Overview
LDAP Proxy Plugin
Download
The Ironchip LDAP Proxy service can be found in the Plugins section of Ironchip’s Location Based Authentication administration dashboard.
Installation
To install the LDAP Proxy, follow these steps:
- Move the downloaded executable file to a system folder suitable for running services.
- Call the executable with the “configuration” argument in order to generate the default configuration file:
  ldap-windows.exe configuration
- Once the configuration file has been set up (see the Configuration section), install the service as follows:
  ldap-windows.exe service install
- Once installed, the service can be started:
  ldap-windows.exe service start
Configuration
The configuration file can be modified at any time; for the changes to apply, restart the service:
ldap-windows.exe service restart
The configuration file has the following configurable properties:
- Path: The configuration path, defaulting to the /.json
- LDAP:
- server_address: the FQDN of the LDAP domain controller.
- server_port: the port of the LDAP domain controller.
- protected_group: the group name that is protected using Ironchip LBAuth.
- network: the communication scheme used by the client, currently only “tcp” is supported.
- base_dn: the base DN for the Proxy to be attached to.
- Proxy:
- server_address: the address on which the proxy will listen.
- server_port: the port on which the proxy will provide service.
- network: the communication scheme used by the proxy, currently only “tcp” is supported.
- Ironchip:
- ironchip_api_key: the API key generated for the Ironchip Service associated.
- ironchip_host: the address at which your assigned Ironchip environment is running, usually “https://api.ironchip.com”
An example configuration file:
{
  "ldap": {
    "server_address": "localhost",
    "server_port": 389,
    "tls_enable": false,
    "key_file": "",
    "cert_file": "",
    "time_out_seconds": 5,
    "network": "tcp",
    "base_dn": ""
  },
  "proxy": {
    "server_address": "0.0.0.0",
    "server_port": 4389,
    "tls_enable": false,
    "key_file": "",
    "cert_file": "",
    "protected_group": "",
    "time_out_seconds": 5,
    "network": "tcp"
  },
  "ironchip": {
    "ironchip_api_key": "",
    "ironchip_host": "https://api.ironchip.com"
  }
}
Monitoring
The running Ironchip LDAP Proxy registers its events in the Windows Event Viewer, under the source name “Ironchip LDAP Proxy”.
Uninstalling
In order to uninstall the service, use this command:
ldap-windows.exe service uninstall
User synchronization
In order to synchronize the users between the LDAP directory and Ironchip LBAuth, the proxy provides a tool; execute:
ldap-windows.exe sync-users -ldap-user <user-used-for-bind> -ironchip-user <ironchip admin with access to the dashboard>
Once the import has completed, all the users have been created in Ironchip.
User group synchronization
To synchronize the users belonging to a group, the sync-users command can be configured as follows:
ldap-windows.exe sync-users -ldap-user <user-used-for-bind> -ironchip-user <ironchip admin with access to the dashboard> --ldap-search-filter "(&(objectClass=person)(memberOf=<group full DN>))"
For example, if the user is in the “VPNAuthorized” group, whose DN is “CN=VPNAuthorized,DC=ironchip,DC=com”, the command would be:
ldap-windows.exe sync-users -ldap-user <user-used-for-bind> -ironchip-user <ironchip admin with access to the dashboard> --ldap-search-filter "(&(objectClass=person)(memberOf=CN=VPNAuthorized,DC=ironchip,DC=com))"
Note that the sync-users command also provides a “--ldap-search-dn” flag; it defaults to the base DN set in the configuration file but can be overridden by setting this flag appropriately.
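The sync-users filter above places a group DN directly inside an LDAP search filter, and the configuration template ships with several empty values. As an added example (not part of the Ironchip tool), this Python script reports the empty required fields and the cleartext tls_enable settings in a configuration, and builds the memberOf filter with RFC 4515 escaping so special characters in a group name cannot alter the query. The sample configuration is constructed here.

```python
import json
from typing import List

# Constructed sample configuration mirroring the page's template, partly
# filled in; not a real deployment.
SAMPLE_CONFIG = """
{
  "ldap": {"server_address": "dc01.example.local", "server_port": 389,
           "tls_enable": false, "time_out_seconds": 5, "network": "tcp",
           "base_dn": "DC=example,DC=local"},
  "proxy": {"server_address": "0.0.0.0", "server_port": 4389,
            "tls_enable": false, "protected_group": "VPNAuthorized",
            "time_out_seconds": 5, "network": "tcp"},
  "ironchip": {"ironchip_api_key": "", "ironchip_host": "https://api.ironchip.com"}
}
"""

# Properties the page documents that must not be left empty.
REQUIRED = [("ldap", "server_address"), ("ldap", "base_dn"),
            ("proxy", "protected_group"), ("ironchip", "ironchip_api_key")]


def check_config(cfg: dict) -> List[str]:
    """Return findings for a parsed configuration (empty list means clean)."""
    findings = []
    for section, key in REQUIRED:
        if not cfg.get(section, {}).get(key):
            findings.append(f"{section}.{key} is empty")
    for section in ("ldap", "proxy"):
        s = cfg.get(section, {})
        if s.get("network", "tcp") != "tcp":
            findings.append(f"{section}.network must be 'tcp'")
        if not s.get("tls_enable"):
            findings.append(f"{section}.tls_enable is false: binds cross the network in cleartext")
    return findings


def check_config_text(text: str) -> List[str]:
    return check_config(json.loads(text))


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def group_member_filter(group_dn: str) -> str:
    """Build the filter the page shows, with the DN escaped."""
    return f"(&(objectClass=person)(memberOf={escape_filter_value(group_dn)}))"


if __name__ == "__main__":
    for finding in check_config_text(SAMPLE_CONFIG):
        print("finding:", finding)
    print(group_member_filter("CN=VPNAuthorized,DC=ironchip,DC=com"))
```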
Protected groups
Protected groups generation
In order to create a protected group, create a new group by right-clicking on the domain controller and then selecting New → Group:
Create the group with a specific name:
The selected group name must match exactly with the “protected_group” configuration property in the LDAP Proxy configuration, check configuration section.
Once created, in order to add a user to the group, right-click the user and select Add to a group…
Then select the group to add the user to:
And click OK. The user is now protected with Ironchip.