users are enabled.
Check encryption ciphers.

Supported cipher suites for encrypted communication between CyberArk backend and LDAP integrations

ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

ECDHE_RSA_WITH_AES_256_GCM_SHA384

ECDHE_RSA_WITH_AES_128_GCM_SHA256

DHE_RSA_WITH_AES_256_GCM_SHA384

DHE_RSA_WITH_AES_128_GCM_SHA256

Connect to your domain

Before you can create directory mappings, you must first define the LDAP domain to which you want to connect.

To connect to a new domain:

Log on to the Privilege Cloud Portal, and then click User Provisioning > LDAP Integration .
On the LDAP Integration page, click New Domain.

In Define domain, enter the following information, and then click Next.

Setting	Description
Domain name	The FQDN of the first domain controller that you set up in the Secure Tunnel. For details, see Deploy Secure Tunnel.
Use Secure connection (SSL)	Privilege Cloud requires LDAPS. Do not change this setting. Make sure that you provided the LDAPS certificates, as described in Retrieve the LDAPS certificate and deliver it to CyberArk.
Bind user name	The name of the user that will be used to connect to the domain. Use either of the following structures: user@<domain>.com or <domain>.com\user. Note: This user must have Read-Only access to the domain and no other permissions. They cannot be a member of a privileged domain group.
Bind user password	The password of the user that will be used to connect to the domain.
Domain base context	The base context of the domain to connect to. Specify the search base used to locate the groups where the LDAP user is a member of. For example: DC=MyDomain,DC=com

In Select domain controllers, the detected domain controllers are displayed in a list, select the first domain controller that you set up in the Secure Tunnel (for details, see Deploy Secure Tunnel, and then click Next.

Activate Show only selected to view only the domain controllers that will be mapped.

For defining additional domain controllers, contact CyberArk support.

The Create directory mapping lists four default maps that represent the basic administrative roles in Privilege Cloud.

Default maps

Role	Description	Added to Vault groups
Vault Admins	A highly privileged role for users who manage Privilege Cloud.	Vault Admins PVWAMonitor
Safe managers	Users who manage users, create safes, and create accounts.	PVWAMonitor
Auditors	Users who have access to information such as audit logs, reports, and session recordings.	Auditors PVWAMonitor
Users	A default role for all other users. It allows users to log on to the system, but does not give them any administrative permissions. Other permissions are determined by safe membership. For details, see Manage Safe members.

Click Define map next to the map, then specify the name of the user or group as it is written in the Active Directory. Click View users to display the users and groups in the selected LDAP group.

External groups are created for the LDAP groups that you mapped using default mapping rules. Each external group is added to its corresponding Vault group.

The Summary page lists the specified mapping and directory details.
Check that the mapping and directory are correct, then click Save.

Add directory mapping

In addition to the default mappings created in the domain, you can add new directory mappings.

To add a directory mapping:

In the Privilege Cloud Portal, click User Provisioning > LDAP Integration.
On the LDAP Integration page, click Add Mapping.

On the Define map properties page, enter the following information, and then click Next.

Field	Description
Map name	The unique name of the directory mapping. Ensure that the map name you define differs from the LDAP group you are mapping. If the map name is identical to the LDAP group name, the directory mapping will fail.
Map order	The order in which the directory maps are matched with users and groups from the External Directory when determining if they can be created in the Vault. The arrows next to the list enable you to move maps higher or lower in the list, altering their priority.
Activity logs	The number of days that activity logs are kept.

Field

Description

Map name

The unique name of the directory mapping.

Ensure that the map name you define differs from the LDAP group you are mapping. If the map name is identical to the LDAP group name, the directory mapping will fail.

Map order

The order in which the directory maps are matched with users and groups from the External Directory when determining if they can be created in the Vault.

The arrows next to the list enable you to move maps higher or lower in the list, altering their priority.

Activity logs

The number of days that activity logs are kept.

On the Set mapping scope page, select the LDAP group, and then click Next.

Click View users to see the users that belong to the group.
On the Set vault authorization page, select the authorizations to grant the users, and then click Next.

Manage LDAP users and groups

You cannot edit the security attributes or authorizations of LDAP users and groups in the Privilege Cloud Portal. You can only edit them in the directory itself.

Changes made to the user's attributes are updated by the directory map when the user logs on to the Privilege Cloud Portal. For details, see LDAP user.