Working with LDAP Vendors
Create Custom LDAP Vendors
If you use an LDAP server that is not natively supported in Tufin Orchestration Suite (TOS), you can create your own custom LDAP vendor for:
- External authentication of SecureTrack users
- External authentication of SecureChange users
- Retrieval of user groups from LDAP for User Identity (available only with an Active Directory LDAP server)
When you create a custom LDAP, add the required attributes described in the LDAP Server Attributes list.
LDAP servers must support the LDAPv3 protocol.
Configure LDAP Vendor Attributes
The configure_ldap_vendor_configuration script is used to configure the LDAP vendor attributes.
You can:
- Create a new vendor and add the relevant attributes.
- Customize the attributes for an existing LDAP vendor.
You can create a shell file with a list of commands, where each command configures a different attribute.
Syntax
The add_or_update action:
- Creates the specified vendor if it does not exist and adds the specified attribute.
- Creates the specified attribute for an existing vendor.
- Updates the value of an existing attribute for an existing vendor.
Run the command inside the keycloak-service pod:
kubectl exec -it deploy/keycloak-service -c keycloak-service -- manage_keycloak -r set_ldap_configuration -v '<vendor_name>' -a 'add_or_update' --attr_objective '<attr_objective>' --attr_name '<attr_name>' --attr_type '<attr_type>'
Supported Arguments
Argument | Description
---|---
-v '<vendor_name>' | The vendor name that appears in SecureTrack: Settings > Configuration > External Authentication > LDAP Authentication > Server Type
--attr_objective '<attr_objective>' | An attribute from the list of LDAP server attributes
--attr_name '<attr_name>' | The name of the LDAP server field that corresponds to the attr_objective
--attr_type '<attr_type>' | The type of the attribute, for example string (see the sample code below)
Sample Code
For the Active Directory vendor, update the mail attribute name to the string "mail":
kubectl exec -it deploy/keycloak-service -c keycloak-service -- manage_keycloak -r set_ldap_configuration -v 'Active Directory' -a 'add_or_update' --attr_objective 'mailAttributeName' --attr_name 'mail' --attr_type 'string'
Retrieve LDAP Vendor Configuration
The get_ldap_vendor_configuration script retrieves the configuration for all available LDAP vendors or for the specified vendor.
Syntax
kubectl exec -it deploy/keycloak-service -c keycloak-service -- manage_keycloak -r get_ldap_configuration [-v '<vendor_name>']
Supported Arguments
Argument | Description
---|---
-v '<vendor_name>' | (Optional) Returns the configuration details for the specified vendor only; without it, the configuration of all vendors is returned
Sample Code
Returns the configuration for all LDAP vendors:
kubectl exec -it deploy/keycloak-service -c keycloak-service -- manage_keycloak -r get_ldap_configuration
Returns the configuration for Active Directory:
kubectl exec -it deploy/keycloak-service -c keycloak-service -- manage_keycloak -r get_ldap_configuration -v 'Active Directory'
Delete LDAP Vendor
The configure_ldap_vendor_configuration script (located in /opt/tufin/securitysuite/scripts/) is used to delete LDAP vendor attributes. You can delete specific vendor attributes; to remove a vendor entirely, delete all of the attributes for that vendor.
Syntax
The delete action removes the attribute value.
configure_ldap_vendor_configuration.sh --action delete --vendor '<vendor_name>' --attr_objective '<attr_objective>'
Supported Arguments
Argument | Description
---|---
--vendor '<vendor_name>' | The vendor name that appears in SecureTrack: Settings > Configuration > External Authentication > LDAP Authentication > Server Type
--attr_objective '<attr_objective>' | An attribute from the list of LDAP server attributes
Sample Code
For the Active Directory vendor, deletes the mailAttributeName attribute (the attribute set to "mail" in the add_or_update sample above):
configure_ldap_vendor_configuration.sh --action delete --vendor 'Active Directory' --attr_objective 'mailAttributeName'
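The page suggests putting the add_or_update commands for a custom vendor into a shell file, and notes that a vendor is removed by deleting every one of its attributes. The script below is an added example, not code from the Tufin page or product: it drives both documented commands from a small definition file, validating the file before anything is sent so a typo cannot leave a half-configured vendor, and reads the vendor back with get_ldap_configuration afterwards. The definition file format, the function names, the vendor name "Custom LDAP" and the KUBECTL / VENDOR_SCRIPT overrides are this example's own assumptions; the only attribute objective it uses, mailAttributeName, is the one from the page.

```shell
#!/bin/sh
# Added example; not code from the Tufin page or product. It wraps the two
# commands documented above so a custom vendor is created (or removed) from a
# definition file in one run instead of one hand-typed command per attribute.
# Assumptions: kubectl already points at the TOS cluster; the definition file
# format, the function names and the vendor name "Custom LDAP" are this
# example's own; mailAttributeName is the only objective taken from the page.
set -eu

KUBECTL="${KUBECTL:-kubectl}"   # set KUBECTL=echo to print commands instead of running them
VENDOR_SCRIPT="${VENDOR_SCRIPT:-/opt/tufin/securitysuite/scripts/configure_ldap_vendor_configuration.sh}"

# One add_or_update call: vendor, attr_objective, attr_name, attr_type.
# -t is left out because a scripted run has no TTY; -i keeps stdin attached.
set_ldap_attr() {
    "$KUBECTL" exec -i deploy/keycloak-service -c keycloak-service -- \
        manage_keycloak -r set_ldap_configuration \
        -v "$1" -a add_or_update \
        --attr_objective "$2" --attr_name "$3" --attr_type "$4"
}

# Definition file: one "attr_objective attr_name attr_type" per line; blank
# lines and '#' comments are ignored. Prints the number of attribute lines and
# fails, before anything is sent, if a line does not have exactly three fields.
validate_definition() {
    file=$1 count=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        set -- $line
        if [ $# -ne 3 ]; then
            echo "malformed definition line: $line" >&2
            return 1
        fi
        count=$((count + 1))
    done < "$file"
    echo "$count"
}

# Create or update the vendor from the file, then read the result back so a
# misspelled attr_objective shows up now rather than at the first login.
apply_vendor_definition() {
    vendor=$1 file=$2
    total=$(validate_definition "$file") || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        set -- $line
        set_ldap_attr "$vendor" "$1" "$2" "$3"
    done < "$file"
    "$KUBECTL" exec -i deploy/keycloak-service -c keycloak-service -- \
        manage_keycloak -r get_ldap_configuration -v "$vendor"
    echo "applied $total attribute(s) to vendor '$vendor'" >&2
}

# Remove the vendor: it is gone once every one of its attributes is deleted,
# so the same definition file drives one delete per attr_objective.
delete_vendor_definition() {
    vendor=$1 file=$2
    validate_definition "$file" >/dev/null || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        set -- $line
        "$VENDOR_SCRIPT" --action delete --vendor "$vendor" --attr_objective "$1"
    done < "$file"
}

# Constructed sample definition for a vendor named "Custom LDAP".
sample_definition() {
    cat <<'EOF'
# attr_objective     attr_name   attr_type
mailAttributeName    mail        string
EOF
}

# Usage: sh custom_ldap_vendor.sh apply|delete '<vendor_name>' vendor.def
case "${1:-}" in
    apply)  apply_vendor_definition "$2" "$3" ;;
    delete) delete_vendor_definition "$2" "$3" ;;
esac
```

Running it with KUBECTL=echo and VENDOR_SCRIPT=echo prints the exact commands that would be issued, which is a cheap way to review the vendor definition before touching the cluster; the definition file is kept next to the TOS configuration so the same file can later remove the vendor cleanly.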