Versions Compared

Old Version 12

changes.mady.by.user Milton Suen

Saved on

compared with

New Version 13

changes.mady.by.user Milton Suen

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Info

The TLS certificate used for LDAPS must be created using Active Directory Certificate Services.

Export Root CA from Active Directory Server

...

Code Block
curl "ldaps://acme.local:636/dc=acme,dc=local" -u "CN=administratorldapuser,CN=Users,DC=acme,DC=local" -vvv

...

Code Block
Enter host password for user 'CN=administratorldapuser,CN=Users,DC=acme,DC=local':
* About to connect() to acme.local port 636 (#0)
*   Trying 172.16.30.88...
* Connected to acme.local (172.16.30.88) port 636 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS: client certificate not found (nickname not specified)
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
*       subject: (nil)
*       start date: Jul 16 12:37:51 2023 GMT
*       expire date: Jul 16 12:47:51 2025 GMT
*       common name: (nil)
*       issuer: CN=acme-W2K19AD01-CA,DC=acme,DC=local
* LDAP local: ldaps://acme.local:636/dc=acme,dc=local

...

  1. Create a User account that can log in to Active Directory with read only access to LDAP/LDAPS.

  2. Refer to https://perifery.atlassian.net/wiki/spaces/public/pages/2443816826/IDSYS+Document+Format#LDAP-and-AD-Fields to configure gateway authentication with Active Directory LDAP.

  3. Change the protocol

    1. ldap ➔ ldaps

    2. Port 389 ➔ 636

  4. Use the LDAPS/AD credentials to log in to the Content Gateway portal (UIC).

    Code Block
    {
  "ldap": {
    "name": "ad-ldap",
    "description": "This is acem.local Active Directory LDAP configuration",
    "protocol": "ldaps",
    "ldaphost": "acme.local",
    "ldapport": "636",
    "adminDN": "CN=ldapuser,CN=Users,DC=acme,DC=local",
    "adminPassword": "P@ssw0rd",
    "userBase": "CN=Users,DC=acme,DC=local",
    "groupBase": "CN=Domain Admins,CN=Users,DC=acme,DC=local",
    "uidAttribute": "sAMAccountName",
    "userFilter": "objectclass=*",
    "groupMemberDNAttr": "",
    "groupMemberUidAttr": "member",
    "cookieName": "token",
    "tokenPath": "/.TOKEN/",
    "s3SecretKeyAttr": "dcadmin@"
  }
}

  5. In case the test login to the Swarm Content Gateway UI fails:

  6. Verify errors by Request ID in /var/log/caringo/cloudgateway_server.log and follow the troubleshooting steps in LDAP Configuration .

    Code Block
    grep 'request_id' /var/log/caringo/cloudgateway_server.log

    Sample certificate error:
    2023-04-07 09:39:18,309 ERROR [qtp1357686726-9493|BC005B3EB68626F8] LDAPIdsys: Unable to connect to identity system ldaps://ad01.acme.internal:636 as ldapUser@acme.internal: javax.naming.CommunicationException: simple bind failed: ad01.acme.internal:636 [Root exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]

...