LDAP

Connect your LDAP server to use Opal to manage and review access.

Want to set up Opal to manage access to your LDAP server? We have you covered.

Opal's integration with LDAP supports the following, and more:

  • Users can request time-bounded access to your LDAP groups.
  • Auditors can initiate access reviews that assign managers or group admins to periodically review users with long-lived access to LDAP groups.
  • Admins can add resources from other Opal integrations to an LDAP group so an LDAP group's members can automatically gain birthright access to, for example, a GitHub repo, AWS IAM role, etc.
  • All access changes are tracked in a permanent audit log that can be logged to a Slack channel or exported to your favorite tools.

Getting Started

Create an LDAP App

To get started, go to the Catalog page, click + App at the top right. Then, click on the LDAP tile.


You will see a form to complete. Opal needs the following connection details and credentials in order to manage access to your LDAP groups.

Step 1 - Configure an LDAP binder account for Opal

In order for Opal to manage your LDAP server on your behalf, create a dedicated LDAP service account on that server for Opal to bind as. In OpenLDAP terms, this account's DN is the bind DN; this page calls it the binder account. Grant it only the permissions Opal needs: at minimum, read access to the user and group entries under the base DN you will configure below, and write access to the membership attribute (member or uniqueMember) of the groups Opal should manage. Do not reuse the directory's rootdn or another administrative account for this purpose.

Step 2 - Fill out Opal form

Back in the Create App form, fill in details about your LDAP server and binder account:

  • Server hostname and Server port: the hostname and port of your LDAP server.
    • Please ensure your LDAP hostname is reachable from the instance that is hosting the Opal app.
    • A simple bind sends the binder account's password in the clear unless the connection is protected by TLS, so prefer an LDAPS port (commonly 636) over plain LDAP (389) where your server offers it.
  • Base distinguished name: the Distinguished Name (DN) under which Opal begins directory searches, typically the OU (or the directory suffix) that contains the users and groups Opal should see.
  • Root username and Root password: the credentials of the LDAP binder account that you created above. For OpenLDAP this is the account's DN, since simple binds authenticate by DN; despite the label, do not enter the directory's rootdn here.
  • Group attribute unique identifier: the name of the attribute that your LDAP server uses to uniquely identify groups. (Often, this is entryUUID.) In OpenLDAP, entryUUID is an operational attribute: every entry has one, but searches only return it when it is requested explicitly.

If this step is successful, you have completed setting up the LDAP server connection.
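The two steps above as a single worked example. This is an added POSIX shell helper, not Opal's own tooling: it prints the LDIF for the binder account entry and for a least-privilege OpenLDAP ACL that lets that account read the directory and write only the membership attributes of the groups Opal manages, and, when run from the Opal host, it verifies the values you will enter in the form (reachability of hostname and port, a successful bind, and a group search that requests entryUUID). The suffix dc=example,dc=com, the OUs, the account DN cn=opal,ou=service-accounts,..., the LDAPS URI and the olcDatabase={1}mdb entry are assumptions; adjust them to your directory.

```shell
#!/bin/sh
# Helper for the two setup steps above: create an OpenLDAP binder (bind DN) account for Opal
# with a least-privilege ACL, then verify the values you will enter in the Opal form.
# Added example, not Opal's own tooling. The suffix dc=example,dc=com, the OUs, the account DN,
# the LDAPS URI and the olcDatabase={1}mdb entry are assumptions; adjust them to your directory.
#
#   sh opal-ldap.sh ldif     # print LDIF for the account entry and for the ACL
#   sh opal-ldap.sh verify   # run on the Opal host: reachability, bind, group search

LDAP_URI="${LDAP_URI:-ldaps://ldap.example.com:636}"   # LDAPS: a simple bind is cleartext otherwise
BASE_DN="${BASE_DN:-dc=example,dc=com}"                 # "Base distinguished name" in the form
GROUPS_DN="${GROUPS_DN:-ou=groups,dc=example,dc=com}"   # subtree holding the groups Opal manages
BINDER_DN="${BINDER_DN:-cn=opal,ou=service-accounts,dc=example,dc=com}"   # "Root username"
DB_DN='olcDatabase={1}mdb,cn=config'                    # assumed cn=config database to modify
BINDER_CN=${BINDER_DN%%,*}; BINDER_CN=${BINDER_CN#cn=}  # "opal" from the DN's leading RDN

# Entry for the service account. Replace the userPassword value with the output of slappasswd;
# never put the cleartext password in the LDIF. Apply with: ldapadd -x -D <admin DN> -W -f entry.ldif
binder_entry_ldif() {
  cat <<EOF
dn: ${BINDER_DN}
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: ${BINDER_CN}
description: Opal binder account; writes membership of groups under ${GROUPS_DN}
userPassword: {SSHA}REPLACE_WITH_slappasswd_OUTPUT
EOF
}

# ACL granting the binder only what Opal needs: read under the base DN, write on the
# membership attributes of groups under GROUPS_DN. OpenLDAP applies the first matching
# "to" clause, so the userPassword rule must stay first. "replace" overwrites the
# database's existing olcAccess list: merge these rules into yours before applying with
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif
binder_acl_ldif() {
  cat <<EOF
dn: ${DB_DN}
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to dn.subtree="${GROUPS_DN}" attrs=member,uniqueMember
  by dn.exact="${BINDER_DN}" write
  by users read
olcAccess: {2}to dn.subtree="${BASE_DN}"
  by dn.exact="${BINDER_DN}" read
  by users read
EOF
}

# Run from the host that will run Opal, with the same values you enter in the form.
# ldapwhoami proves the hostname/port are reachable and the bind succeeds; ldapsearch
# proves the binder can read groups from the base DN. entryUUID is an operational
# attribute in OpenLDAP and is only returned when requested by name, hence the explicit list.
verify_connection() {
  pwfile=$(mktemp) || return 1
  chmod 600 "$pwfile"
  trap 'rm -f "$pwfile"' EXIT
  printf 'Bind password for %s: ' "$BINDER_DN" >&2
  stty -echo; IFS= read -r pw; stty echo; printf '\n' >&2
  printf '%s' "$pw" > "$pwfile"          # -y reads the file verbatim, so no trailing newline
  ldapwhoami -H "$LDAP_URI" -x -D "$BINDER_DN" -y "$pwfile" || return 1
  ldapsearch -H "$LDAP_URI" -x -D "$BINDER_DN" -y "$pwfile" -b "$BASE_DN" -LLL \
    '(|(objectClass=groupOfNames)(objectClass=groupOfUniqueNames))' entryUUID member uniqueMember
}

case "${1:-}" in
  ldif)   binder_entry_ldif; printf '\n'; binder_acl_ldif ;;
  verify) verify_connection ;;
  *)      echo "usage: $0 ldif|verify" >&2 ;;
esac
```

If `ldapwhoami` prints the binder DN and the search returns groups with an entryUUID on each, the form values are correct from the Opal host's point of view. If the search returns groups without entryUUID, the attribute is being filtered by an ACL; if it returns nothing, check that the base DN actually contains the groups subtree and that the binder has read access to it.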