Generic LDAP

Before You Start

Overview

In this article, you'll learn how to integrate your LDAP directory with an Acreto Ecosystem. The procedure is the same for any LDAP service; all it requires is the connection details of your LDAP server. If you are looking for a platform-specific guide, read the articles about Active Directory - Azure or Active Directory - Windows Server.

In this article, we will use Okta as a free LDAP provider.

Prerequisites

To integrate Acreto with the LDAP provider, you will need the following:

  1. Active Acreto Ecosystem
  2. Connection details for the LDAP provider service.

The Purpose of LDAP

An LDAP integration allows your Acreto Ecosystem to use the user credentials stored in your LDAP directory, so users can connect to the Ecosystem with the Acreto TLS Client.

We recommend using the LDAPS version of the protocol for the communication between the Acreto Ecosystem and the LDAP service. LDAPS is the TLS-secured version of the protocol; any modern LDAP service provider should support it.

Tip

Administrators integrate with an LDAP (Lightweight Directory Access Protocol) directory to streamline the user login process and to automate administrative tasks, such as creating users and assigning roles. An LDAP integration allows the system to use its existing LDAP server as the master source of user data.

Typically, LDAP integration is also part of a single sign-on implementation.

How Does it Work?

The integration binds to the LDAP server with the service account credentials and searches for the user's distinguished name (DN). Given the user's DN, the integration then reconnects to LDAP, binding with the user's DN and the password the user supplied.

The diagram below shows the communication flow between Employees (connecting to the Ecosystem with the Acreto TLS Client), the Acreto Ecosystem, and LDAP.

sequenceDiagram
    Employee->>Ecosystem: Here is my password.
    Ecosystem->>LDAP: Here is Employee's password.
    LDAP->>Ecosystem: Sure, let the Employee in!
    Ecosystem->>Employee: Welcome!

Info

The integration never stores LDAP passwords on the Ecosystem.

The integration uses a read-only connection and never writes to the LDAP directory; it only queries for information.
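The two-step flow described above, as an added example in Python (not the integration's own code): bind as the service account, search for the employee's DN, then rebind as that DN with the employee's password. It uses the ldap3 library (assumed to be installed), assumes a `uid` attribute and an Okta-style base DN, and escapes the username before placing it in the search filter so that a crafted value cannot change the filter's meaning.

```python
"""Two-step LDAP authentication: service-account search, then user bind."""
from dataclasses import dataclass
import ssl

# RFC 4515 escaping for values placed inside a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for safe use inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def okta_user_base_dn(account_id: str) -> str:
    """Build the User Base DN in the Okta layout used by the form (assumed account id)."""
    return f"ou=users,dc={account_id},dc=okta,dc=com"


def user_search_filter(username: str, attr: str = "uid") -> str:
    """Filter used in step 1 to find the employee's DN (attribute name is an assumption)."""
    return f"({attr}={escape_filter_value(username)})"


@dataclass
class LdapSettings:
    host: str                 # hypothetical LDAP host, e.g. "ldap.example.com"
    port: int = 636           # LDAPS, as recommended above
    bind_user: str = ""       # Binding User DN (read-only service account)
    bind_password: str = ""
    user_base_dn: str = ""


def authenticate(settings: LdapSettings, username: str, password: str) -> bool:
    """Return True only if exactly one user matches and binds with the given password."""
    from ldap3 import Server, Connection, Tls  # imported here so the helpers work without ldap3
    tls = Tls(validate=ssl.CERT_REQUIRED)      # verify the server certificate over LDAPS
    server = Server(settings.host, port=settings.port, use_ssl=True, tls=tls)
    # Step 1: service-account bind and DN lookup; nothing is written to the directory.
    with Connection(server, user=settings.bind_user,
                    password=settings.bind_password, auto_bind=True) as svc:
        svc.search(settings.user_base_dn, user_search_filter(username), attributes=[])
        if len(svc.entries) != 1:  # unknown or ambiguous user: refuse
            return False
        user_dn = svc.entries[0].entry_dn
    if not password:               # an empty password would be an unauthenticated bind
        return False
    # Step 2: rebind as the employee; the password is used once and never stored.
    try:
        with Connection(server, user=user_dn, password=password, auto_bind=True):
            return True
    except Exception:              # ldap3 raises LDAPBindError on a rejected bind
        return False
```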

How To

Configuration of LDAP Provider

To configure your LDAP to work with Acreto, please:

  1. Log in to the LDAP user management dashboard to ensure that at least one user has been added. (Screenshot: Users in LDAP)
  2. Prepare the connection credentials:
    1. Base DN - the distinguished name of the directory subtree in which users are searched (Screenshot: Base DN for Okta)
    2. Binding User - username and password of the account used to authorize the connection between Acreto and LDAP

Configuration of Acreto Ecosystem

  1. Log in to a new or existing Ecosystem. (Screenshot: Login)

  2. Create Security Policy: create a Security Policy that allows users who connect through your Identity Provider to reach all destinations.

    To simplify the initial configuration, we will create a policy that allows all traffic to be passed through the Ecosystem.

    Info

    It would be best to customize the Security Policy to fit your needs once the Identity Provider setup is complete. It should be configured to limit access to network resources for each group (Profile Group).

    (Screenshot: Security Policy)

  3. Add New Identity Provider

    To add a new Identity Provider, select Objects and Identity Providers from the left menu and click “Add New”.

    (Screenshot: Add IdP)

  4. Fill the form with proper values:

    1. Name - descriptive name for this IdP
    2. Description - description of the IdP
    3. Identity Provider Type - in the case of AD config, choose one of two options (Screenshot: Basic configuration)
    4. Host - domain or IP address of your AD server
    5. Port - 636
    6. Username - user name used to connect
    7. Password - password for the user account
    8. User Base DN - for Okta LDAP use ou=users, dc=ACCOUNT-ID, dc=okta, dc=com. (Screenshot: Connection details)

Tip

Base DN and other values may be specific to your own configuration. Check the correct values in your LDAP provider's knowledge base.

  5. Save and commit your changes.

To allow users (employees, team members, or other VPN users) to authenticate in the Acreto Connect Client with their LDAP credentials, Acreto provides a unique, individual URL for every Ecosystem, called the Onboarding Portal.

  1. To access the unique URL to that portal, please click on Edit next to the previously added IdP and scroll down.

    (Screenshot: Onboarding Portal)

  2. Then, click on the icon to copy the URL.

    (Screenshot: Onboarding Portal)

  3. Now, provide the generated link to your users.

End User Experience

When the End User or Employee opens the Onboarding Portal, the Welcome Page is presented.

The Ecosystem Admin should share this URL with the End Users and ask them to open it and follow the instructions.

(Screenshot: Onboarding screenshot 1)

(Screenshot: Onboarding screenshot 2)

Summary

Thanks to the integration between Acreto and LDAP providers, users can connect to an Acreto Ecosystem with the same credentials they use for other internal resources on their network domain.

Also, Acreto Ecosystem Admins can reuse any existing password and security policies that are already in place. For example, the LDAP provider may already enforce account lockout and password expiration policies.