LDAP Vendors in SecureTrack
Overview
LDAP vendors can be used for user authentication in SecureTrack. You can add custom LDAP vendors, which are not included in the TOS Aurora installation, change attributes for existing LDAP vendors, delete attributes or LDAP vendors, and retrieve LDAP vendor configuration.
By default, TOS Aurora includes the following LDAP vendors in SecureTrack:
- Active Directory
- OpenLDAP
- Sun
To add, modify, or delete vendors in SecureChange, contact Tufin Support.
Add/Modify LDAP Vendors
The set_ldap_vendor_configuration command allows you to add, modify, and delete LDAP vendors and attributes.
- To add an LDAP vendor, add an attribute and the vendor is created automatically.
- To modify an LDAP vendor, add or update its attributes.
- To delete an LDAP vendor, delete all of its attributes. You can also delete one or more attributes.
You can create a shell file with a list of commands, where each command configures a different attribute.
Syntax
The add_or_update action:
- Creates the specified vendor if it does not exist and adds the specified attribute.
- Creates the specified attribute for an existing vendor.
- Updates a value for an existing vendor.
kubectl exec -it deploy/keycloak-service -c keycloak-service -- manage_keycloak -r set_ldap_configuration -v '<vendor_name>' -a 'add_or_update' --attr_objective '<attr_objective>' --attr_name '<attr_name>' --attr_type '<attr_type>'
Supported Arguments
Argument | Description |
---|---|
 | The vendor name that appears in SecureTrack: Settings > Configuration > External Authentication > LDAP Authentication > Server Type |
 | An attribute from the list of LDAP server attributes |
 | Name of the LDAP vendor field that corresponds to the |
 | Supported attribute types: |
Sample Code
For the Active Directory vendor, update the mail attribute name to the string "mail":
kubectl exec -it deploy/keycloak-service -c keycloak-service -- manage_keycloak -r set_ldap_configuration -v 'Active Directory' -a 'add_or_update' --attr_objective 'mailAttributeName' --attr_name 'mail' --attr_type 'string'
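The "shell file with a list of commands" mentioned above can be written so that each row is validated before anything is changed. The following is an added example, not a script shipped with TOS Aurora; the function names, the APPLY variable and the row format are assumptions made for illustration, and the only row is the page's own Active Directory sample.

```shell
#!/bin/sh
# Added example (not vendor-supplied): apply LDAP vendor attributes from a list.
# Dry run by default; set APPLY=1 to run the commands against the cluster.

VENDOR='Active Directory'
# One row per attribute: attr_objective|attr_name|attr_type.
# This row is the page's own sample; append rows for further attributes.
ATTRS='mailAttributeName|mail|string'

# Reject empty fields and characters that would break the quoted display form
# or the row format, so a malformed row never reaches manage_keycloak.
valid_field() {
  case "$1" in
    ''|*"'"*|*'|'*) return 1 ;;
  esac
  return 0
}

# Print the add_or_update command for one attribute, in the page's syntax.
build_cmd() {  # args: vendor attr_objective attr_name attr_type
  [ "$#" -eq 4 ] || return 1
  for f in "$@"; do valid_field "$f" || return 1; done
  printf "kubectl exec -it deploy/keycloak-service -c keycloak-service -- manage_keycloak -r set_ldap_configuration -v '%s' -a 'add_or_update' --attr_objective '%s' --attr_name '%s' --attr_type '%s'" "$@"
}

# Validate each row, then print it (dry run) or execute it; stop at the first
# failure. Rows are read on fd 3 so that kubectl exec -i cannot consume them.
apply_attrs() {  # args: vendor rows
  while IFS='|' read -r obj name type <&3; do
    [ -n "$obj$name$type" ] || continue   # skip blank lines
    cmd=$(build_cmd "$1" "$obj" "$name" "$type") || { echo "invalid row: $obj|$name|$type" >&2; return 1; }
    if [ "${APPLY:-0}" != 1 ]; then echo "DRY RUN: $cmd"; continue; fi
    echo "RUN: $cmd"
    kubectl exec -it deploy/keycloak-service -c keycloak-service -- manage_keycloak \
      -r set_ldap_configuration -v "$1" -a add_or_update \
      --attr_objective "$obj" --attr_name "$name" --attr_type "$type" \
      || { echo "failed on $obj; stopping" >&2; return 1; }
  done 3<<EOF
$2
EOF
}

apply_attrs "$VENDOR" "$ATTRS"
```

After an applied run, retrieve the vendor's configuration as described in the next section and compare it with the rows you intended to set.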
Retrieve LDAP Vendor Configuration
The get_ldap_vendor_configuration command retrieves the configuration for all available LDAP vendors or for the specified LDAP vendor.
Syntax
kubectl exec -it deploy/keycloak-service -c keycloak-service -- manage_keycloak -r get_ldap_configuration [-v '<vendor_name>']
Supported Arguments
Argument | Description |
---|---|
--vendor '<vendor_name>' | (Optional) Returns the configuration details for the specified vendor. |
Sample Code
Returns the configuration for all LDAP vendors:
kubectl exec -it deploy/keycloak-service -c keycloak-service -- manage_keycloak -r get_ldap_configuration
Returns the configuration for Active Directory:
kubectl exec -it deploy/keycloak-service -c keycloak-service -- manage_keycloak -r get_ldap_configuration -v 'Active Directory'
Delete LDAP Vendor
The configure_ldap_vendor_configuration script (located in /opt/tufin/securitysuite/scripts/) is used to delete the LDAP vendor attributes. You can delete specific vendor attributes. To remove a specific vendor, remove all the attributes for that vendor.
Syntax
The delete action removes the attribute value.
configure_ldap_vendor_configuration.sh --action delete --vendor '<vendor_name>' --attr_objective '<attr_objective>'
Supported Arguments
Argument | Description |
---|---|
 | The vendor name that appears in SecureTrack: Settings > Configuration > External Authentication > LDAP Authentication > Server Type |
 | An attribute from the list of LDAP server attributes |
Sample Code
For the Active Directory vendor, deletes the "mail" attribute:
configure_ldap_vendor_configuration.sh --action delete --vendor 'Active Directory' --attr_objective 'mail'