LastPass Universal Proxy LDAPS configuration using command line

    Before you begin:
    Note: Requirements for the configuration process:
    • Microsoft Windows operating system
    • Windows PowerShell 3.0 or higher
    Note: This feature requires an account with the LastPass Business + Advanced MFA add-on. How do I upgrade my LastPass Business account with an add-on?
    Note: To configure Universal Proxy for LDAPS you must have valid certificates in PEM format.
    1. Configure the following parameters. Available selections are in brackets, and default selections are in parentheses.

      Select the protocol [LDAP, LDAPS, RADIUS]:
      LDAPS
      Select the challenge mode [LP, PLP, SFA]:
      Enter the server mode of the Universal Proxy.

      For more information on server modes, see Server Modes.

    2. Configure the LDAP server setup.
      • LastPass MFA Authentication [LP]
        Enter the LDAP server type [auto, ms, openldap] (auto):
        The default LDAP server type is auto, which determines the LDAP server type based on the operating system. Setting this value to ms means that Active Directory attributes will be used, whereas setting this value to openldap means that OpenLDAP attributes will be used.
        Enter the listening port of the Universal Proxy (636):
        The default value is 636. This is the port on which the Universal Proxy listens for incoming requests. This value can be changed.
        Enter the name of your company:
        The company name that appears in the end users' MFA application when they receive a push notification from your system.
        Enter the CLS integration key:
        The LastPass CLS integration key that you retrieved from the LastPass new Admin Console. For more information, see How do I find the integration key?.
        Enter the CLS integration secret:
        The LastPass CLS integration secret that you retrieved from the LastPass new Admin Console. For more information, see How do I find the integration key?.
        Enter the distinguished name of the LDAP admin user:
        The distinguished name of the LDAP administrator, in the following format: CN=admin,CN=Users,DC=example,DC=com.
        Enter the admin password:
        The password of the LDAP administrator.
        Enter SSL certificate file path:
        The path to the SSL server certificate. The certificate should be in PEM format.
        Enter SSL private key file path:
        The private key of the SSL certificate. The key should be in PEM format.
        Note: If your private key is password-protected, remove the password protection before adding it.

      • LastPass MFA or password authentication [PLP]
        Enter the LDAP server type [auto, ms, openldap] (auto):
        The default LDAP server type is auto, which determines the LDAP server type based on the operating system. Setting this value to ms means that Active Directory attributes will be used, whereas setting this value to openldap means that OpenLDAP attributes will be used.
        Enter the listening port of the Universal Proxy (636):
        The default value is 636. This is the port on which the Universal Proxy listens for incoming requests. This value can be changed.
        Enter the name of your company:
        The company name that appears in the end users' MFA application when they receive a push notification from your system.
        Enter the CLS integration key:
        The LastPass CLS integration key that you retrieved from the LastPass new Admin Console. For more information, see How do I find the integration key?.
        Enter the CLS integration secret:
        The LastPass CLS integration secret that you retrieved from the LastPass new Admin Console. For more information, see How do I find the integration key?.
        Enter the LDAP server IP address:
        The IP address or a DNS name of your Active Directory server.
        Enter the LDAP server port (636):
        This is the port on which the Active Directory server listens for incoming requests.
        Enter the distinguished name of the LDAP admin user:
        The distinguished name of the LDAP administrator, in the following format: CN=admin,CN=Users,DC=example,DC=com.
        Enter SSL certificate file path:
        The path to the SSL server certificate. The certificate should be in PEM format.
        Enter SSL private key file path:
        The private key of the SSL certificate. The key should be in PEM format.
        Note: If your private key is password-protected, remove the password protection before adding it.

        Enter SSL CA certificate file path:
        The path to the CA's certificate. This is the certificate of the CA that issued your AD server's SSL certificate. The certificate should be in PEM format. A single file can contain multiple CA certificates.
        Note: This field is mandatory.
      • Both LastPass MFA and password authentication [SFA]
        Enter the LDAP server type [auto, ms, openldap] (auto):
        The default LDAP server type is auto, which determines the LDAP server type based on the operating system. Setting this value to ms means that Active Directory attributes will be used, whereas setting this value to openldap means that OpenLDAP attributes will be used.
        Enter the listening port of the Universal Proxy (636):
        The default value is 636. This is the port on which the Universal Proxy listens for incoming requests. This value can be changed.
        Enter the name of your company:
        The company name that appears in the end users' MFA application when they receive a push notification from your system.
        Enter the CLS integration key:
        The LastPass CLS integration key that you retrieved from the LastPass new Admin Console. For more information, see How do I find the integration key?.
        Enter the CLS integration secret:
        The LastPass CLS integration secret that you retrieved from the LastPass new Admin Console. For more information, see How do I find the integration key?.
        Enter the LDAP server IP address:
        The IP address or a DNS name of your Active Directory server.
        Enter the LDAP server port (636):
        This is the port on which the Active Directory server listens for incoming requests.
        Enter the distinguished name of the LDAP admin user:
        The distinguished name of the LDAP administrator, in the following format: CN=admin,CN=Users,DC=example,DC=com.
        Enter SSL certificate file path:
        The path to the SSL server certificate. The certificate should be in PEM format.
        Enter SSL private key file path:
        The private key of the SSL certificate. The key should be in PEM format.
        Note: If your private key is password-protected, remove the password protection before adding it.

        Enter SSL CA certificate file path:
        The path to the CA's certificate. This is the certificate of the CA that issued your AD server's SSL certificate. The certificate should be in PEM format. A single file can contain multiple CA certificates.
        Note: This field is mandatory.
    3. Once configured, you must restart the Windows service for the LastPass Universal Proxy as follows:

      Open PowerShell and execute the following command:

      uproxy -restart
      Important: You can check the service status in the following ways:
      • In the Services window, the Status of LastPass Universal Proxy must be listed as Running, and the Startup Type should be listed as Automatic. If the server reboots, the LastPass Universal Proxy service starts automatically.
      • In the Task Manager window under the Services tab, the Status of Universal Proxy must be listed as Running.
      • Open PowerShell and execute the following command:

        uproxy -status
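      The following PowerShell script is an added example, not part of this help file or of the Universal Proxy product: it checks the certificate inputs from step 2 (PEM format, an unencrypted private key, a CA bundle that may hold several certificates) and the service state expected after step 3 (Running, Startup Type Automatic, listening on port 636). The file paths and the service display name are assumptions; the CA bundle check applies to the PLP and SFA modes.

```powershell
# Added example (not from the LastPass help file). Paths and service name are assumptions.
param(
    [string]$CertPath    = 'C:\uproxy\certs\server.crt.pem',  # assumed path to server cert (PEM)
    [string]$KeyPath     = 'C:\uproxy\certs\server.key.pem',  # assumed path to private key (PEM)
    [string]$CaPath      = 'C:\uproxy\certs\ca-chain.pem',    # assumed path to CA bundle (PLP/SFA)
    [int]$ListenPort     = 636,                               # default listening port from the guide
    [string]$ServiceName = 'LastPass Universal Proxy'         # service display name from the guide
)
$failures = @()

# 1. Server certificate: must be PEM and still valid.
$certText = Get-Content -Raw $CertPath
if ($certText -notmatch '-----BEGIN CERTIFICATE-----') { $failures += "$CertPath is not a PEM certificate" }
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
if ($cert.NotAfter -lt (Get-Date)) { $failures += "Server certificate expired on $($cert.NotAfter)" }

# 2. Private key: must be PEM and must NOT be password-protected (the wizard cannot prompt for it).
#    Both legacy ("Proc-Type: 4,ENCRYPTED") and PKCS#8 ("BEGIN ENCRYPTED PRIVATE KEY") forms contain ENCRYPTED.
$keyText = Get-Content -Raw $KeyPath
if ($keyText -notmatch '-----BEGIN (RSA |EC )?PRIVATE KEY-----') { $failures += "$KeyPath is not a PEM private key" }
if ($keyText -match 'ENCRYPTED') { $failures += "$KeyPath is password-protected; remove the passphrase first" }

# 3. CA bundle: one file may hold the whole chain, so count the PEM certificate blocks.
$caCount = ([regex]::Matches((Get-Content -Raw $CaPath), '-----BEGIN CERTIFICATE-----')).Count
if ($caCount -lt 1) { $failures += "$CaPath contains no PEM certificates" }

# 4. Service state after 'uproxy -restart' (Win32_Service works on PowerShell 3.0 too).
$svc = Get-CimInstance Win32_Service -Filter "DisplayName='$ServiceName'"
if (-not $svc) { $failures += "Service '$ServiceName' not found" }
elseif ($svc.State -ne 'Running') { $failures += "Service state is $($svc.State), expected Running" }
elseif ($svc.StartMode -ne 'Auto') { $failures += "Startup type is $($svc.StartMode), expected Automatic" }

# 5. The proxy should be listening on the configured LDAPS port.
$listener = Get-NetTCPConnection -LocalPort $ListenPort -State Listen -ErrorAction SilentlyContinue
if (-not $listener) { $failures += "Nothing is listening on TCP port $ListenPort" }

if ($failures) { $failures | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output "All checks passed: $caCount CA certificate(s) in bundle, service Running on port $ListenPort"
```

      Run it once before starting the configuration wizard (expect the service checks to fail) and again after uproxy -restart, when every check should pass.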

    What to do next: It is highly recommended to restrict access to the configuration file that has been created as a result of configuring the LastPass Universal Proxy. For the specific steps, see How do I restrict access to my configuration file for the LastPass Universal Proxy?