Configure LDAP Connection

Anthony - Versasec Support

Introduction

Before beginning this article, you must have successfully completed the article Install and Configure vSEC:CMS on First Use.

This article describes the steps for configuring an LDAP server as the user directory used when provisioning smart card tokens issued in the vSEC:CMS. In this use case we show how to configure the vSEC:CMS so that the end user to whom the smart card token is issued is looked up in an LDAP directory. We will not issue a certificate in this use case.

Note
The smart card type that will be managed in this use case will be a generic mini-driver smart card token.

Step 1 - Configure Connection to LDAP

1. From Options - Connections click the Configure button and make sure that LDAP Server is in the Selected window.

2. Then from Options - Connections click LDAP Server to add template.

3. Enter a template name, the hostname of the LDAP server, the port and the protocol, and enable SSL/TLS if a secure connection is required. Click the Test Connection button to confirm that the LDAP server is reachable from the system on which the vSEC:CMS is running. If the LDAP server requires simple authentication, enable this option and provide the username and password used to connect. Note that simple authentication sends this password to the server in clear text unless SSL/TLS is enabled, so enable SSL/TLS whenever the directory supports it. Click the Save button when complete.

Step 2 - Configure a Card Template

1. Navigate to the Options - Smart Cards page. When the page has loaded, attach the smart card token that is to be issued with the vSEC:CMS. The vSEC:CMS will filter on the card type and present the smart card template available for it.

2. Select the entry and click Edit. For Smart Card Access ensure that Use minidriver if possible is selected and click Save.

3. From Templates - Card Templates click the Add button.

4. Click the Edit link for General.

5. Enter a template name, attach the smart card token that is to be issued and click the Detect button so that the vSEC:CMS can detect the smart card token type to be used for this card template. Click Ok to close the dialog.

6. Leave all other settings in the General dialog at their defaults and click Ok to save the settings and close the dialog.

7. Click the Edit link for Issue Card.

8. Under the User ID Options enable the Assign user ID check box and click the Manage button.

9. Click the Add button.

10. Enter a template name and for Type select LDAP (Generic LDAP server). From LDAP server select the LDAP connection configured above in Step 1. Click the Add button.

11. Enter a name for the filter in the Name field. Either click the Get button to let the vSEC:CMS retrieve the base DNs available, or type and/or edit a base DN manually in the BaseDNs field. For example, if the base DN 'DC=versatilesecurity,DC=com' was retrieved automatically when clicking the Get button, and the LDAP search should be restricted to the sub tree 'OU=CMS Users', you would enter 'OU=CMS Users, DC=versatilesecurity,DC=com' in the BaseDNs field. In the Filter field you can construct LDAP query filters. A filter specifies the conditions that a record must meet to be included in the recordset (or collection) returned by the query.

The Variables section of this dialog can be used to build configurable search filters that are entered into the field provided. This is only needed when you have multiple LDAPs and must search one LDAP and use its result to search for values in a secondary LDAP. It is a very specific use case and would not normally be used.

12. Click Ok to save the settings and close the dialog.

13. For User detail(s) it is possible to enter a mapping from an attribute name to a friendly name that is used to retrieve additional attribute details for the selected user. This additional information is then displayed in dialogs that show information about the issued card. For example, to display the attribute "cn" under the friendlier name "User Name", enter cn=User Name. Click the Test button to test the mapping; you will need to select a user first by clicking the Get ID button.

14. Click the Edit button in the Variable(s) section.

For example, the variable name ${UserEmail} is associated with the directory attribute name mail. In the directory, the attribute mail contains the user's actual email address, if it is set. Click Ok to save the association. From the ID Assign dialog it is then possible to test this with an actual user: click the Get ID button to search the LDAP for a user, select the user, click the Edit button in the Variable(s) section and then click the Test button. If the user has an email entry in the AD attribute, the value is displayed.

15. Click Save to save the configuration.

16. Back in the Issue card main dialog select this newly created template from the drop-down list.

17. Leave all other settings as is and click Ok to save the configuration and close out.
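The pieces that steps 11, 13 and 14 configure by hand (a BaseDN narrowed to a sub tree, a filter built from ${Variable} placeholders and a cn=User Name attribute mapping) can be checked offline. The following is an added example and not code from the vSEC:CMS product or this article; the filter template, the sample directory entry and the user inputs are constructed, and the variable values are escaped according to RFC 4515 before they are placed in the filter.

```python
"""Added example (not vSEC:CMS code): build and check the LDAP search pieces
configured in Step 2. Attribute and variable names follow the article;
the sample entry and user inputs below are constructed."""
import re

# RFC 4515 section 3: these characters must be hex-escaped inside a filter value
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value before it is substituted into an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template: str, variables: dict) -> str:
    """Replace ${Name} placeholders in a filter template with escaped values.

    A placeholder without a value raises instead of being left in the filter.
    """
    def repl(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError(f"no value for variable ${{{name}}}")
        return escape_filter_value(variables[name])
    return re.sub(r"\$\{(\w+)\}", repl, template)


def split_dn(dn: str) -> list:
    """Split a DN into normalized RDNs: 'OU=CMS Users, DC=x' -> ['ou=cms users', 'dc=x'].

    Assumes no escaped commas inside attribute values (true for the article's DNs).
    """
    return [rdn.strip().lower() for rdn in dn.split(",")]


def is_subtree_of(sub_dn: str, base_dn: str) -> bool:
    """True if sub_dn lies at or below base_dn, comparing RDNs from the root end."""
    sub, base = split_dn(sub_dn), split_dn(base_dn)
    return len(sub) >= len(base) and sub[len(sub) - len(base):] == base


def apply_user_details(entry: dict, mapping: str) -> dict:
    """Apply 'cn=User Name' style lines (one per line) to a found entry's attributes."""
    friendly = dict(line.split("=", 1) for line in mapping.splitlines() if "=" in line)
    return {friendly.get(attr, attr): val for attr, val in entry.items()}
```

Running is_subtree_of on a hand-edited BaseDN before saving it catches the common mistake of typing a sub tree that does not lie under the base DN the Get button returned.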

Step 3 - Issue Smart Card

1. From the Lifecycle page, attach the smart card token that is to be issued and click the Issued oval. Select the card template from the Select card template drop-down list and click the Execute button.

2. Enter the Operator token PIN (Passcode) code when prompted.

3. Enter the user's name in the field provided and click the Get button to retrieve the user. Select the user and click Ok to continue.

4. When the issuance completes, a message dialog indicating that an authentication key has been added to the vSEC:CMS will appear, followed by a short summary dialog with details of the operations that have been performed.

The smart card token is now in the Issued state, as can be seen from the process diagram. By default the smart card PIN is blocked, so it is necessary to unblock the smart card. Typically the person who will use the smart card sets its PIN code.

5. Click the Active oval and click the Execute button.

6. Enter the Operator token PIN (Passcode) code when prompted.

7. Enter the PIN code to be set on the smart card token and click Initiate to set the PIN code on the smart card and make it active.

8. A summary dialog will appear. Click Ok to close.

This completes the use case.