Would you like to learn how to configure the CyberArk LDAP authentication on Active directory? In this tutorial, we are going to show you how to authenticate CyberArk users using the Active directory database from Microsoft Windows and the LDAP protocol.

• CyberArk 11.1.0

CyberArk Related Tutorial:

On this page, we offer quick access to a list of tutorials related to CyberArk.

Tutorial - Windows Domain Controller Firewall

First, we need to create a Firewall rule on the Windows domain controller.

This firewall rule will allow the Cyberark server to query the Active directory database.

On the domain controller, open the application named Windows Firewall with Advanced Security

Create a new Inbound firewall rule.

zabbix active directory

Select the PORT option.

Select the TCP option.

Select the Specific local ports option.

Enter the TCP port 389.

zabbix windows firewall port ldap

Select the Allow the connection option.

zabbix windows firewall allow connection

Check the DOMAIN option.

Check the PRIVATE option.

Check the PUBLIC option.

Enter a description to the firewall rule.

windows firewall active directory

Congratulations, you have created the required firewall rule.

This rule will allow Cyberark to query the Active directory database.

Tutorial - Windows Domain Account Creation

Next, we need to create at least 2 accounts on the Active directory database.

The ADMIN account will be used to login on the Cyberark web interface.

The BIND account will be used to query the Active Directory database.

On the domain controller, open the application named: Active Directory Users and Computers

Create a new account inside the Users container.

Zabbix active directory account

Create a new account named: admin

Password configured to the ADMIN user: 123qwe..

This account will be used to authenticate as admin on the Cyberark web interface.

active directory admin accountzabbix active directory admin properties

Create a new account named: bind

Password configured to the BIND user: 123qwe..

This account will be used to query the passwords stored on the Active Directory database.

active directory bind accountzabbix active directory ldap bind properties

Congratulations, you have created the required Active Directory accounts.

Tutorial - Windows Domain Group Creation

Next, we need to create at least 4 group on the Active directory database.

On the domain controller, open the application named: Active Directory Users and Computers

Create a new group inside the Users container.

Radius Active directory group

Create a new group named: Cyberark Vault Admins

Members of this group will have the Admin permission on the Cyberark Vault using the web interface.

Cyberark Ldap Vault admins

Important! Add the admin user as a member of the Cyberark Vault Admins group.

Cyberark Vault admins members

Create a new group named: Cyberark Safe Managers

Cyberark Safe Managers

Create a new group named: Cyberark Auditors

Cyberark Auditors

Create a new group named: Cyberark Users

Cyberark Users

Congratulations, you have created the required Active Directory groups.

Tutorial CyberArk - LDAP Authentication on Active Directory

Open a browser software and access the Cyberark PVWA interface.

The Cyberark PVWA interface should be presented.

cyberark login

On the login screen, select the local authentication option.

cyberark login local

On the prompt screen, enter a Cyberark local administrator account.

After a successful login, you will be sent to the CybeArk Dashboard.

cyberark dashboard

On the bottom left, access the User provisioning tab and select the LDAP integration option.

cyberark ldap intergation menu

On the LDAP integration screen, click on the New domain button.

It will start a four step process to integrate a new LDAP domain.

First, enter the name of your LDAP domain and disable the SSL conection.

cyberark ldap configuration

Next, perform the following configuration.

• Bind User name - bind@tech.local
• Bind User Password - Password of the BIND user account
• Domain Base context = dc=tech,dc=local

You need to change the domain information to reflect your Network environment.

You need to change the bind credentials to reflect your Network environment.

cyberark ldap bind

Select the desired domain controller and click on the Connect button.

cyberark ldap authentication

On step 3 , you need to link the Cyberark roles to the desired Ldap groups.

• Vault Admins - Cyberark Vault Admins
• Safe Managers - Cyberark Safe Managers
• Auditors - Cyberark Auditors
• Users - Cyberark Users

cyberark ldap mapping

On the last step, take a look at the configuration summary and click on the Save Button.

In our example, we configured the Ldap server authentication on the Cyberark server.

Cyberark - Testing Active Directory Authentication

Open a browser software and access the Cyberark PVWA interface.

The Cyberark PVWA interface should be presented.

cyberark login

On the login screen, select the LDAP authentcication option.

cyberark login local

On the prompt screen, enter an Active directory account that is member of one of the following groups:

• Cyberark Vault Admins
• Cyberark Safe Managers
• Cyberark Auditors
• Cyberark Users

After a successful login, you will be sent to the CybeArk Dashboard.

cyberark dashboard

Congratulations! Your Cyberark LDAP server authentication on Active Directory was sucessfully configured.