LDAP-Radius - Trustelem Connect

How does it work?

The goal is to use the Trustelem database to provision and/or authenticate users on an application that speaks LDAP or Radius.
To do so, a connector, Trustelem Connect, is installed on a local customer server and plays the role of LDAP server / Radius server. When it receives a request (LDAP search, LDAP bind, Radius Access request, Radius Challenge request), it forwards the request to Trustelem.

[Image: schema-tlm-connect.png]

1/ During the setup, Trustelem Connect opens a websocket to Trustelem services using port 443.
Note: with the websocket, information is encrypted by the TLS protocol and with an additional symmetric encryption.
Trustelem Connect also opens TCP or UDP ports on the local machine, on a specified local IP, based on the Trustelem setup.
One opened port matches one protocol for one application on Trustelem.
For instance, I set up Trustelem Connect, linked a Bastion application, and chose to use port 5214 on the IP IP-Server2 for the LDAP protocol.

[Image: portLDAP-RADIUS.png]

2/ The application makes a search/authenticate request and sends it to Trustelem Connect on the defined port using LDAP or Radius.
With the previous example, the protocol is LDAP, the IP of the LDAP server is IP-Server2 and the port is 5214.

3/ Trustelem Connect uses the websocket to send the request to Trustelem services.

4/ As said before, on Trustelem the port is associated with a specific protocol and application.
Trustelem examines the access rules related to this protocol and application, and returns the answer to Trustelem Connect using the websocket.

With the previous example:

5/ Trustelem Connect forwards the answer to the application using LDAP or Radius.
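
The following is an added example, not code from the Trustelem documentation or from WALLIX. It is a minimal LDAP v3 simple-bind client written with the Python standard library only, encoding the BindRequest by hand (RFC 4511 BER), so it shows exactly what the application sends to the connector port in step 2 and what comes back in step 5. It is also a convenient check when a bind is "not working": it reports the LDAP result code the connector returns. The host IP-Server2, port 5214, DN and password are placeholders; the example assumes plain LDAP on the connector port (if that port serves LDAPS, the socket must be wrapped with an ssl.SSLContext first).

```python
"""Added example: hand-encoded LDAP v3 simple bind against the port that
Trustelem Connect opens for an application. Standard library only.
Host, port, bind DN and password are placeholders, not documented values."""
import socket

# --- BER helpers (LDAP uses the restricted BER subset of RFC 4511, 5.1) ---

def ber_len(n: int) -> bytes:
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def ber_tlv(tag: int, content: bytes) -> bytes:
    """Tag-Length-Value wrapper."""
    return bytes([tag]) + ber_len(len(content)) + content

def ber_int(value: int) -> bytes:
    """INTEGER (tag 0x02) in minimal two's-complement form."""
    size = (value.bit_length() + 8) // 8
    return ber_tlv(0x02, value.to_bytes(size, "big", signed=True))

def ber_read(buf: bytes, pos: int = 0):
    """Decode the TLV at pos; returns (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

# --- LDAP messages ---

RESULT_NAMES = {0: "success", 1: "operationsError", 7: "authMethodNotSupported",
                8: "strongerAuthRequired", 32: "noSuchObject",
                49: "invalidCredentials", 53: "unwillingToPerform"}

def build_bind_request(message_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple } }."""
    bind_request = ber_tlv(
        0x60,                                        # [APPLICATION 0] BindRequest
        ber_int(3)                                   # LDAP version 3
        + ber_tlv(0x04, bind_dn.encode("utf-8"))     # name: LDAPDN
        + ber_tlv(0x80, password.encode("utf-8")),   # authentication: simple [0]
    )
    return ber_tlv(0x30, ber_int(message_id) + bind_request)

def parse_bind_response(msg: bytes) -> dict:
    """Extract messageID, resultCode, matchedDN and diagnosticMessage."""
    tag, body, _ = ber_read(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, msg_id, pos = ber_read(body)
    tag, response, _ = ber_read(body, pos)
    if tag != 0x61:                                  # [APPLICATION 1] BindResponse
        raise ValueError("unexpected protocolOp 0x%02x" % tag)
    _, code, pos = ber_read(response)
    _, matched_dn, pos = ber_read(response, pos)
    _, diagnostic, _ = ber_read(response, pos)
    rc = int.from_bytes(code, "big", signed=True)
    return {"message_id": int.from_bytes(msg_id, "big", signed=True),
            "result_code": rc, "result": RESULT_NAMES.get(rc, "other"),
            "matched_dn": matched_dn.decode("utf-8"),
            "diagnostic": diagnostic.decode("utf-8")}

def recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connector closed the connection")
        buf += chunk
    return buf

def recv_ldap_message(sock: socket.socket) -> bytes:
    """Read one complete BER-framed LDAPMessage from the socket."""
    head = recv_exact(sock, 2)
    if head[1] < 0x80:
        length = head[1]
    else:
        extra = recv_exact(sock, head[1] & 0x7F)
        head += extra
        length = int.from_bytes(extra, "big")
    return head + recv_exact(sock, length)

def ldap_bind(host: str, port: int, bind_dn: str, password: str, timeout=5.0) -> dict:
    """Connect to the connector port, bind once, return the parsed result.
    Assumes plain LDAP on that port (wrap the socket with ssl for LDAPS)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_bind_request(1, bind_dn, password))
        return parse_bind_response(recv_ldap_message(sock))

if __name__ == "__main__":
    # Offline demonstration with a constructed BindResponse (resultCode 49).
    sample = b"\x30\x0c\x02\x01\x01\x61\x07\x0a\x01\x31\x04\x00\x04\x00"
    print(build_bind_request(1, "cn=alice,dc=example,dc=com", "secret").hex())
    print(parse_bind_response(sample))
    # Against a real connector (placeholders): ldap_bind("IP-Server2", 5214, "cn=...", "...")
```

A result code of 0 means the bind was accepted by Trustelem; 49 (invalidCredentials) means the connector reached Trustelem but the access rules or credentials rejected the user; a connection refusal or timeout means the connector is not listening on that IP and port at all, which points at the port configuration from step 1 rather than at the access rules.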

Prerequisites

Set up Trustelem Connect on a Windows machine

In your Trustelem administration page:

[Image: create_service.png]

On your server:

[Image: setup_ldap.png]

tls_cert = "C:\Program Files (x86)\Trustelem\connector.crt"
tls_cert_key = "C:\Program Files (x86)\Trustelem\connector.key"

In your Trustelem administration page:

[Image: setup2_ldap.png]

You now have a functional connector.

Set up Trustelem Connect on a Linux machine

In your Trustelem administration page:

[Image: create_service.png]

On your server:

service_id = 2jy34wpcohrhdytr6hutym6qfi2l7nnw
state_dir = run/
# if there is a proxy
proxy = https://username:password@proxy_IP:proxy_port
tls_cert = run/connector.crt
tls_cert_key = run/connector.key

In your Trustelem administration page:

[Image: setup2_ldap.png]

You now have a functional connector.

Set up an application to use Trustelem Connect

Note: for WALLIX Bastion and WALLIX Access Manager, refer to the dedicated documentation instead of this chapter.

On your Trustelem administration page:

[Image: ldap-app.png]

[Image: setup3_ldap.png]

Trustelem is now ready to reply to applications sending requests to Trustelem Connect with the correct port and IP.

Of course, you still need to create the access rules that define which users can use the application:
https://trustelem-doc.wallix.com/books/trustelem-administration/page/access-rules

In your application setup:

Add an LDAP and/or Radius configuration, based on the information provided by Trustelem.

With the example used in the first chapter, the setup is:

[Image: setup5_ldap.png]

Debug

The connector doesn't appear in the setup page on the admin page

The LDAP or Radius authentication is not working


Revision #10
Created 1 July 2022 08:22:01 by WALLIX Admin
Updated 18 June 2024 07:30:08 by WALLIX Admin