LDAP Edit

To update the configuration of your LDAP integration, follow these steps:

  1. Click the Admin link in the app header.

  2. Click the LDAP link in the Administration panel.

  3. Click the “pencil” icon on one of the following panels:

Connection

You can edit the following properties of the integration from the Connection panel:

State

Toggle the State button to “Disabled” to prevent Pro Custodibus from attempting to connect to your LDAP server (including for user logins); or “Enabled” to allow Pro Custodibus to connect.

Host

Enter the IP address of your LDAP server in the Host field. This must be the IP address from the perspective of the connection set up with Pro Custodibus.

Port

Enter the port number on which your LDAP server is listening, usually 389 when not using TLS, or 636 when using TLS, in the Port field.

Timeout

Enter the number of milliseconds that Pro Custodibus should wait for a response from your LDAP server before aborting a connection, like 2000, in the Timeout field. Usually this should be set to no more than about 5 seconds, so that if your LDAP server is unavailable, users who are attempting to log in can be presented an error message before too much time elapses.

Poll Interval

Enter the interval, in minutes, at which Pro Custodibus should poll your LDAP server to check for updates to hosts or users, like 10, in the Poll Interval field. Enter 0 to turn off polling.

Form Submit

Click the Update button to submit the form and apply your configuration changes.

Credentials

You can edit the following properties of the integration from the Credentials panel:

Login DN

Enter the DN of the LDAP account Pro Custodibus should use to connect to your LDAP server, like cn=procustodibus,ou=external,dc=example,dc=org, in the Login DN field. You may enter a value relative to the Base DN (like cn=procustodibus,ou=external if you configured the base DN to be dc=example,dc=org).

Login Password

Enter the corresponding password for the Login DN into the Login Password field.

Form Submit

Click the Update button to submit the form and apply your configuration changes.

Security

You can edit the following properties of the integration from the Security panel:

TLS

Toggle the TLS button to “Enabled” if you want Pro Custodibus to use TLS to connect to your LDAP server; or “Disabled” to not use TLS.

TLS CA

Paste your LDAP server’s CA (Certificate Authority) certificate PEM (the standard ASCII format for X.509 certificates, beginning with -----BEGIN CERTIFICATE-----) into the TLS CA field, if you want Pro Custodibus to verify your LDAP server’s certificate when establishing a TLS connection to it. If your server’s certificate is signed by an intermediate CA, paste in the full certificate chain, with the certificates separated by newlines and the root certificate at the bottom.
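The most common reasons a pasted CA bundle is rejected are mundane: a mistyped BEGIN/END line, Windows line endings, or a stray line between two certificates. The following script is an added example (not Pro Custodibus code) that checks the format of a bundle before you paste it and re-emits it in canonical PEM. It checks structure only: exact BEGIN/END lines, valid base64, and DER that starts with an ASN.1 SEQUENCE. It does not verify signatures or chain order, and the two "certificates" in its sample input are constructed DER stand-ins, not real certificates.

```python
"""Check a PEM certificate bundle before pasting it into the TLS CA field.

Added example, not Pro Custodibus code. It checks only the format of the text
(exact BEGIN/END lines, valid base64, DER beginning with a SEQUENCE) and
normalises line endings; it does not verify signatures or chain order.
"""
import base64

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def split_pem_chain(text):
    """Return the DER bytes of each certificate block, or raise ValueError."""
    certs, body, inside = [], [], False
    for lineno, line in enumerate(text.replace("\r\n", "\n").split("\n"), 1):
        line = line.strip()
        if not line:
            continue
        if line.startswith("----"):
            if not inside:
                if line != BEGIN:
                    raise ValueError(f"line {lineno}: expected {BEGIN!r}, got {line!r}")
                inside, body = True, []
            else:
                if line != END:
                    raise ValueError(f"line {lineno}: expected {END!r}, got {line!r}")
                try:
                    der = base64.b64decode("".join(body), validate=True)
                except ValueError as exc:
                    raise ValueError(f"certificate {len(certs) + 1}: bad base64") from exc
                if not der or der[0] != 0x30:  # a DER certificate is an ASN.1 SEQUENCE
                    raise ValueError(f"certificate {len(certs) + 1}: not DER")
                certs.append(der)
                inside = False
        elif inside:
            body.append(line)
        else:
            raise ValueError(f"line {lineno}: text outside a certificate block")
    if inside:
        raise ValueError("unterminated certificate block")
    if not certs:
        raise ValueError("no certificates found")
    return certs


def check_pem_chain(text):
    """Return (certificate_count, None) on success or (0, error_message)."""
    try:
        return len(split_pem_chain(text)), None
    except ValueError as exc:
        return 0, str(exc)


def normalize_pem_chain(text):
    """Re-emit the chain with LF line endings and 64-column base64, ready to paste."""
    blocks = []
    for der in split_pem_chain(text):
        b64 = base64.b64encode(der).decode()
        wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        blocks.append(f"{BEGIN}\n{wrapped}\n{END}")
    return "\n".join(blocks) + "\n"


# Constructed stand-ins: minimal DER SEQUENCEs, not real certificates.
FAKE_DER_LEAF = b"\x30\x03\x02\x01\x01"
FAKE_DER_ROOT = b"\x30\x03\x02\x01\x02"
SAMPLE_BUNDLE = (
    f"{BEGIN}\r\n{base64.b64encode(FAKE_DER_LEAF).decode()}\r\n{END}\r\n"  # CRLF, as pasted from Windows
    f"{BEGIN}\n{base64.b64encode(FAKE_DER_ROOT).decode()}\n{END}\n"
)

if __name__ == "__main__":
    print(check_pem_chain(SAMPLE_BUNDLE))
    print(normalize_pem_chain(SAMPLE_BUNDLE))
```

To confirm the chain order (server CA first, root at the bottom) once the format is clean, print each block's subject and issuer with the standard openssl CLI (`openssl x509 -noout -subject -issuer -in cert.pem`, one certificate per file); each certificate's issuer should be the subject of the one below it.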

TLS Hostname

If you supplied the TLS CA certificate, enter the hostname used in the LDAP server’s own TLS certificate (via its “Subject” or “Subject Alternative Name” field), like ldap.example.org, in the TLS Hostname field.

Form Submit

Click the Update button to submit the form and apply your configuration changes.

Failover

You can edit the following properties of the integration from the Failover panel:

Failover Host

Enter the IP address of your secondary LDAP server into the Failover Host field, if you want Pro Custodibus to try it when the primary is unavailable. This must be the IP address from the perspective of the WireGuard connection set up with Pro Custodibus.

Failover TLS Hostname

If you supplied the TLS CA certificate, enter the hostname used in the secondary LDAP server’s own TLS certificate (via its “Subject” or “Subject Alternative Name” field), like ldap2.example.org, in the Failover TLS Hostname field, if it differs from the primary’s.

Failover Timeout

Enter the number of milliseconds that Pro Custodibus should wait for the primary before trying your secondary LDAP server, like 500, in the Failover Timeout field.

Form Submit

Click the Update button to submit the form and apply your configuration changes.

Queries

You can edit the following properties of the integration from the Queries panel:

Base DN

Enter the base DN to use to connect to and query your LDAP server, like dc=example,dc=org, in the Base DN field.

Admins Group DN

If you want to grant a group of LDAP users full admin privileges to Pro Custodibus, enter the DN of the group, like cn=admins,ou=groups,dc=example,dc=org, in the Admins Group DN field. You may enter a value relative to the Base DN (like cn=admins,ou=groups if you configured the base DN to be dc=example,dc=org).

Auditors Group DN

If you want to grant a group of LDAP users full auditor privileges with Pro Custodibus (i.e. read-only access to everything), enter the DN of the group, like cn=auditors,ou=groups,dc=example,dc=org, in the Auditors Group DN field. You may enter a value relative to the Base DN (like cn=auditors,ou=groups if you configured the base DN to be dc=example,dc=org).

Users Group DN

Enter the DN for the group on your LDAP server that contains all the regular users you want to synchronize with Pro Custodibus, like cn=everybody,ou=groups,dc=example,dc=org, in the Users Group DN field. You may enter a value relative to the Base DN (like cn=everybody,ou=groups if you configured the base DN to be dc=example,dc=org).

Form Submit

Click the Update button to submit the form and apply your configuration changes.

Attributes

You can edit the following properties of the integration from the User Attributes panel:

Member Of Attribute

Enter the name of the attribute that your LDAP server uses to reference groups from a member entity, like memberOf, in the Member Of Attribute field.

Display Name Attribute

Enter the name of the attribute that your LDAP server uses for a user’s display name, like cn, in the Display Name Attribute field.

Login Name Attribute

If you want users to be able to log into Pro Custodibus with their LDAP login name, enter the name of the attribute that your LDAP server uses for a user’s login name, like uid, in the Login Name Attribute field.

Email Attribute

If you want users to be able to log into Pro Custodibus with their LDAP email address, enter the name of the attribute that your LDAP server uses for a user’s email address, like mail, in the Email Attribute field.

User Account Control Attribute

Enter the name of the attribute that your LDAP server uses for a user’s account flags, like userAccountControl, in the User Account Control Attribute field, in order for Pro Custodibus to deactivate user accounts that have been marked as disabled in your LDAP system.

Form Submit

Click the Update button to submit the form and apply your configuration changes.

Networks

You can add groups of hosts or additional groups of WireGuard interfaces to the integration via the Device Networks panel. Click the “plus” icon to add a new group; or click the interface name for a group to edit it. On the resulting page, configure the following properties:

Name

Enter the name of the WireGuard interface that Pro Custodibus will create (or update) on each host in the group, like wg0, in the Name field. While this name doesn’t have to be unique among configured networks, make sure it is unique among all other network interfaces on all of the hosts in the group.

As this name will be used on each host to identify the WireGuard interface, it must be less than 16 characters, and must consist of only ASCII letters, numbers, dot (“.”), dash (“-”), and underscore (“_”) characters.
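Because the name is applied on every host in the group, it is worth checking it against both the character rules above and the interfaces that already exist on those hosts before submitting the form. The following is an added example (not Pro Custodibus code): it applies the stated constraints, and its uniqueness check takes a constructed inventory of each host’s existing interface names (what `ip link` would report) as input.

```python
"""Check a device network Name before it becomes a WireGuard interface name on every host.

Added example, not Pro Custodibus code. Applies the constraints stated on the page:
fewer than 16 characters, and only ASCII letters, digits, ".", "-" and "_".
"""
import re

IFNAME_MAX_LEN = 15  # "less than 16 characters": the kernel's IFNAMSIZ is 16 including the NUL
IFNAME_RE = re.compile(r"^[A-Za-z0-9._-]+$")


def check_interface_name(name):
    """Return (ok, reason); reason is None when the name is acceptable."""
    if not name:
        return False, "name is empty"
    if len(name) > IFNAME_MAX_LEN:
        return False, f"{len(name)} characters; at most {IFNAME_MAX_LEN} allowed"
    if not name.isascii():
        return False, "non-ASCII character"
    if not IFNAME_RE.match(name):
        return False, "only letters, digits, '.', '-' and '_' are allowed"
    return True, None


def hosts_with_conflict(name, host_interfaces):
    """Hosts on which `name` is already taken by another network interface.

    host_interfaces maps each host in the group to its existing interface names.
    """
    return sorted(host for host, ifaces in host_interfaces.items() if name in ifaces)


# Constructed inventory of interfaces already present on the hosts in a group.
HOST_INTERFACES = {
    "hub": ["lo", "eth0", "wg0"],
    "laptop": ["lo", "wlan0"],
    "phone": ["lo", "wlan0", "wg0"],
}

if __name__ == "__main__":
    for candidate in ("wg0", "wg1", "wg 0", "a" * 16):
        print(candidate, check_interface_name(candidate), hosts_with_conflict(candidate, HOST_INTERFACES))
```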

Description

Enter a short description of the network for your own reference, like “VPN access for remote users”, in the Description field.

Group DN

Enter the DN for the group on your LDAP server that contains the hosts or interfaces to be used for this network, like cn=WireGuardHosts,ou=hosts,dc=example,dc=org, in the Group DN field. You may enter a value relative to the Base DN (like cn=WireGuardHosts,ou=hosts if you configured the base DN to be dc=example,dc=org).
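The Login DN, the Admins, Auditors and Users Group DN fields, and this Group DN field all accept a value relative to the Base DN. The following is an added example (not Pro Custodibus code) of how such a value resolves to an absolute DN; it assumes that a value which already ends with the Base DN is absolute and that anything else is relative, comparing RDNs case-insensitively and ignoring whitespace around them.

```python
"""Resolve a DN that may have been entered relative to the Base DN.

Added example, not Pro Custodibus code. Assumes "relative" means the value lacks
the Base DN suffix; a value already ending with the Base DN is left as entered.
"""
import re

BASE_DN = "dc=example,dc=org"  # the value of the Base DN field in the page's examples


def split_rdns(dn):
    """Split a DN into (type, value) pairs on commas that are not backslash-escaped."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        part = part.strip()
        if part:
            attr_type, _, value = part.partition("=")
            rdns.append((attr_type.strip().lower(), value.strip().lower()))
    return rdns


def is_under_base(dn, base_dn=BASE_DN):
    """True if dn already ends with base_dn, i.e. it is absolute."""
    rdns, base = split_rdns(dn), split_rdns(base_dn)
    return len(rdns) >= len(base) and rdns[-len(base):] == base


def resolve_dn(value, base_dn=BASE_DN):
    """Return the absolute DN for a field value that may be relative to base_dn."""
    value = value.strip()
    if not value:
        return ""  # an empty field is treated as unset
    if is_under_base(value, base_dn):
        return value
    # Anything not under the Base DN is treated as relative and gets the suffix appended.
    # A DN from a different tree (e.g. ending in dc=example,dc=net) therefore resolves to
    # something that does not exist, which is worth checking for before submitting.
    return f"{value},{base_dn}"


if __name__ == "__main__":
    for entered in ("cn=procustodibus,ou=external", "cn=admins,ou=groups,dc=example,dc=org",
                    "CN=WireGuardHosts, OU=Hosts, DC=Example, DC=Org"):
        print(f"{entered!r} -> {resolve_dn(entered)!r}")
```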

Pro Custodibus will automatically generate a host record and WireGuard interface in its own database for each entity in the group. The Pro Custodibus agent will synchronize interface settings from your LDAP store to each host where the agent is running. If you want to manage more than one WireGuard interface on some hosts, do the following:

  1. Define a separate entity in your LDAP store for each additional interface.

  2. Connect each interface entity to its host entity via an Owner Attribute on the interface.

  3. Define one or more LDAP groups for the additional interfaces, and add each interface entity to at least one of these groups.

  4. Add a device network in Pro Custodibus for each group from the previous step.

Display Name Attribute

Enter the name of the attribute that your LDAP server uses for the display name of the members in this group, like cn, in the Display Name Attribute field.

Owner Attribute

Enter the name of the attribute that your LDAP server uses to indicate the owner of each group member, like owner, in the Owner Attribute field. The owner value of a host should be the DN of the user who has the authority to update WireGuard interfaces on the host (if the host has multiple such users, each individual user should be specified as an owner). If no users have this authority (or if all are also Pro Custodibus admins), the host need not have an owner.

The owner value of an interface should be the DN of the host entity.
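As an added example of the four steps above and of the two meanings of the Owner Attribute, here is constructed LDIF for one host with two WireGuard interfaces. It is not data from the Pro Custodibus project: the structural classes (inetOrgPerson, device, ipHost, groupOfNames) are standard LDAP schema, but the x-wgInterface object class, the x-wg-* attributes and the ou=interfaces container are assumptions you would have to define in your own directory, and the key values are placeholders.

```ldif
# Constructed example data, not from the Pro Custodibus project.
# Assumption: x-wgInterface and the x-wg-* attributes come from a custom schema.

# A user with authority to update WireGuard interfaces on the host below.
dn: cn=jane,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
cn: jane
sn: Doe
uid: jane
mail: jane@example.org

# The host entity carries its first WireGuard interface (device network "wg0").
# Its owner is the user who may update its interfaces.
dn: cn=hub,ou=hosts,dc=example,dc=org
objectClass: device
objectClass: ipHost
objectClass: x-wgInterface
cn: hub
owner: cn=jane,ou=people,dc=example,dc=org
ipHostNumber: 10.0.0.1/24
x-wg-publicKey: HUB_WG0_PUBLIC_KEY_PLACEHOLDER
x-wg-endpoint: vpn.example.org:51820
x-wg-routes: 10.0.0.0/24
x-wg-routes: 192.168.1.0/24

# Step 1 and 2: a separate entity for the host's second interface ("wg1"),
# whose owner is the host entity itself.
dn: cn=hub-wg1,ou=interfaces,dc=example,dc=org
objectClass: device
objectClass: ipHost
objectClass: x-wgInterface
cn: hub-wg1
owner: cn=hub,ou=hosts,dc=example,dc=org
ipHostNumber: 10.1.0.1/24
x-wg-publicKey: HUB_WG1_PUBLIC_KEY_PLACEHOLDER
x-wg-endpoint: vpn.example.org:51821

# Group DN for the device network named wg0.
dn: cn=WireGuardHosts,ou=hosts,dc=example,dc=org
objectClass: groupOfNames
cn: WireGuardHosts
member: cn=hub,ou=hosts,dc=example,dc=org

# Step 3: a group for the additional interfaces; step 4 is a second device
# network named wg1 whose Group DN is this group.
dn: cn=WireGuardExtraInterfaces,ou=hosts,dc=example,dc=org
objectClass: groupOfNames
cn: WireGuardExtraInterfaces
member: cn=hub-wg1,ou=interfaces,dc=example,dc=org
```

With this data, the wg0 device network would use cn=WireGuardHosts,ou=hosts as its Group DN and the wg1 network cn=WireGuardExtraInterfaces,ou=hosts, both with owner as the Owner Attribute and the x-wg-* names in the matching attribute fields.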

Private Key Attribute

Enter the name of the attribute that your LDAP server uses to store the private key of each WireGuard interface, like x-wg-privateKey, in the Private Key Attribute field. In order for Pro Custodibus to manage an interface for a host, either this or the Public Key Attribute must be specified.

Public Key Attribute

Enter the name of the attribute that your LDAP server uses to store the public key of each WireGuard interface, like x-wg-publicKey, in the Public Key Attribute field. In order for Pro Custodibus to manage an interface for a host, either this or the Private Key Attribute must be specified.

Address Attribute

Enter the name of the attribute that your LDAP server uses to store the IP address of each WireGuard interface, like ipHostNumber, in the Address Attribute field. Each WireGuard interface in a WireGuard network should have a unique IP address (and it should differ from the addresses the interface’s host uses for any of its other network interfaces).

Port Attribute

Enter the name of the attribute that your LDAP server uses to store the listen port of each WireGuard interface, like x-wg-port, in the Port Attribute field. If no port is specified for an interface, WireGuard will select an ephemeral port on the host to listen on at random each time it starts up.

Endpoint Attribute

Enter the name of the attribute that your LDAP server uses to store the endpoint address and port that other peers of each interface will use to connect to it, like x-wg-endpoint, in the Endpoint Attribute field.

For example, for a central VPN hub to which other hosts connect remotely over the Internet on UDP port 51820, the value of this endpoint attribute might be vpn.example.org:51820. The value of this endpoint attribute for the other hosts that connect to the central hub could be blank (if no other hosts in the WireGuard network need to initiate connections to them).

Routes Attribute

Enter the name of the attribute that your LDAP server uses to store the routes that each interface provides to the peers that connect to it, like x-wg-routes, in the Routes Attribute field.

For example, for a central VPN hub to which other hosts connect remotely, this routes attribute might have two values: 10.0.0.0/24 and 192.168.1.0/24, allowing the hub’s WireGuard peers to connect to other peers through it, as well as to the hub’s LAN. The value of this routes attribute on the other hosts that connect to the central hub could just be each host’s own WireGuard address (or blank).

If blank, Pro Custodibus will use the WireGuard interface’s own address as the sole route provided to peers of the interface. If the interface’s own address includes a netmask (like 10.0.0.123/24), Pro Custodibus will use the full network specified by the netmask (like 10.0.0.0/24 for an address of 10.0.0.123/24) as the route provided to the interface’s peers.

Peers Attribute

Enter the name of the attribute your LDAP server uses to store the peers of each interface, like x-wg-peersOf, in the Peers Attribute field. Peers only need to be specified on one side of each connection.

If a peer is represented as a host or interface entity in your LDAP store, specify the host or interface’s DN as the value for this field. If a peer is not represented in your LDAP store, you may specify its public key instead. Use multiple values for this attribute to represent multiple peers.
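The Address, Endpoint, Routes and Peers attributes together determine what ends up in each interface’s [Peer] sections. The following is an added example (not Pro Custodibus code) that derives those sections from constructed stand-ins for LDAP entries, using the attribute names this page gives as examples. It applies the rules stated above for blank routes (own address, or the whole network when the address carries a netmask) and for one-sided peer lists; the page does not say how a DN is told apart from a public key in the Peers attribute, so is_public_key() is an assumption. It also flags the pitfall the netmask rule creates: a spoke whose address is 10.0.0.123/24 with blank routes offers the whole 10.0.0.0/24 to the hub.

```python
"""Derive [Peer] settings from LDAP-style WireGuard interface entries.

Added example, not Pro Custodibus code. ENTRIES are constructed stand-ins for LDAP
entries; the key values are constructed and not real keys. is_public_key() is an
assumption about how a DN is distinguished from a public key in the Peers attribute.
"""
import base64
import ipaddress


def fake_key(n):
    """Constructed 32-byte value encoded like a WireGuard key; not a real key."""
    return base64.b64encode(bytes([n]) * 32).decode()


HUB = "cn=hub,ou=hosts,dc=example,dc=org"
LAPTOP = "cn=laptop,ou=hosts,dc=example,dc=org"
PHONE = "cn=phone,ou=hosts,dc=example,dc=org"
EXTERNAL_KEY = fake_key(9)  # a peer that has no entry in the directory

ENTRIES = {
    HUB: {"ipHostNumber": ["10.0.0.1/24"], "x-wg-publicKey": [fake_key(1)],
          "x-wg-endpoint": ["vpn.example.org:51820"],
          "x-wg-routes": ["10.0.0.0/24", "192.168.1.0/24"], "x-wg-peersOf": []},
    LAPTOP: {"ipHostNumber": ["10.0.0.123/24"], "x-wg-publicKey": [fake_key(2)],
             "x-wg-endpoint": [], "x-wg-routes": [], "x-wg-peersOf": [HUB]},
    PHONE: {"ipHostNumber": ["10.0.0.124"], "x-wg-publicKey": [fake_key(3)],
            "x-wg-endpoint": [], "x-wg-routes": [], "x-wg-peersOf": [HUB, EXTERNAL_KEY]},
}


def is_public_key(value):
    """Assumption: a value that is base64 of exactly 32 bytes is a key; anything else is a DN."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:
        return False


def routes_for(dn):
    """Routes an interface provides to its peers (the AllowedIPs those peers use for it)."""
    entry = ENTRIES[dn]
    if entry["x-wg-routes"]:
        return [str(ipaddress.ip_network(r, strict=False)) for r in entry["x-wg-routes"]]
    # Blank: the interface's own address; if it carries a netmask, the whole network.
    return [str(ipaddress.ip_interface(entry["ipHostNumber"][0]).network)]


def peer_map():
    """Peers need only be listed on one side, so make the relation symmetric."""
    peers = {dn: [] for dn in ENTRIES}
    for dn, entry in ENTRIES.items():
        for ref in entry["x-wg-peersOf"]:
            if ref not in peers[dn]:
                peers[dn].append(ref)
            if ref in ENTRIES and dn not in peers[ref]:
                peers[ref].append(dn)
    return peers


def peer_config(dn):
    """One dict per [Peer] section of the interface at dn."""
    sections = []
    for ref in peer_map()[dn]:
        if ref in ENTRIES:
            peer = ENTRIES[ref]
            sections.append({
                "PublicKey": peer["x-wg-publicKey"][0],
                "Endpoint": peer["x-wg-endpoint"][0] if peer["x-wg-endpoint"] else None,
                "AllowedIPs": routes_for(ref),
            })
        elif is_public_key(ref):
            # Not in the directory: only the key is known. The page does not say where
            # such a peer's routes come from, so none are emitted here.
            sections.append({"PublicKey": ref, "Endpoint": None, "AllowedIPs": []})
        else:
            raise ValueError(f"{dn}: peer {ref!r} is neither a known DN nor a public key")
    return sections


def overlapping_allowed_ips(dn):
    """Pairs of dn's peers whose AllowedIPs overlap: a sign a spoke claims more than itself."""
    refs = [r for r in peer_map()[dn] if r in ENTRIES]
    found = []
    for i, a in enumerate(refs):
        for b in refs[i + 1:]:
            if any(ipaddress.ip_network(x).overlaps(ipaddress.ip_network(y))
                   for x in routes_for(a) for y in routes_for(b)):
                found.append((a, b))
    return found


if __name__ == "__main__":
    for dn in ENTRIES:
        print(dn, peer_config(dn), overlapping_allowed_ips(dn))
```

On the hub, the laptop’s blank routes expand to 10.0.0.0/24 while the phone (address without a netmask) gets 10.0.0.124/32, which overlapping_allowed_ips(HUB) reports. Giving spokes a host-only address, or explicit routes equal to their own address, avoids this.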

Form Submit

Click the Add or Update button to submit the form and apply your configuration changes. Click the “trashcan” icon to delete the network definition.

Next Steps

Check the polling status.