
LDAP/AD Integration

Privacera portal supports LDAP/AD user directories for login authentication.

  1. Edit the Privacera Portal properties file to set the following properties:

    vi ~/privacera/docker/privacera/portal/conf/application-custom.properties
    
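    # Replace each ${...} placeholder below with the value for your directory.
    # Eg. auth.ldap.enabled=true
    auth.ldap.enabled=${true/false}

    # host:port of the LDAP/AD server. 389 is the plain-LDAP port used in the example;
    # with useSSL=true point this at the TLS port instead (see the SSL step below).
    # Eg. authentication.ldap.primaryUrl=localhost:389
    authentication.ldap.primaryUrl=${LDAP_PRIMARY_URL}

    # Eg. authentication.ldap.useSSL=true
    authentication.ldap.useSSL=${true/false}

    # Eg. authentication.ldap.baseDn=DC=example,DC=com
    authentication.ldap.baseDn=DC=${BASE_DN},DC=${DC}

    # DN of the account the portal binds as. The value below is only an example;
    # use a dedicated bind account with read-only directory access.
    # Eg. authentication.ldap.privacera.bind.dn=CN=Bind User,OU=example,DC=example,DC=com
    authentication.ldap.privacera.bind.dn=CN=Bind User,OU=example,DC=example,DC=com

    # The bind password is stored in plaintext in this file, so keep the file
    # readable only by the account that runs the portal.
    # Eg. authentication.ldap.privacera.bind.password=password
    authentication.ldap.privacera.bind.password=${PASSWORD}

    # Eg. authentication.ldap.dnAttribute=dc
    authentication.ldap.dnAttribute=${DN_ATTRIBUTE}

    # Eg. authentication.ldap.usernameAttribute=sAMAccountName
    authentication.ldap.usernameAttribute=${ACCOUNT_NAME}

    # Eg. authentication.ldap.userBase=ou=example,dc=example,dc=com
    authentication.ldap.userBase=ou=example,dc=example,dc=com

    # Eg. authentication.ldap.groupBase=OU=example,DC=example,DC=com
    authentication.ldap.groupBase=OU=example,DC=example,DC=com

    # Eg. authentication.ldap.bindAnonymously=false
    authentication.ldap.bindAnonymously=${true/false}

    # (Optional) Eg. authorization.ldap.groupSearchFilter=filter12
    # The "(Optional)" marker belongs inside the comment; as a bare prefix it would
    # turn the line into a bogus property if pasted verbatim.
    authorization.ldap.groupSearchFilter=${FILTER}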
    
  2. If LDAP/AD is SSL enabled, set these values.

    # With useSSL=true the URL must point at the server's TLS port (636 in the example).
    authentication.ldap.useSSL=true
    # Eg. authentication.ldap.primaryUrl=localhost:636
    authentication.ldap.primaryUrl=${LDAP_PRIMARY_URL}
    
  3. Save and close ~/privacera/docker/privacera/portal/conf/application-custom.properties

  4. Create and add an LDAP server certificate.

  5. Export the LDAP server certificate using the following command:

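    # Fetch the certificate the LDAP server presents on {HOST}:{PORT} and save it as PEM.
    # -servername sends SNI so a server hosting several names returns the intended certificate.
    # Without -showcerts only the server's own certificate is captured (not its issuing CA),
    # so this export and the import that follows must be repeated when that certificate is rotated.
    openssl s_client -connect {HOST}:{PORT} -servername {HOST} </dev/null \
      | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ldapserver.pem
    # The connection above is not authenticated: before importing, compare this fingerprint
    # with the one the directory administrator publishes.
    openssl x509 -in ldapserver.pem -noout -fingerprint -sha256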
    
  6. Add the certificate into the cacerts keystore.

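     # Eg. keytool -import -alias ldap -keystore /home/privacera-admin/privacera/docker/ad-truststore.jks -file ad.pem
     # keytool prints the certificate and asks whether to trust it; check the fingerprint it
     # shows against the value obtained out-of-band before answering yes.
     # The command below writes into the JVM-wide cacerts store. The Eg. line and the run.sh
     # example further down instead use a dedicated ad-truststore.jks, which is the file
     # steps 7-8 copy and reference via PRIVACERA_PORTAL_TRUSTSTORE_LOCATION.
     "${JAVA_HOME}/bin/keytool" -import -alias "${ALIAS}" -keystore "${JAVA_HOME}/jre/lib/security/cacerts" -file ldapserver.pem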
    
  7. Copy the keystore to the Privacera install location: ~/privacera/docker/privacera/portal/conf

  8. Edit and modify ~/privacera/docker/privacera/portal/bin/run.sh to set the following entries. Substitute your keystore and truststore passwords for <keystore-file-password> and <truststore-file-password>. Because these passwords are stored in plaintext in run.sh, restrict the file's permissions to the account that runs the portal.

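    # Paths and passwords for the portal keystore (presumably its own server TLS key — the
    # example properties also set server.ssl.key-store; confirm) and for the truststore that
    # holds the LDAP server certificate. Replace every <...> placeholder.
    # The passwords sit in plaintext in run.sh and are exported into the service's environment,
    # so keep the file readable only by the account that runs the portal.
    export PRIVACERA_PORTAL_KEYSTORE_LOCATION=<path_to_keystore_file>
    export PRIVACERA_PORTAL_KEYSTORE_TYPE=jks
    export PRIVACERA_PORTAL_KEYSTORE_PASSWORD=<keystore-file-password>
    export PRIVACERA_PORTAL_TRUSTSTORE_LOCATION=<path_to_truststore_file>
    export PRIVACERA_PORTAL_TRUSTSTORE_TYPE=jks
    export PRIVACERA_PORTAL_TRUSTSTORE_PASSWORD=<truststore-file-password>
    export PRIVACERA_PORTAL_SSL=true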
    
  9. Restart the Privacera Portal.

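    # Run from the home directory (the other paths on this page are under ~/privacera/docker).
    # The && ensures the restart does not run in the wrong directory if the cd fails.
    cd privacera/docker && ./privacera_services restart privacera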
    

Example Portal Properties File

File: privacera/portal/conf/application-custom.properties:

# Eg. privacera.portal.host.url=http://privacera_portal_prod:6868. This can be the instance's public host URL; the default port is 6868.
privacera.portal.host.url=https://<Privacera Host>:6868

#For Cloud Access Manager - Common
privacera.dataserver.proxy.host=10.2.9.69
privacera.dataserver.proxy.port=8181
privacera.dataserver.env=Production

#For Cloud Access Manager - AWS
# false presumably means the connection to the endpoint below is not TLS-protected — confirm
# and enable where the dataserver supports it.
privacera.dataserver.ssl.enable=false
privacera.dataserver.endpoint.host=10.2.9.69
privacera.dataserver.endpoint.port=8181

#For Native Cloud Deployment of Privacera
privacera.portal.cloud.mode=true

#For access AWS Console from Privacera Portal -> Launch Pad -> AWS Console
#Change these properties only after consulting with Privacera Support
server.tomcat.basedir=/opt/privacera/portal/tomcat

#ranger ui
privacera.portal.ui.feature.ranger=enable
zuul.routes.ranger.path=/ranger/**
# Plain http to Ranger; an https variant of this route is kept commented out under #ssl below.
zuul.routes.ranger.url=http://ranger:6080
# Example credentials only — set the real Ranger credential before use. This file stores it in
# plaintext, so restrict the file's permissions to the portal service account.
ranger.username=admin
ranger.password=welcome1
# Headers Zuul treats as sensitive, i.e. not forwarded to the proxied Ranger route.
zuul.sensitiveHeaders=Cookie,Set-Cookie

#Disable ranger kms
#privacera.portal.crypto.ranger.enabled=false
#external kms - Ranger KMS example
privacera.portal.crypto.ranger.enabled=true
# x.x.x.x is a placeholder for the KMS host; the URL is plain http.
privacera.portal.ranger.kms.base.url=http://x.x.x.x:9292/kms/v1
# KMS credential, also plaintext in this file (see the note on ranger.password).
privacera.portal.ranger.kms.password=xxxxx
privacera.portal.ranger.kms.username=keyadmin
privacera.portal.ui.feature.crypto=enable
privacera.crypto.install.enabled=true
#ldap
# Eg. auth.ldap.enabled=true
auth.ldap.enabled=true

# Eg. authentication.ldap.primaryUrl=localhost:636
#authentication.ldap.primaryUrl=ipa.cazena.internal:636
# ip-x-x-x-x is a placeholder; 636 is the TLS port, matching useSSL=true below.
authentication.ldap.primaryUrl=ip-x-x-x-x.cazena.internal:636

# Eg. authentication.ldap.useSSL=true
authentication.ldap.useSSL=true

# Eg. authentication.ldap.baseDn=DC=example,DC=com
authentication.ldap.baseDn=cn=accounts,dc=cazena,dc=internal

# Eg. authentication.ldap.privacera.bind.dn=CN=Bind User,OU=example,DC=example,DC=com

# Account the portal binds as; a dedicated account with read-only directory access is sufficient.
authentication.ldap.privacera.bind.dn=uid=privacera-admin,cn=users,cn=accounts,dc=cazena,dc=internal

# Eg. authentication.ldap.privacera.bind.password=password

# Plaintext bind password — restrict this file's permissions to the portal service account.
authentication.ldap.privacera.bind.password=xxxxxx

# Eg. authentication.ldap.dnAttribute=dc
authentication.ldap.dnAttribute=dc

# Eg. authentication.ldap.usernameAttribute=sAMAccountName
# uid for this directory; the Eg. line shows the attribute typically used with Active Directory.
authentication.ldap.usernameAttribute=uid

# Eg. authentication.ldap.userBase=ou=example,dc=example,dc=com
authentication.ldap.userBase=cn=accounts,dc=cazena,dc=internal

# Eg. authentication.ldap.groupBase=OU=example,DC=example,DC=com
authentication.ldap.groupBase=cn=accounts,dc=cazena,dc=internal

# Eg. authentication.ldap.bindAnonymously=false
authentication.ldap.bindAnonymously=false

# Ignore below if not required
# Eg. authorization.ldap.groupSearchFilter=filter12
authorization.ldap.groupSearchFilter=
#
#ssl

#zuul.routes.ranger.url=https://ranger:6182
server.ssl.enabled=true
server.ssl.key-alias=1
server.ssl.key-store=/opt/privacera/portal/conf/cz_server_keystore.jks
# Keystore password, plaintext in this file (see the note on ranger.password).
server.ssl.key-store-password=xxxxxx
server.ssl.keyStoreType=JKS
#ranger.truststore.cert.path=/opt/privacera/portal/conf/ranger-admin-trust.cer

[privacera-admin@gw1-appcloud docker]$

[privacera-admin@gw1-appcloud docker]$ cat privacera/portal/bin/run.sh
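#!/bin/bash
# Environment wrapper for the Privacera Portal service: exports the directory,
# PID-file and TLS keystore/truststore settings the service script reads, then
# passes this script's first argument through to it.
#
# NOTE: the truststore/keystore passwords below are plaintext and are exported
# into the environment of the child process, so keep this file readable only by
# the account that runs the portal.
#export PRIVACERA_PORTAL_SERVER_MODE=MASTER
export PRIVACERA_PORTAL_CONF_DIR=/opt/privacera/portal/conf
export PRIVACERA_PORTAL_BIN_DIR=/opt/privacera/portal/bin
export PRIVACERA_PORTAL_LOG_DIR=/opt/privacera/portal/logs
export PID_FILE=/opt/privacera/portal/run/privacera_portal.pid
# Atlas TLS settings are left disabled/empty in this example.
export PRIVACERA_ATLAS_SSL_ENABLE=False
export PRIVACERA_ATLAS_KEYSTORE_TYPE=
export PRIVACERA_ATLAS_KEYSTORE_LOCATION=
export PRIVACERA_ATLAS_TRUSTSTORE_TYPE=
export PRIVACERA_ATLAS_TRUSTSTORE_LOCATION=
export PRIVACERA_ATLAS_CERT_PROVIDER_LOCATION=
export PRIVACERA_PORTAL_SSL=true
export PRIVACERA_PORTAL_KEYSTORE_LOCATION=
export PRIVACERA_PORTAL_KEYSTORE_TYPE=
export PRIVACERA_PORTAL_KEYSTORE_PASSWORD=
# Truststore holding the LDAP server certificate imported in the steps above.
export PRIVACERA_PORTAL_TRUSTSTORE_LOCATION=/opt/privacera/portal/conf/ad-truststore.jks
export PRIVACERA_PORTAL_TRUSTSTORE_TYPE=jks
export PRIVACERA_PORTAL_TRUSTSTORE_PASSWORD=xxxxxxx
# Forward the first argument only when one was given; quoting it keeps a value
# containing spaces as a single word (the unquoted form would word-split it).
/opt/privacera/portal/privacera_portal_service_docker_v1.sh ${1:+"$1"}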
[privacera-admin@gw1-appcloud docker]$

The truststore referenced by PRIVACERA_PORTAL_TRUSTSTORE_LOCATION is created as follows:

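# Fetch the certificate ipa.cazena.internal presents on 636 (ldaps) and save it as PEM.
# -servername sends SNI; without -showcerts only the server's own certificate is captured,
# so repeat the export and import when that certificate is rotated.
openssl s_client -connect ipa.cazena.internal:636 -servername ipa.cazena.internal </dev/null \
  | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ad.pem
# The fetch is unauthenticated: compare this fingerprint with the one published by the
# directory administrator before trusting the certificate.
openssl x509 -in ad.pem -noout -fingerprint -sha256
# Import into a dedicated truststore; keytool shows the certificate and asks for confirmation.
keytool -import -alias ldap -keystore /home/privacera-admin/privacera/docker/ad-truststore.jks -file ad.pem
# Place the truststore under the portal conf directory (presumably mounted as
# /opt/privacera/portal/conf, where run.sh's PRIVACERA_PORTAL_TRUSTSTORE_LOCATION points — confirm).
cp ad-truststore.jks privacera/portal/conf/
# Lists a keystore with the same file name as server.ssl.key-store in the example properties
# (the portal's server keystore, not the truststore above).
keytool -v -list -keystore /cazena/cert/cz_server_keystore.jks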

Last update: July 23, 2021