LDAP
Introduction
This section details the LDAP integration with Horizon, used to publish and unpublish certificates on LDAP.
The integration requires setting up the following elements on the Horizon side:
- an LDAP Connector, which holds the configuration items required by Horizon to connect to LDAP
- an LDAP Trigger, which holds the configuration items specifying how Horizon should publish/unpublish certificates through the specified LDAP connector
Only SMIME certificates can be published.
LDAP Connector
This section details how to configure an LDAP Connector.
Prerequisites
On the LDAP side, a technical user with write permissions on the LDAP sub-tree must be created, so that Horizon can search by email, publish and unpublish certificates using that technical user. The following information will be required later:
- LDAP hostname
- a login DN
- a password
- the Base DN under which SMIME certificates are published
How to configure LDAP Connector
1. Log in to Horizon Administration Interface.
2. Access LDAP Connector from the drawer or card: Third Parties > LDAP > Connectors.
3. Click on .
4. Fill in the mandatory fields.
Connection
- Name* (string input): Enter a meaningful connector name. It must be unique for each connector. Horizon uses the name to identify the connector.
- Hostname* (string input): Enter the URL pointing to LDAP.
- Login DN* (string input): Enter the DN of the technical user created for Horizon.
- Password* (string input): Enter the password associated with the login.
- Base DN* (string input): Enter the Base DN where Horizon should publish the certificate.
- Max stored certificates per holder* (int): When specified, defines the maximum number of certificates stored in the third party for one holder.
- Port (int): Enter the port on which the LDAP instance listens (default values are 389 for LDAP and 636 for LDAPS).
- Proxy (string input): The HTTP/HTTPS proxy used to reach LDAP, if any.
- Timeout (finite duration): Set by default to 10 seconds. Must be a valid finite duration.
Assets identification
- Filter* (string input): Enter the custom filter. By default, LDAP identities are filtered by (objectclass=user). If you are using inetOrgPerson as the object type, you will have to set the following filter manually: (objectclass=inetOrgPerson).
- Target LDAP publication attribute (string input): When specified, the certificate is published to the specified attribute. In most LDAP directories you will have to set this field to "userCertificate;binary", but in MSAD the attribute is already handled correctly without it.
Actors management
These configuration elements mainly define the number of authorized interactions with the remote service over a given period. For example, one may need to ensure that the remote service is not contacted more than 5 times per 3 seconds. Throttle parallelism defines the number of calls and Throttle duration the period of time. In the above example, throttle parallelism would therefore be set to 5 and throttle duration to 3 seconds.
- Throttle duration* (finite duration): Set by default to 3 seconds. Must be a valid finite duration.
- Throttle parallelism* (int): Set by default to 3.
5. Click on the save button.
You can update or delete the LDAP Connector.
You won't be able to delete an LDAP Connector if it is referenced in any other configuration element.
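The throttle semantics described under Actors management (at most Throttle parallelism calls within any Throttle duration window), shown as an added example that is not Horizon's code. It models the two fields as a sliding window; the time source is injected so the behaviour is deterministic, and the sliding-window interpretation is an assumption.

```python
from collections import deque


class LdapThrottle:
    """Admit at most `parallelism` calls in any window of `duration_s` seconds.

    Assumed reading of the Horizon fields: Throttle parallelism = number of
    calls, Throttle duration = length of the window (defaults 3 and 3 s).
    """

    def __init__(self, parallelism: int = 3, duration_s: float = 3.0):
        self.parallelism = parallelism
        self.duration_s = duration_s
        self._calls = deque()  # timestamps of admitted calls, oldest first

    def try_acquire(self, now: float) -> float:
        """Return 0.0 if a call may proceed now (and record it), otherwise
        the number of seconds to wait before the window frees a slot."""
        # Forget calls that have fallen out of the window.
        while self._calls and now - self._calls[0] >= self.duration_s:
            self._calls.popleft()
        if len(self._calls) < self.parallelism:
            self._calls.append(now)
            return 0.0
        return self.duration_s - (now - self._calls[0])


if __name__ == "__main__":
    # The page's example: no more than 5 contacts per 3 seconds.
    throttle = LdapThrottle(parallelism=5, duration_s=3.0)
    for t in (0.0, 0.1, 0.2, 0.3, 0.4, 1.0, 3.0):
        print(f"t={t:.1f}s wait={throttle.try_acquire(t):.1f}s")
```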
LDAP Triggers
This section describes how to manage the Triggers used by profiles to publish or unpublish certificates into LDAP.
Prerequisites
How to configure LDAP trigger
1. Log in to Horizon Administration Interface.
2. Access LDAP triggers from the drawer or card: Third Parties > LDAP > Triggers.
3. Click on .
4. Fill in the mandatory fields.
- Name* (string input): Enter a meaningful trigger name. It must be unique for each trigger. Horizon uses the name to identify the trigger.
- LDAP Connector Certificate Publication* (select): Select an LDAP connector previously created.
- Retries in case of error (int): Number of times to retry pushing the change to the Intune PKCS repository in case of error. Must be an integer between 1 and 15.
5. Click on the save button.
You can run, update or delete the trigger.
Integration of the third party to the WebRA
Once the connector is configured, the lifecycle of its elements can be automated using the WebRA.
Automation using triggers
Triggers are a WebRA feature that pushes lifecycle events into a third party whenever they occur on a WebRA profile.
1. Refer to the trigger documentation to create a trigger.
2. Create or modify the WebRA profile you wish to use the triggers on.
3. Go to the Triggers tab, then to Certificate lifecycle triggers.
4. Choose which lifecycle events you wish to use triggers for (enrollment, revocation, expiration).
5. Select one or more existing triggers from the menu (if several are selected, they will all be called whenever the selected event occurs).
6. Click on the Save button.
From now on, whenever a selected lifecycle event occurs on the configured WebRA profile, the trigger is called and the certificate is pushed into or removed from the third party container.
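What the connector and trigger settings amount to on the wire, as an added example that is not Horizon's or the project's code: the search by email is combined with the connector's Filter field (with RFC 4515 escaping so a value taken from a certificate cannot alter the filter), the PEM certificate is converted to the DER that "userCertificate;binary" holds, and the enrollment and revocation events become LDIF modify operations, the former trimmed to Max stored certificates per holder. The "mail" attribute name, the dropping of the oldest value first, and the sample DN and certificate bytes are assumptions or constructed.

```python
from __future__ import annotations
import base64
import re

# RFC 4515 escapes for characters that would change a filter's structure.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(c, c) for c in value)


def search_filter(email: str, identity_filter: str = "(objectclass=user)") -> str:
    """Combine the connector's Filter field (default (objectclass=user)) with the
    lookup by email. The 'mail' attribute name is an assumption."""
    return f"(&{identity_filter}(mail={escape_filter_value(email)}))"


def pem_to_der(pem: str) -> bytes:
    """userCertificate;binary carries DER, so strip the PEM armour and decode."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def _mod(op: str, attr: str, der: bytes) -> list[str]:
    # One LDIF modification: operation, base64 value (":: " marks base64), separator.
    return [f"{op}: {attr}", f"{attr}:: {base64.b64encode(der).decode()}", "-"]


def publish_ldif(holder_dn: str, existing: list[bytes], new_der: bytes,
                 max_per_holder: int, attr: str = "userCertificate;binary"):
    """LDIF for an enrollment event. Drops the oldest stored values so that at
    most max_per_holder remain (assumed reading of 'Max stored certificates per
    holder'). Returns (ldif, values stored after the change)."""
    kept = existing + [new_der]
    lines = [f"dn: {holder_dn}", "changetype: modify"]
    while len(kept) > max_per_holder:
        lines += _mod("delete", attr, kept.pop(0))
    lines += _mod("add", attr, new_der)
    return "\n".join(lines) + "\n", kept


def unpublish_ldif(holder_dn: str, der: bytes, attr: str = "userCertificate;binary") -> str:
    """LDIF for a revocation/expiration event: remove exactly that one value."""
    return "\n".join([f"dn: {holder_dn}", "changetype: modify"] + _mod("delete", attr, der)) + "\n"


if __name__ == "__main__":
    # Constructed sample: a holder with two stored values, limit of two per holder.
    dn = "uid=alice,ou=people,dc=example,dc=com"
    print(search_filter("alice@example.com", "(objectclass=inetOrgPerson)"))
    print(publish_ldif(dn, [b"c1", b"c2"], b"c3", max_per_holder=2)[0])
    print(unpublish_ldif(dn, b"c3"))
```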