Integrate with OpenLDAP

Prisma Cloud can integrate with OpenLDAP, an open source implementation of the Lightweight Directory Access Protocol.
Integrating Prisma Cloud with OpenLDAP lets users access Prisma Cloud using their LDAP credentials, and lets admins define granular access control rules to Docker Engine or Kubernetes using existing LDAP identities.
With OpenLDAP integration, you can:
  • Re-use the identities and groups already set up in your OpenLDAP directory.
  • Extend your organization’s access control logic to the management of Docker containers.
For example, you could specify that only members of the group Dev Ops Admins can start and stop containers in the production environment. For more information, see the article for setting up role-based access control for Docker Engine.

Integrating OpenLDAP

This procedure shows you how to integrate OpenLDAP with Prisma Cloud.
Prerequisites:
  • You have installed OpenLDAP 2.4.44 or later. Prisma Cloud has been tested with version 2.4.44. Integration with older versions should work as well, but isn’t officially supported.
  1. In your LDAP directory, create a service account that has admin privileges and that can run ldapsearch queries.
    This admin account will be used by Prisma Cloud to authenticate users in your LDAP directory. It should be able to control the entire domain, and should therefore be created under the root OU.
  2. Verify that the service account can query your LDAP directory.
    Run ldapsearch, passing it the credentials for your service account, and query your directory for a user:
    $ ldapsearch -x \
        -b dc=example,dc=com \
        -D "cn=<SA-CN>,dc=example,dc=com" \
        -w <SA-PASS> "(cn=<some-user-cn>)"
    Where:
    • <SA-CN>: Common name for the Prisma Cloud service account.
    • <SA-PASS>: Password for the Prisma Cloud service account.
    • <some-user-cn>: Common name for a user in your LDAP directory.
  3. Open Console, and go to Manage > Authentication > Identity Providers > LDAP.
  4. Set Integrate LDAP users and groups with Prisma Cloud to Enabled.
  5. For Authentication type, select OpenLDAP.
  6. For Path to LDAP service, enter the LDAP server and port number in the following format:
    For secure connections over TLS: ldaps://<server-dns>:<port-number>
    For insecure connections: ldap://<server-dns>:<port-number>
  7. For Search base, enter the base DN for your users and groups.
  8. (OPTIONAL) For User identifier, specify an attribute to be used to match users.
    For example, enter uid to match users based on their user IDs.
  9. For Service account UPN, enter the DN for your Prisma Cloud service account.
  10. For Service account password, enter the password for the Prisma Cloud service account.