LDAP Connector

This section details how to configure an LDAP Connector.

Required By

Prerequisites

On the LDAP side, you must create a technical user with write permission on the target LDAP sub-tree (sub DN), so that Horizon can search by email, publish and unpublish certificates using that account. The following information will be required later:

  • LDAP Hostname

  • a login DN

  • a password

  • Base DN to publish SMIME certificates

How to configure LDAP Connector

1. Log in to Horizon Administration Interface.

2. Access LDAP Connector from the drawer or card: Third Parties > LDAP > Connectors.

3. Click on Add Connector.

4. Fill in the mandatory fields.

Connection

  • Name* (string input):
    Enter a meaningful connector name. It must be unique for each connector. Horizon uses the name to identify the connector.

  • Hostname* (string input):
    Enter the hostname or URL of the LDAP server.

  • LDAP Credentials* (select):
    Select the Login credentials entry holding the technical user created for Horizon (login DN and password).

  • Base DN* (string input):
    Enter the Base DN where Horizon should publish the certificate.

  • Max stored certificates per holder* (int):
    Defines the maximum number of certificates stored per holder in the third party.

  • Port (int):
    Enter the port where to reach the running LDAP instance (default values are 389 for LDAP and 636 for LDAPS).

  • Proxy (string select):
    The HTTP/HTTPS proxy used to reach LDAP, if any.

  • Timeout (finite duration):
    Set by default at 10 seconds. Must be a valid finite duration.

Assets identification and management

  • Filter (string input):
    Enter a custom filter. By default, LDAP identities are filtered by (objectclass=user). If you are using inetOrgPerson as the entry type, you will have to set the filter manually to: (objectclass=inetOrgPerson).

  • Target LDAP publication attribute (string input):
    When specified, the certificate is published to this attribute. In most LDAP directories you will have to set the field to userCertificate;binary, but in MSAD the attribute is already handled natively.

  • Target LDAP user identifier attribute (string select):
    The LDAP attribute that will be used to identify a user for publication.

  • Follow referrals (boolean):
    Allow publication to follow LDAP referrals.

  • Create LDAP entry (boolean):
    If true, an LDAP entry is created for this certificate when no entry matching the filter and the identifier attribute is found. The new entry has its objectClass set to the filter value.
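The following is an added example (not Horizon's own code) that models, against an in-memory stand-in for the directory, how the Filter, Target LDAP publication attribute, Target LDAP user identifier attribute, Max stored certificates per holder and Create LDAP entry settings above interact during publication and unpublication. The eviction rule when the per-holder cap is exceeded, the mail-based DN of a created entry and the sample entries are assumptions made here.

```python
import re
from dataclasses import dataclass

# Constructed model of the connector settings described in this section.
@dataclass
class ConnectorConfig:
    base_dn: str
    ldap_filter: str = "(objectclass=user)"       # Filter
    publication_attr: str = "userCertificate;binary"  # publication attribute
    identifier_attr: str = "mail"                 # user identifier attribute
    max_certs_per_holder: int = 2                 # Max stored certificates per holder
    create_entry: bool = False                    # Create LDAP entry

OBJECTCLASS_RE = re.compile(r"^\(objectclass=([^)]+)\)$", re.IGNORECASE)

def object_class_from_filter(ldap_filter: str) -> str:
    """Return the objectClass a simple '(objectclass=X)' filter selects."""
    m = OBJECTCLASS_RE.match(ldap_filter.strip())
    if not m:
        raise ValueError(f"unsupported filter for entry creation: {ldap_filter}")
    return m.group(1)

def find_holder(directory: dict, cfg: ConnectorConfig, identifier: str):
    """DN of the entry under base_dn matching the filter and identifier, else None."""
    wanted = object_class_from_filter(cfg.ldap_filter).lower()
    for dn, attrs in directory.items():
        if not dn.lower().endswith(cfg.base_dn.lower()):  # simplified scope check
            continue
        classes = [c.lower() for c in attrs.get("objectClass", [])]
        if wanted in classes and identifier in attrs.get(cfg.identifier_attr, []):
            return dn
    return None

def publish(directory: dict, cfg: ConnectorConfig, identifier: str, cert_der: bytes) -> str:
    """Publish a DER certificate for the holder; create the entry only if allowed."""
    dn = find_holder(directory, cfg, identifier)
    if dn is None:
        if not cfg.create_entry:
            raise LookupError(f"no entry for {identifier} and Create LDAP entry is off")
        dn = f"{cfg.identifier_attr}={identifier},{cfg.base_dn}"  # assumed DN shape
        directory[dn] = {"objectClass": [object_class_from_filter(cfg.ldap_filter)],
                         cfg.identifier_attr: [identifier]}
    certs = directory[dn].setdefault(cfg.publication_attr, [])
    if cert_der not in certs:
        certs.append(cert_der)
    del certs[:-cfg.max_certs_per_holder]  # assumption: drop the oldest beyond the cap
    return dn

def unpublish(directory: dict, cfg: ConnectorConfig, identifier: str, cert_der: bytes) -> bool:
    """Remove one published certificate; True if it was present."""
    dn = find_holder(directory, cfg, identifier)
    certs = directory.get(dn, {}).get(cfg.publication_attr, []) if dn else []
    if cert_der not in certs:
        return False
    certs.remove(cert_der)
    return True
```

Running the model with the default (objectclass=user) filter against inetOrgPerson entries finds no holder at all, which is the mismatch the Filter field above exists to fix.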

Actors and renewal management

These settings limit the number of authorized interactions with the remote service over a given period. For example, to ensure that the remote service is not contacted more than 5 times per 3 seconds, set Throttle parallelism (the number of calls) to 5 and Throttle duration (the period) to 3 seconds.

  • Throttle duration* (finite duration):
    Set by default to 3 seconds. Must be a valid finite duration.

  • Throttle parallelism* (int):
    Set by default to 3.

5. Click on the save button.

You can update (Edit Connector) or delete (Delete Connector) the LDAP Connector.

You won’t be able to delete an LDAP Connector if it is referenced by any other configuration element.