Allowing AD Users to Manage Azure Vaults

This section describes how to allow AD users to manage Azure vaults using CCKM. Change the sample values according to your requirements.

Note

This feature works in the root domain only.

  1. Create an LDAP connection (for example, ldapcon) on the CipherTrust Manager.

    curl -k '<IP>/v1/usermgmt/connections' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n "name": "ldapcon",\n "strategy": "ldap",\n "options": {\n "server_url": "ldap://<ldap-server-ip>",\n "root_dn": "dc=calculate",\n "uid_field": "uid",\n "user_dn_field": "dn",\n "bind_dn": "cn=ldapadmin,dc=calculate",\n "bind_password": "<password>",\n "group_base_dn": "dc=calculate",\n "group_member_field": "memberUid",\n "group_id_field": "cn",\n "group_filter": "objectClass=posixGroup",\n "guid_field":   "uid"\n }\n}' --compressed
    

    Here, server_url is the URL of the LDAP server.

  2. Create a local group (for example, localgroup) on the CipherTrust Manager.

    curl -k '<IP>/v1/usermgmt/groups' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n "name": "localgroup"\n }' --compressed
    
  3. Map the LDAP group on the LDAP server (for example, ldapgroup) to the newly created localgroup.

    curl -k '<IP>/v1/usermgmt/groupmaps' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n "connection_name": "ldapcon",\n "connection_group_name": "ldapgroup",\n "group_name": "localgroup"\n }' --compressed
    
  4. Map the same LDAP group (ldapgroup) to the "CCKM Users" group so that its members can use CCKM.

    curl -k '<IP>/v1/usermgmt/groupmaps' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' -H 'accept: application/json' --data-binary $'{\n "connection_name": "ldapcon",\n "connection_group_name": "ldapgroup",\n "group_name": "CCKM Users"\n }' --compressed
    
  5. Add an Azure connection. Refer to Microsoft Azure for details on required fields.

  6. Add an Azure vault. Refer to Adding Existing Vaults for details.

  7. Assign the localgroup to this vault.

  8. Log on to the CipherTrust Manager as a member of ldapgroup through the LDAP connection, ldapcon.

    username: ldapcon/<ldap-user-name>
    password: <ldap-user-login-password>
    

The newly added Azure vault should be visible.
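Steps 1 to 4 above as one script, added here as an example and not the documentation's own code. The sample names (ldapcon, localgroup, ldapgroup, "CCKM Users") are the page's; CM_URL, CM_TOKEN, LDAP_URL, LDAP_BASE_DN, LDAP_BIND_DN, LDAP_BIND_PW and CM_CA_BUNDLE are assumed environment variables.

```bash
#!/usr/bin/env bash
# Added example (not from the CipherTrust Manager documentation): the four API
# calls of the procedure above, with the request bodies built from variables.
set -euo pipefail

CM_URL="${CM_URL:-https://<IP>}"                 # CipherTrust Manager base URL (assumed)
CM_TOKEN="${CM_TOKEN:-AUTHTOKEN}"                # API bearer token (assumed)
LDAP_URL="${LDAP_URL:-ldap://<ldap-server-ip>}"  # values below mirror the page's sample
LDAP_BASE_DN="${LDAP_BASE_DN:-dc=calculate}"
LDAP_BIND_DN="${LDAP_BIND_DN:-cn=ldapadmin,dc=calculate}"
LDAP_BIND_PW="${LDAP_BIND_PW:-<password>}"

# Bodies are produced with printf so no $'...' escaping is needed.
ldap_connection_body() {   # $1 name, $2 server_url, $3 base DN, $4 bind DN, $5 bind password
  printf '{"name":"%s","strategy":"ldap","options":{"server_url":"%s","root_dn":"%s",' "$1" "$2" "$3"
  printf '"uid_field":"uid","user_dn_field":"dn","bind_dn":"%s","bind_password":"%s",' "$4" "$5"
  printf '"group_base_dn":"%s","group_member_field":"memberUid","group_id_field":"cn",' "$3"
  printf '"group_filter":"objectClass=posixGroup","guid_field":"uid"}}'
}
group_body() { printf '{"name":"%s"}' "$1"; }
groupmap_body() {          # $1 connection, $2 LDAP group, $3 CipherTrust Manager group
  printf '{"connection_name":"%s","connection_group_name":"%s","group_name":"%s"}' "$1" "$2" "$3"
}

# POST a JSON body to an API path. The server certificate is verified when
# CM_CA_BUNDLE is set; otherwise -k is used, as in the page's commands.
cm_post() {
  local path="$1" body="$2"
  local -a tls=(-k)
  if [ -n "${CM_CA_BUNDLE:-}" ]; then tls=(--cacert "$CM_CA_BUNDLE"); fi
  curl -sS --fail "${tls[@]}" "${CM_URL}${path}" \
    -H "Authorization: Bearer ${CM_TOKEN}" -H 'Content-Type: application/json' \
    -H 'accept: application/json' --data-binary "$body"
}

main() {
  cm_post /v1/usermgmt/connections \
    "$(ldap_connection_body ldapcon "$LDAP_URL" "$LDAP_BASE_DN" "$LDAP_BIND_DN" "$LDAP_BIND_PW")"
  cm_post /v1/usermgmt/groups "$(group_body localgroup)"
  # ldapgroup needs both maps: localgroup is what the vault is assigned to,
  # "CCKM Users" is what lets its members use CCKM at all.
  for target in localgroup "CCKM Users"; do
    cm_post /v1/usermgmt/groupmaps "$(groupmap_body ldapcon ldapgroup "$target")"
  done
}
if [ "${1:-}" = "--apply" ]; then main; fi
```

Run it as `./setup-ldap-vault-access.sh --apply` (name assumed) after exporting the variables; without `--apply` it only defines the functions.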