How to add a directory service

You can add LDAP or Google as directory services in the Centrify Admin Portal. If you have the same username in multiple directory services, you can set the lookup order so your preferred directory service is searched first.

Refer to the following procedures for details.

LDAP communicates with the Centrify Connector over TLS/SSL on port 636. As part of the client/server handshake between the connector and the LDAP server, the LDAP server must present the connector with an X.509 certificate. To establish a trust relationship between the connector and the LDAP server, you must install the CA certificate that issued the LDAP server’s Server Authentication certificate on the machine running the Centrify Connector (specifically, the Local Computer Trusted Root Certification Authorities certificate store).

Your LDAP servers must meet the following minimum requirements before you add LDAP as a directory service.

  • The server must support reading of the server's Root DSE (RFC 4512, section 5.1), and the Root DSE attributes must indicate that the server supports the LDAPv3 protocol.

    As LDAPv2 was retired in 2003, most current servers will meet this requirement; however, any server that fails to meet these requirements is not supported.

  • A per-entry attribute that can be used as a server-scope unique identifier is required.

    This attribute should be invariant, i.e. it should never change for the lifetime of the entry. This will default to the DN, but if the DN is liable to change in your installation you can specify a different attribute. In this case an operational attribute such as entryUuid is preferred. If your LDAP server/schema lacks this operational attribute then you can try using a "unique" structural attribute as an alternative, but Centrify does not recommend or support this.

    In either case, if the attribute ever changes then the user/group that it represents will be seen as a different user/group, resulting in orphaned users, "lost" OATH tokens, and deleted app settings and assignments. It is extremely important that care be taken to select an appropriate attribute. Information about best practices for selecting an attribute for this purpose can be found here.

    Note:   The selected attribute may not be changed after the configuration is created.

  • An attribute containing the user's login name must exist and must be able to be queried to obtain the entity's DN, and a simple bind using that DN and a provided credential must be able to be successfully completed.

  • The server must support the Modify Password Extended Operation for password reset/change to work as expected.

Centrify's LDAP support is flexible enough that some servers not meeting the minimal requirements could be configured successfully, but Centrify does not recommend or support servers that do not meet the minimal requirements.

Note:   To use the Group DN feature, your connector must be using version 21.2 or greater.

To add LDAP for the connector

  1. Log in to Admin Portal as a system administrator.
  2. Click Settings > Users > Directory Service > Add LDAP Directory.
  3. In the Settings tab, provide the required information.
    You can optionally set the Group DN to specify an alternate DN just for groups.

    Note:   When not set, the Base DN is used for both users and groups.

  4. Click the Mappings tab to map your LDAP instance. See Configuring LDAP Directory Service for details on how to map your LDAP instance.
    • For group searches, the mapping will apply the keyword search to the group name and user's display name.
    • For user searches, the mapping will apply the keyword to the user's display name, first name, last name, email, and login name.
  5. Click Connectors and select the Centrify Connector to use with this service or let the LDAP server find an available cloud connector.
  6. Click Save.

For additional information on configuring an LDAP service, see Configuring LDAP Directory Service for details.

If you are using G Suite to store and manage your user information, you can configure Privileged Access Service to recognize it as a directory service. Users can then use their Google account details to log in to Admin Portal.

To add G Suite as a directory service

  1. Log in to Admin Portal as a system administrator.
  2. Click Settings > Users > Directory Service > Add Google Directory.
  3. Click Authorize and enter your G Suite administrator credentials.
  4. (Optional) Click Add to enter a redirect URI if you want your users to use a more recognizable URI that is specific to your organization.
  5. Click Save.

Repeat the above procedure to add another Google directory.

Note:   If you use Google directory for managing your users, then do not deploy the G Suite SAML application to those same users. If you do, those users will not be able to authenticate into both Google and Privileged Access Service because they will be redirected back and forth between Google directory and Privileged Access Service.

If you have the same username in multiple directory services, you can set the lookup order so your preferred directory service is searched first. For example, you might want LDAP to be searched before AD. Directory services are listed in the order of lookup. You can change the list order to your preferred lookup order.

Note:   Centrify Directory is always listed first, and Federated Directory is always listed last. You can only change the order of AD, LDAP, and Google.

To change the directory lookup order

  1. Click Change Lookup Order.

  2. Drag and drop the listed directory services until they are in the preferred order.

    Directories listed on top are searched first

  3. Click Save Lookup Order.