For the latest version, please use Certificate Lifecycle Manager 6.1.0!

Integration with Active Directory

This page describes the process of integrating Certificate Lifecycle Manager with Active Directory.

Log in to Keycloak

  • Access your Keycloak instance using administrator account credentials.

Select the MTG-ERS Realm

  • From the top-left corner, select the MTG-ERS realm.

Access User Federation

  • Navigate to the left sidebar menu and select User Federation as shown below:

800

Enable the LDAP Provider

  • Click on the existing ldap - read-only mode LDAP provider.

  • Enable it by clicking the Enabled button in the top-right corner, as shown below:

800

Configure LDAP Settings

  • Configure the fields with the appropriate information corresponding to your Active Directory.

  • Navigate to the Connection and Authentication Settings section.

Set Connection URL

  • Enter the LDAP server’s connection URL, including the port number. For example:

ldaps://ad.example.com:636

Test the Connection

In order to make sure that the connection test will work, you need to ensure that keycloak has the root CA of the LDAP server’s (Active Directory) chain in its trusted certificates.

  • Click Test Connection to verify that the connection is successful.

800

Configure Bind Type, DN, and Credentials

  • Set the following fields to enable authentication testing:

  • Bind Type: simple

  • Bind DN: Retrieve this value from Active Directory (see below).

  • Bind Credentials: Use the Active Directory admin password.

Retrieve Bind DN from Active Directory

  • Open the Active Directory Users and Computers tool.

  • Navigate to the ad.example.com domain dropdown.

  • Create a dedicated group for the users you wish to bind with CLM (if not already created).

  • Select a user from this group, go to Properties → Attribute Editor → distinguishedName, and copy the value.

  • Paste the copied value into the Bind DN field in Keycloak.

800

Test Authentication

  • Click Test Authentication to confirm that authentication is successful.

  • LDAP Search and Update Configuration

Proceed to the LDAP Searching and Updating section.

  • Keep the Edit Mode set to UNSYNCED.

  • Set the Users DN field to match the group of users you wish to import from Active Directory.

800
The Edit Mode option must always be set to UNSYNCED. UNSYNCED mode allows users to modify their profile information through MTG-CLM while maintaining integration with Active Directory. However, it’s important to note that changes made within MTG-CLM (or Keycloak) are stored in Keycloak and not synchronized back to Active Directory. While periodic synchronization from Active Directory to Keycloak will continue to work, any changes made in MTG-CLM may be overwritten during the next sync cycle. This may result in data discrepancies between the two systems. Make sure you are aware of this behavior and always monitor for potential inconsistencies between MTG-CLM and Active Directory user data.

Sync Users from Active Directory

  • Navigate to the Action dropdown in the top-right corner and select Sync all users.

400

Verification

  • Once the sync is complete, you can log in to the CLM application using any Active Directory user account that has been successfully synced with Keycloak.

Overview of Role Mapping

  • Keycloak groups can be mapped to Active Directory (AD) groups and vice versa.

  • Roles can be assigned to users and permissions can be granted to roles for better access control.

  • Preconfigured templates are available in the Mappers section for facilitating role mapping between AD and Keycloak.

Mapping Groups

  • To map an AD group to a Keycloak group, select Group Mappers. This allows you to synchronize an AD group of users with a corresponding Keycloak group.

800

Retrieve LDAP Group Distinguished Name (DN)

  • Open the Active Directory Users and Computers tool.

  • Navigate to the ad.example.com domain dropdown.

  • Select the group you wish to map, then go to Properties → Attribute Editor → distinguishedName.

  • Copy the value of the distinguishedName attribute.

Configure LDAP Groups in Keycloak

  • Paste the copied distinguished name into the LDAP Groups DN field in Keycloak.

800

Set Member-Of Attribute

  • Ensure the Member-Of LDAP Attribute is set to memberOf.

  • This ensures the mapping applies to all members of the specified group.

Save the Configuration

  • Click Save to confirm the changes.

  • A success message will appear in the top-right corner of the screen.

800

Sync LDAP Groups to Keycloak

  • Navigate to the Group Mappers section.

  • Click Action and then select Sync LDAP Groups to Keycloak.

800

Assign Roles to Groups

  • Navigate to the Groups section in Keycloak.

  • Select the group to which you want to assign a role.

  • Go to the Role Mapping tab.

Assign a Realm Role

  • Click Assign Role.

  • Select Filter by Realm Roles to display the available realm roles.

  • Choose a role, such as CLM_DEFAULT_REALM_ROLE_DEFAULT.

  • Click Assign to assign the selected role to the group

Completion

  • After assigning the realm role, all users in the mapped group will inherit the specified permissions and roles.

800