Conjur-LDAP Integration

Hi,
I am trying to integrate Conjur with LDAP as per the CyberArk provided document (Link).

As per Step 4: Add groups into the LDAP authentication group, when I am trying to load the policy, I am getting the below mentioned error.
POLICY:

  - !grant
    role: !group my-ldap-server/clients
    member: !group /all-ldap-users

ERROR: Failed to execute command. Reason: 404 (404 (Not Found) for url: https://conjur-cluster.acme.corp/policies/acme/policy/conjur%2Fauthn-ldap. Error: {"error":{"code":"not_found","message":"Group 'all-ldap-users' not found in account 'acme'","target":"group","details":{"code":"not_found","target":"id","message":"acme:group:all-ldap-users"}}}) for url:

I couldn't find a reference to !group /all-ldap-users elsewhere in the document. Could anyone please explain how it is mapped to LDAP groups, and the resolution for the error? Thanks in advance!

Hi @Harman,

The group name “all-ldap-users” is simply a placeholder for any group or individual users you want to provide access to the LDAP authenticator. To quote the documentation a little lower down:

Change the group name to your aggregated group name for LDAP users. You could alternatively choose to add multiple member statements to include additional groups.

Please let us know if this helps.

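The 404 above is Conjur refusing a grant whose member does not exist yet: the authenticator policy refers to `/all-ldap-users`, but nothing in the account has declared that group. The following pre-load check, added here as an example and not part of the thread or of Conjur's tooling, walks a constructed policy set (keyed by the branch each file loads into, `""` for root), resolves relative and absolute ids the way Conjur does, and lists every role a `!grant` references that no policy declares. It handles only flat declarations and `role:`/`member:` lines, not nested `!policy` bodies; the branch names and file contents are constructed to mirror the question.

```python
"""Pre-load check: roles a Conjur policy grants to or references that no
policy in the set declares. Added example; the policy text is constructed."""
import re
from typing import Dict, List, Set, Tuple

# Constructed policy set, keyed by the branch each file is loaded into
# ("" is root). Mirrors the thread: the authn-ldap policy refers to
# /all-ldap-users, but no policy in the set declares that group.
POLICIES: Dict[str, str] = {
    "conjur/authn-ldap/my-ldap-server": "- !group clients\n",
    "conjur/authn-ldap": (
        "- !grant\n"
        "  role: !group my-ldap-server/clients\n"
        "  member: !group /all-ldap-users\n"
    ),
}

# Same set with the placeholder group actually declared at root.
FIXED_POLICIES: Dict[str, str] = {**POLICIES, "": "- !group all-ldap-users\n"}

# Subset of policy YAML handled here: top-level role declarations and the
# role/member lines of a !grant. Nested !policy bodies are out of scope.
DECL_RE = re.compile(r"^- !(group|user|host) (\S+)$")
REF_RE = re.compile(r"^\s+(?:role|member): !(group|user|host) (\S+)$")


def resolve(branch: str, ref: str) -> str:
    """Conjur id resolution: a leading '/' is absolute from root, otherwise
    the id is relative to the branch the policy is loaded into."""
    if ref.startswith("/"):
        return ref[1:]
    return f"{branch}/{ref}" if branch else ref


def declared_roles(policies: Dict[str, str]) -> Set[str]:
    """'<kind>:<full id>' for every role declaration in the set."""
    roles: Set[str] = set()
    for branch, text in policies.items():
        for line in text.splitlines():
            m = DECL_RE.match(line)
            if m:
                roles.add(f"{m.group(1)}:{resolve(branch, m.group(2))}")
    return roles


def referenced_roles(policies: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """(branch, line number, '<kind>:<full id>') for every grant role/member."""
    refs: List[Tuple[str, int, str]] = []
    for branch, text in policies.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            m = REF_RE.match(line)
            if m:
                refs.append((branch, lineno, f"{m.group(1)}:{resolve(branch, m.group(2))}"))
    return refs


def undefined_roles(policies: Dict[str, str], account: str = "acme") -> List[Tuple[str, str]]:
    """(fully qualified id, where it is referenced) for every role a grant
    names that nothing declares. Conjur rejects the load on the first of
    these with '<account>:<kind>:<id>' not found, as in the thread."""
    declared = declared_roles(policies)
    return [
        (f"{account}:{role}", f"{branch or 'root'} line {lineno}")
        for branch, lineno, role in referenced_roles(policies)
        if role not in declared
    ]


if __name__ == "__main__":
    for role_id, where in undefined_roles(POLICIES):
        print(f"undefined: {role_id} (referenced at {where})")
    print("after declaring the group:", undefined_roles(FIXED_POLICIES))
```

Running it against the first set reports `acme:group:all-ldap-users`, the same id the 404 names; declaring the group at root (or replacing the member with whatever aggregated group you already have) empties the list. The same check passes for a `!user /testuser@demo.lab` member once that user is declared at root.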

Hi, thanks for your response!
These are the steps I followed:
I tried creating a user in my AD, testuser@demo.lab, and created the same user under root in Conjur and loaded the policy:

  - !grant
    role: !group my-ldap-server/clients
    member: !user /testuser@demo.lab

After doing the necessary configurations, I am getting the below error in audit.json:

    user:testuser@demo.lab failed to login with authenticator authn-ldap service acme:webservice:conjur/authn-ldap/my-ldap-server: getaddrinfo: Name or service not known

Could you please assist with the same?

Hi @Harman,

I think the error message you’re getting might mean that Conjur can’t reach the LDAP server. Can you please post:

  1. The policy file you used to configure the LDAP authenticator
  2. Some information about your LDAP server and its network accessibility

This should help in troubleshooting.
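`getaddrinfo: Name or service not known` is the OS resolver failing on the LDAP host name before any LDAP traffic is sent, so the authenticator policy and the network path between Conjur and the directory are indeed the things to look at. The script below is an added example, not part of the thread or of Conjur: it classifies failure messages of the kind written to audit.json (the first sample mirrors the one quoted above; the others use generic OS socket error strings) and then repeats the two steps the LDAP client performs before a bind, name resolution and a TCP connect. The resolver and connector are injectable so the check runs offline here with constructed stand-ins; run it with the defaults from inside the Conjur container or host so it sees the same DNS and routes Conjur does. The host name `ldap.demo.lab` is assumed for illustration.

```python
"""Triage of LDAP authenticator login failures from Conjur's audit.json.
Added example; audit messages and host names below are constructed."""
import socket
from typing import Callable, List, Tuple

# Constructed audit messages: the first mirrors the thread, the rest carry
# generic OS socket error strings in the same position.
SAMPLE_AUDIT_MESSAGES: List[str] = [
    "user:testuser@demo.lab failed to login with authenticator authn-ldap service "
    "acme:webservice:conjur/authn-ldap/my-ldap-server: getaddrinfo: Name or service not known",
    "user:testuser@demo.lab failed to login with authenticator authn-ldap service "
    "acme:webservice:conjur/authn-ldap/my-ldap-server: Connection refused - connect(2)",
    "user:testuser@demo.lab failed to login with authenticator authn-ldap service "
    "acme:webservice:conjur/authn-ldap/my-ldap-server: Connection timed out",
]

# (substring, short code, what to check), first match wins.
CAUSES: List[Tuple[str, str, str]] = [
    ("getaddrinfo", "dns",
     "Conjur cannot resolve the LDAP host named in the authenticator's bind URI; "
     "verify the host name and the DNS available inside the Conjur container"),
    ("Connection refused", "port",
     "host resolves but nothing accepts on the LDAP port; verify the port and host firewall"),
    ("timed out", "network",
     "no path to the LDAP server; verify routing and firewall rules between Conjur and LDAP"),
]


def classify(message: str) -> Tuple[str, str]:
    """Map one audit failure message to (code, what to check)."""
    for needle, code, advice in CAUSES:
        if needle in message:
            return code, advice
    return "unknown", "inspect the LDAP server's own logs and the authenticator policy"


def triage(messages: List[str]) -> List[str]:
    """Distinct failure codes seen across a batch of messages, first-seen order."""
    seen: List[str] = []
    for code, _ in map(classify, messages):
        if code not in seen:
            seen.append(code)
    return seen


Resolver = Callable[[str, int], object]
Connector = Callable[[Tuple[str, int], float], object]


def check_ldap_endpoint(host: str, port: int = 389, *,
                        resolver: Resolver = socket.getaddrinfo,
                        connector: Connector = socket.create_connection,
                        timeout: float = 3.0) -> Tuple[str, str]:
    """Name resolution, then TCP connect: the two steps that precede an LDAP
    bind. Returns (code, detail) where code is 'dns', 'tcp' or 'ok'."""
    try:
        resolver(host, port)
    except OSError as exc:  # socket.gaierror is an OSError subclass
        return "dns", f"{host} does not resolve: {exc}"
    try:
        conn = connector((host, port), timeout)
    except OSError as exc:
        return "tcp", f"{host}:{port} resolves but TCP connect failed: {exc}"
    conn.close()
    return "ok", f"{host}:{port} accepts TCP; next step is an LDAP bind with the service account"


# Constructed stand-ins that reproduce the thread's environment offline.
def unresolvable(host: str, port: int) -> object:
    raise OSError(f"getaddrinfo: Name or service not known ({host})")


def refusing(address: Tuple[str, int], timeout: float) -> object:
    raise ConnectionRefusedError(f"Connection refused - connect(2) for {address}")


if __name__ == "__main__":
    print("failure classes in audit.json sample:", triage(SAMPLE_AUDIT_MESSAGES))
    print(check_ldap_endpoint("ldap.demo.lab", resolver=unresolvable))
    print(check_ldap_endpoint("ldap.demo.lab", resolver=lambda h, p: [], connector=refusing))
```

A `dns` result means the fix is on the name (typo in the bind URI, a short name with no search domain, or a container that cannot reach the resolver that knows the AD zone); only once the check reaches `ok` is it worth looking at the bind DN, credentials or TLS settings in the authenticator configuration.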