25.4. Configuring Integration with a Directory Service
Prev UpChapter 25. Integration with OpenLDAP and Active DirectoryHome Next

25.4. Configuring Integration with a Directory Service #

  1. In the ppem-manager.yml manager configuration file, add the ldap section and specify integration parameters:

    • OpenLDAP: 

      ldap:
type: directory_service_type
url: directory_service_network_address
use_ssl: true or false
base_dn: directory_service_base_DN
bind_username: directory_service_username
bind_password: directory_service_user_password
group_class: user_group_object_class
group_members_attr: user_group_member_attribute
group_name_attr: user_group_name_attribute
prefix_group_dn: DN_prefix_for_user_groups
prefix_user_dn: DN_prefix_for_users
user_class: user_object_class
user_display_name_attr: user_display_name_attribute
user_email_attr: user_email_attribute
user_name_attr: user_login_attribute
user_first_name_attr: user_first_name_attribute
user_last_name_attr: user_last_name_attribute
user_job_title_attr: user_job_title_attribute
user_membership_attr: user_group_membership_attribute
user_phone_attr: user_phone_attribute
user_sync_interval: manager_and_directory_service_synchronization_time

    • Active Directory: 

      ldap:
type: directory_service_type
url: directory_service_network_address
base_dn: directory_service_base_DN
bind_username: directory_service_username
bind_password: directory_service_user_password
user_sync_interval: manager_and_directory_service_synchronization_time

    Where:

    • type: The type of the directory service.

      Possible values:

      • openldap

      • ms_active_directory

    • url: The network address of the directory service.

    • bind_username: The name of the directory service user for integration with PPEM.

      The value format depends on the directory service:

      • For OpenLDAP, a complete distinguished name (DN) is usually specified. For example, cn=admin,ou=users,dc=example,dc=com.

      • For Active Directory, a value in the username@domain format is usually specified. For example, admin@example.com.

    • bind_password: The password of the directory service user for integrating with PPEM.

    • base_dn: The base distinguished name of the directory service.

    • prefix_user_dn: The distinguished name prefix for users.

      If this parameter is specified, users are searched using the prefix_user_dn,base_dn distinguished name. To search for users in the entire directory, specify "".

      Optional parameter.

    • prefix_group_dn: The distinguished name prefix for user groups.

      If this parameter is specified, user groups are searched using the prefix_group_dn,base_dn distinguished name. To search for user groups in the entire directory, specify "".

      Optional parameter.

    • user_class: The name of the user object class.

      Optional parameter for Active Directory.

    • user_name_attr: The name of the user login attribute.

      Default value: cn for OpenLDAP, sAMAccountName for Active Directory.

      Optional parameter for Active Directory.

    • user_first_name_attr: The name of the user first name attribute.

      Default value: givenName.

      Optional parameter.

    • user_last_name_attr: The name of the user last name attribute.

      Default value: sn.

      Optional parameter.

    • user_display_name_attr: The name of the user display name attribute.

      Default value: displayName.

      Optional parameter.

    • user_email_attr: The name of the user email address attribute.

      Default value: mail.

      Optional parameter.

    • user_phone_attr: The name of the user phone number attribute.

      Default value: telephoneNumber.

      Optional parameter.

    • user_job_title_attr: The name of the user job title attribute.

      Default value: title.

      Optional parameter.

    • user_membership_attr: The name of the user group membership attribute.

      Default value for Active Directory: memberOf.

      Optional parameter.

    • group_class: The name of the user group object class.

      Default value for Active Directory: group.

    • group_name_attr: The name of the user group name attribute.

      Default value: cn.

      Optional parameter.

    • group_members_attr: The name of the group member attribute.

    • group_filter: The filter for searching user groups. For example, (&(objectClass=group)(cn=*PPEM*)).

      Optional parameter.

    • group_membership_filter: The filter for searching groups of which the specified user is a member. For example, (&(objectClass=group)(uniqueMember=%USER_DN%)).

      Optional parameter.

    • group_list_size_limit: The maximum number of user groups that can be received from the directory service.

      Optional parameter.

    • user_sync_interval: Synchronization time between the manager and directory service.

      Default value: 5m.

      Optional parameter.

    • ssl_cert_skip_verify: Specifies whether verification of the directory service server certificate is skipped.

      Possible values:

      • true

      • false

      Optional parameter.

    • ssl_root_ca: The path to the file in the PEM format with the CA certificate on the directory service server.

      Optional parameter.

  2. Restart the PPEM service: 

    systemctl restart ppem.service
Prev Up Next
25.3. Creating a User Group in Active Directory Using PowerShell Home 25.5. Configuring Authorization in PPEM