Connect your LDAP directory server

Privilege Cloud integrates with LDAP directory servers to obtain user identification and security information. This enables Privilege Cloud to automatically provision users and groups.

To connect to LDAP you need the assistance of CyberArk support to define the secure tunnel.

The secure tunnel must be deployed before you can connect to LDAP.

After you connect your LDAP directory server to Privilege Cloud, you can configure Privilege Cloud to provision users from your LDAP directory. For details, see LDAP integration.

CyberArk support requires the following information for integrating with LDAP.

Parameter | Details
Domain controllers name | FQDN
LDAPS certificates | The LDAPS certificates and chains for all domain controllers. For details, see Retrieve the LDAPS certificate and deliver it to CyberArk.

Retrieve the LDAPS certificate and deliver it to CyberArk

In order to establish a secure connection based on SSL, the entire certificate chain for the LDAP domain must be sent to CyberArk Support, to complete the integration.

Considerations:
  • You must retrieve individual certificates, as a trusted chain, from the LDAPS service of an LDAP host.

  • Ensure you extract and send the relevant certificates and their respective certificate chains for all domain controllers.

  • It is recommended to use the CyberArk LDAPS certificate tool to retrieve the certificates and their respective certificate chains. This tool performs certificate chain verification and outputs error messages for any certificate chain verification failures.

  • Export the certificates to a .zip file and provide this zip file to CyberArk Support to complete the integration.

  • If you are using an alternative tool to retrieve the certificates and their respective certificate chains, ensure the certificates are retrieved in one of the following supported formats: .der, .crt, .cer, .pem.

  • You are responsible for tracking the expiration date of your certificate. If your certificate is about to expire, or has expired, contact CyberArk support (support@cyberark.com) and open a support ticket. See Renew an expired certificate.

To export the certificate using the CyberArk LDAPS certificate tool:

  1. Locate the Privilege Cloud Tools folder that you downloaded in Prepare your machine.
  2. In the local folder, run LDAPSCertificateTool.exe.
  3. Enter the LDAPS Host and Port, and then click Check Chain.
  4. In Export Package, enter the path where you want the zip file to be saved, and click Export.
  5. Send the output zip file to CyberArk Support to complete the integration.
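For the alternative-tool route mentioned in the considerations above, here is an added example that is not CyberArk's LDAPSCertificateTool.exe: it retrieves the chain an LDAPS service presents with openssl, splits it into individual .pem files, verifies the chain, flags certificates near expiry and packages the files as a .zip. The host name dc01.example.com, the output directory and the 30-day warning window are assumptions.

```shell
#!/bin/sh
# Added example (not CyberArk's LDAPS certificate tool): fetch the chain an LDAPS
# service presents, split it into individual PEM files, verify the chain, report
# expiry dates and package the files as a .zip for the support ticket.
# Assumes openssl and zip are installed; dc01.example.com below is a placeholder.
set -e

# Print the PEM certificates the LDAPS service sends (-showcerts = the full chain).
fetch_chain() {            # fetch_chain <host> [port]
  openssl s_client -connect "$1:${2:-636}" -servername "$1" -showcerts </dev/null 2>/dev/null |
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Split a PEM bundle into <outdir>/cert-1.pem, cert-2.pem, ...; prints the count.
split_pem_bundle() {       # split_pem_bundle <bundle.pem> <outdir>
  mkdir -p "$2"
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; file = dir "/cert-" n ".pem" }
    file != "" { print > file }
    /-----END CERTIFICATE-----/ { close(file); file = "" }
    END { print n + 0 }' "$1"
}

# Verify cert-1 (leaf) against cert-<count> (root) via the intermediates in between.
# If the DC does not send its root, point -CAfile at the root exported from your CA.
verify_chain() {           # verify_chain <outdir> <count>
  dir="$1"; last="$2"; i=2; set --
  while [ "$i" -lt "$last" ]; do set -- "$@" -untrusted "$dir/cert-$i.pem"; i=$((i + 1)); done
  openssl verify "$@" -CAfile "$dir/cert-$last.pem" "$dir/cert-1.pem"
}

# Show subject and notAfter of each certificate; warn when it expires within <days>.
report_expiry() {          # report_expiry <outdir> [days]
  for f in "$1"/cert-*.pem; do
    openssl x509 -in "$f" -noout -subject -enddate
    openssl x509 -in "$f" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null ||
      echo "WARNING: $f expires within ${2:-30} days, plan the renewal"
  done
}
main() {                   # main <dc-fqdn> [port] [outdir]
  out="${3:-ldaps-certs}"; mkdir -p "$out"
  fetch_chain "$1" "${2:-636}" > "$out/bundle.pem"
  count=$(split_pem_bundle "$out/bundle.pem" "$out")
  echo "Retrieved $count certificate(s) from $1:${2:-636}"
  verify_chain "$out" "$count"
  report_expiry "$out" 30
  zip -j "$out.zip" "$out"/cert-*.pem          # attach this to the support ticket
}
if [ "$#" -gt 0 ]; then main "$@"; fi          # e.g. sh ldaps-chain.sh dc01.example.com
```

Run it once per domain controller, since the chains must be supplied for all of them; a verify failure means the same problem the CyberArk tool would report and must be resolved before the chain is sent.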

Renew an expired certificate

You are responsible for tracking the expiration date of your certificate and renewing it as required.

To renew a certificate:
  1. Generate a new certificate. For details, see Retrieve the LDAPS certificate and deliver it to CyberArk.

  2. Open a support ticket with CyberArk.

  3. Indicate whether this is a service request to upload a new certificate set or to renew your certificate.

  4. Enter the subdomain of your tenant (the first part of the URL of your Privilege Cloud environment).

  5. Attach the certificate in the ticket.