Configure the Vault for LDAP

Before you can integrate with LDAP, you must first configure the Vault.

Before configuring the Vault

Configure the Vault to recognize LDAP directories

The CyberArk Vault recognizes LDAP directories through parameter files. Depending on how a directory is specified, the Vault can work in either of the following ways:

Define each directory separately – A parameter file specifies the exact details of one directory. A separate file is required for each directory that the Vault will recognize.
Locate directories using LDAP referrals – The Vault can be configured to follow the built-in LDAP referrals capability of Active Directory, so that directories are located through referrals rather than being listed one by one.

Users who belong to the Vault Admins group can configure LDAP directories in the Vault.

Configure LDAP over SSL connections (recommended):

On the Vault machine, import the CA certificate that signed the certificate used by the External Directory into the Windows certificate store. The Vault can then validate the directory's certificate and establish an SSL connection to it.

Domain name

If the PVWA or CPM cannot resolve the domain name, add DNS server configuration to the PVWA or CPM network interface configuration.

The Vault itself cannot be configured with a DNS server. Instead, add a row to the HOSTS file for every domain controller that specifies the IP address and the corresponding domain name, for example:

10.10.10.10 dc1.mydomain.com

SSL-based encryption

To enable SSL-based encryption, configure LDAPS by providing an LDAPS certificate.

Export the domain certificate from a domain controller server and import it into the Trusted Root Certification Authorities store on both the Vault and PVWA servers, as follows:

The LDAP integration wizard then connects to the specified domain using an SSL connection.
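The three Vault-side steps above (HOSTS rows for each domain controller, importing the issuing CA certificate into the machine's Trusted Root store, and confirming that LDAPS actually works) can be carried out and verified from an elevated PowerShell prompt on the Vault server. The following script is an added example, not CyberArk tooling; the domain controller names and addresses, the certificate path and the LDAPS port 636 are assumptions to be replaced with your own values.

```powershell
# Added example (not CyberArk's own code): prepare a Vault server for LDAPS and
# verify the handshake. Hostnames, IPs and the certificate path below are assumptions.
#Requires -RunAsAdministrator

# Assumed values: one entry per domain controller the Vault must reach.
$DomainControllers = @{
    'dc1.mydomain.com' = '10.10.10.10'
    'dc2.mydomain.com' = '10.10.10.11'
}
$CaCertPath = 'C:\Temp\mydomain-root-ca.cer'   # CA/domain certificate exported from a DC
$LdapsPort  = 636

# 1. The Vault has no DNS, so add one HOSTS row per domain controller.
#    Rows that are already present are left alone.
$HostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$raw = [System.IO.File]::ReadAllText($HostsFile)
if ($raw.Length -gt 0 -and -not $raw.EndsWith("`n")) {
    Add-Content -Path $HostsFile -Value ''      # make sure we append on a new line
}
foreach ($dc in $DomainControllers.GetEnumerator()) {
    $pattern = '^\s*{0}\s+{1}\s*$' -f [regex]::Escape($dc.Value), [regex]::Escape($dc.Key)
    if (-not (Select-String -Path $HostsFile -Pattern $pattern -Quiet)) {
        $row = '{0} {1}' -f $dc.Value, $dc.Key
        Add-Content -Path $HostsFile -Value $row
        Write-Host "Added HOSTS row: $row"
    }
}

# 2. Import the issuing CA certificate into the machine-wide Trusted Root
#    Certification Authorities store (Cert:\LocalMachine\Root).
$ca = Import-Certificate -FilePath $CaCertPath -CertStoreLocation 'Cert:\LocalMachine\Root'
Write-Host "Trusted root installed: $($ca.Subject) (thumbprint $($ca.Thumbprint))"

# 3. Verify LDAPS the way the Vault will use it: TCP to 636, full TLS handshake,
#    default (strict) chain and hostname validation against the name we connect to.
function Test-LdapsHandshake {
    param([string]$Server, [int]$Port = 636)
    $tcp = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $tcp.Connect($Server, $Port)
        # No validation callback is supplied, so an untrusted chain or a
        # certificate whose SAN does not match $Server throws here.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Server   = $Server
            Ok       = $true
            Protocol = $ssl.SslProtocol
            Subject  = $cert.Subject
            Issuer   = $cert.Issuer
            NotAfter = $cert.NotAfter
        }
    } catch {
        [pscustomobject]@{ Server = $Server; Ok = $false; Error = $_.Exception.Message }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Dispose()
    }
}

$DomainControllers.Keys | ForEach-Object { Test-LdapsHandshake -Server $_ -Port $LdapsPort } | Format-List
```

The handshake check in step 3 is the one worth keeping: because the Vault reaches the domain controllers by the names in the HOSTS file, those names must appear in the Subject Alternative Name of each controller's certificate, and the certificate's issuer must chain to the CA imported in step 2. A failure reported by Test-LdapsHandshake (untrusted root, name mismatch, expired certificate) is exactly what the LDAP integration wizard would hit when it tries to connect over SSL.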

Next step: LDAP integration in the modern interface