
LDAP-Radius

The goal is to use the Trustelem user database to provision and authenticate users on an application that speaks LDAP or Radius.
To do so, a connector, TrustelemConnect, is installed on a server that the application can reach.

flowLDAP-RADIUS.png

1/ During the setup, TrustelemConnect opens an outbound websocket to the Trustelem services on port 443. The connector initiates this connection, so only outbound traffic to port 443 is required on the connector side.
Note: traffic on the websocket is protected by TLS and by an additional layer of symmetric encryption.

2/ The application queries TrustelemConnect about users over LDAP or Radius on a dedicated port (5214 in this example).

3/ TrustelemConnect forwards to the Trustelem services, over the websocket:

  • the request

  • the listen address and port on which the application contacted TrustelemConnect (IP-Server2 and port 5214 in the example)

4/ On Trustelem, the listen address and port are bound to a specific application. Trustelem returns to TrustelemConnect, over the websocket, the users who have an access rule for that application.

portLDAP-RADIUS.png

In the example, IP-Server2 is allowed on port 5214 and that pair is bound to the application Bastion, so Trustelem returns information about the users who have an access rule for Bastion. A request arriving on an address/port pair that is not declared in Trustelem cannot be matched to any application.

5/ TrustelemConnect replies to the application using LDAP or Radius.
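The exchange in steps 2 and 5, seen from the application side, as an added example that is not part of this page or of WALLIX's code: a minimal LDAPv3 simple bind (RFC 4511) against the TrustelemConnect listen port, built with the standard library only. The host, port, bind DN and password are placeholders; the real values come from the Services and Apps pages described later on this page. A simple bind carries the password in clear, so the probe uses LDAPS by default and verifies the certificate the connector serves (the one named by tls_cert in config.ini), which means the issuing CA must be trusted or passed as ca_file.

```python
"""Minimal LDAPv3 simple-bind probe (RFC 4511), stdlib only.

Added example, not WALLIX code. It plays the application's role in steps 2/5:
bind against TrustelemConnect on its LDAP listen port and decode the result.
CONNECTOR_HOST / port / DN / password below are placeholders (assumptions).
"""
import socket
import ssl

CONNECTOR_HOST = "IP-Server2"   # placeholder: the connector's listen address from the Services tab

# LDAP result codes the probe distinguishes (RFC 4511, appendix A)
RESULT_CODES = {0: "success", 7: "authMethodNotSupported", 8: "strongerAuthRequired",
                32: "noSuchObject", 34: "invalidDNSyntax", 49: "invalidCredentials",
                50: "insufficientAccessRights", 53: "unwillingToPerform"}


def ber_len(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    """One BER element: tag, length, value."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(v: int) -> bytes:
    """INTEGER for non-negative values, minimal two's-complement encoding."""
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))


def bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }."""
    op = ber_int(3) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, ber_int(msg_id) + tlv(0x60, op))


def read_tlv(buf: bytes, pos: int = 0):
    """Decode one BER element at pos; returns (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(buf: bytes):
    """Returns (messageID, resultCode, diagnosticMessage) from a BindResponse [APPLICATION 1]."""
    tag, msg, _ = read_tlv(buf)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, p = read_tlv(msg)
    tag, op, _ = read_tlv(msg, p)
    if tag != 0x61:
        raise ValueError("expected BindResponse, got tag 0x%02x" % tag)
    _, rc, p = read_tlv(op)            # resultCode ENUMERATED
    _, _matched, p = read_tlv(op, p)   # matchedDN
    _, diag, _ = read_tlv(op, p)       # diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(rc, "big"), diag.decode(errors="replace")


def recv_message(sock) -> bytes:
    """Read exactly one BER-framed LDAPMessage from the socket."""
    def recv_exact(n: int) -> bytes:
        data = b""
        while len(data) < n:
            chunk = sock.recv(n - len(data))
            if not chunk:
                raise ConnectionError("connection closed by TrustelemConnect")
            data += chunk
        return data
    head = recv_exact(2)
    if head[1] & 0x80:                       # long-form length
        head += recv_exact(head[1] & 0x7F)
        length = int.from_bytes(head[2:], "big")
    else:
        length = head[1]
    return head + recv_exact(length)


def ldap_bind(host, port, dn, password, use_tls=True, ca_file=None, timeout=5.0):
    """Bind as the application would; returns (resultCode, name, diagnosticMessage)."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        # LDAPS: verify the connector's certificate (tls_cert in config.ini); pass the
        # issuing CA as ca_file when it is private. Never send a simple bind in clear.
        ctx = ssl.create_default_context(cafile=ca_file)
        sock = ctx.wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(bind_request(1, dn, password))
        msg_id, code, diag = parse_bind_response(recv_message(sock))
        if msg_id != 1:
            raise ValueError("response messageID does not match the request")
    return code, RESULT_CODES.get(code, "code %d" % code), diag


if __name__ == "__main__":
    # Placeholder DN and password (assumptions): use the values shown for your application.
    print(ldap_bind(CONNECTOR_HOST, 5214, "cn=user,dc=example", "password"))
```

A result code of 49 (invalidCredentials) with a working TLS handshake tells you the connector and the Trustelem mapping are reachable and only the credentials are wrong; a TLS failure points at the certificate pair declared in config.ini.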

Setup TrustelemConnect

In your Trustelem administration page:

  • Go to the Services tab.
    https://admin-mydomain.trustelem.com/app#/services
    Note: if you don't have access to this feature, please contact WALLIX Trustelem support.

  • Click on the button + Create a service and copy the service ID.

create_service.png

On your server:

  • Download the latest version of Trustelem Connect, available at this URL:
    https://dl.trustelem.com/connect/

  • Run the setup and paste your service ID when prompted (in the setup window or in the configuration file).

  • To use LDAPS, add a config.ini file in the Trustelem installation folder that points to your certificate and private key (PEM format). Restrict read access on the key file to the account that runs the service:

tls_cert = "C:\Program Files (x86)\Trustelem\connector.crt"
tls_cert_key = "C:\Program Files (x86)\Trustelem\connector.key"
  • Start the service.

setup_ldap.png

In your Trustelem administration page:

  • Refresh your Services page.

  • Turn on the service by clicking on the No toggle.

setup2_ldap.png

You now have a functional connector.

Note: if you want to install the connector on a Linux machine, follow these steps:

  • Download the tgz version, and install the connector as a service with the setup.sh script.
  • To complete the configuration, edit /opt/wallix/trustelem-connect/config.ini so that it contains the service ID (service_id).
  • A sample minimal config.ini would be:
service_id = 2jy34wpcohrhdytr6hutym6qfi2l7nnw
state_dir = run/
  • The run folder must be readable and writable by the trustelem user.
  • You can provide your own X.509 certificate for LDAPS and STARTTLS; the accepted format is PEM. Keep the key file readable by the trustelem user only:
tls_cert = run/connector.crt
tls_cert_key = run/connector.key
  • After that, start the service with: systemctl start trustelem-connect.service
  • The service runs as the trustelem user.

Setup Trustelem

In your Trustelem administration page:

  • Go to the Apps tab.

  • Click on + Add an application

  • Choose either a pre-integrated application or a generic model, depending on your needs.
    If you only need LDAP / Radius, the generic Basic no SSO model is enough.

  • Turn on LDAP and/or Radius.

ldap-app.png

  • Go back to the previously configured service and click on Add an application +

  • Click on LDAP and/or Radius, then enter the listen address and port.
    Note: the listen address can be localhost, all interfaces, or a specific IP. It must match the address the application uses to reach TrustelemConnect, since Trustelem identifies the application by that address/port pair; prefer localhost or a specific IP over all interfaces when the application allows it.

setup3_ldap.png

  • Go to the Access Rules tab

  • Click + Create

  • Select your application, then enter the number of factors required for LDAP and/or Radius authentication.
    Note: internal and external zones are used for SAML, OpenID Connect or NoSSO access. They play no role in LDAP / Radius-only authentication.

setup4_ldap.png

Trustelem is now ready to reply to applications that send requests to TrustelemConnect on the declared IP and port.

Setup the application

In your application, configure LDAP and/or Radius with the information provided by Trustelem:

  • the port is the one defined in the Services tab
    https://admin-mydomain.trustelem.com/app#/services

  • the domain, user and password are shown in the application's setup page

    https://admin-mydomain.trustelem.com/app#/apps

With the initial example:

setup5_ldap.png
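The Radius side of the same exchange, as an added example that is not part of this page or of WALLIX's code: a PAP Access-Request (RFC 2865) sent to the TrustelemConnect Radius listen port, with the User-Password hiding of RFC 2865 section 5.2 and a check of the Response Authenticator on the reply, so that a forged or mis-keyed answer is rejected rather than trusted. The host, port, shared secret and credentials are placeholders (assumptions). The Access-Challenge handling is the generic RFC 2865 section 2.1 flow (resend with the State attribute and the next factor in User-Password); this page only states that a number of factors can be required, not how Trustelem prompts for them, so treat that part as an assumption to check against your deployment.

```python
"""RADIUS PAP Access-Request probe (RFC 2865), stdlib only.

Added example, not WALLIX code. It plays the application's role in steps 2/5:
send an Access-Request to TrustelemConnect on its Radius listen port and
verify the reply. Host, port, shared secret and credentials are placeholders.
"""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE, NAS_IDENTIFIER = 1, 2, 18, 24, 32


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: NUL-pad to 16n bytes, XOR each block with MD5(secret + previous
    block), seeded with the Request Authenticator. Obfuscation, not encryption."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the server side computes it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(kind: int, value: bytes) -> bytes:
    """One attribute: Type, Length (including the 2 header bytes), Value."""
    return bytes([kind, len(value) + 2]) + value


def parse_attrs(data: bytes):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("malformed attribute")
        kind, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((kind, data[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(ident, username, password, secret, state=None, nas_id=b"trustelem-probe"):
    """Returns (packet, request_authenticator); keep the authenticator to check the reply."""
    req_auth = os.urandom(16)
    attrs = (attr(USER_NAME, username)
             + attr(USER_PASSWORD, hide_password(password, secret, req_auth))
             + attr(NAS_IDENTIFIER, nas_id))
    if state is not None:
        attrs += attr(STATE, state)   # echoed back during a challenge round
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs, req_auth


def build_response(code, ident, req_auth, attrs, secret):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs


def parse_response(packet, ident, req_auth, secret):
    """Validates length, identifier and Response Authenticator; returns (code, attrs)."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, pid, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad length")
    packet = packet[:length]          # octets beyond Length are padding and ignored
    if pid != ident:
        raise ValueError("identifier mismatch: not a reply to our request")
    expected = hashlib.md5(packet[:4] + req_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad Response Authenticator: wrong shared secret or forged reply")
    return code, parse_attrs(packet[20:])


def radius_auth(host, port, username, password, secret, next_factor=None, timeout=5.0):
    """PAP authentication; on Access-Challenge, resends with State and next_factor()'s value."""
    ident, state = os.urandom(1)[0], None
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        while True:
            packet, req_auth = build_access_request(ident, username, password, secret, state)
            sock.sendto(packet, (host, port))
            code, attrs = parse_response(sock.recv(4096), ident, req_auth, secret)
            if code != ACCESS_CHALLENGE or next_factor is None:
                return code, attrs
            got = dict(attrs)
            state, ident = got.get(STATE), (ident + 1) % 256
            password = next_factor(got.get(REPLY_MESSAGE, b"").decode(errors="replace")).encode()


if __name__ == "__main__":
    # Placeholders (assumptions): listen address from the Services tab, the Radius port and
    # shared secret configured for your application, and a test user's credentials.
    code, _ = radius_auth("IP-Server2", 1812, b"alice", b"password", b"shared-secret",
                          next_factor=lambda prompt: input(prompt + " "))
    print({ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}.get(code, code))
```

Because RADIUS only authenticates the reply with an MD5 over the shared secret, the secret is the whole trust anchor between the application and TrustelemConnect: use a long random value and keep the Radius listen address as narrow as the application allows.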