NOTE: The TLS certificate used for LDAPS must be created using Active Directory Certificate Services!
Export Root CA from Active Directory Server
Log into the Active Directory domain server as domain administrator:
Click Start → Windows Administrative Tools → Certificate Authority to open the CA Microsoft Management Console (MMC) GUI.
Highlight the CA server and right-click to select CA Properties:
From General menu, click View Certificate:
Select the Details view and click Copy to File on the lower-right corner of the window:
Use the Certificate Export Wizard to save the CA certificate file:
Click Next, then select Base-64 encoded X.509 (.CER):
Click Browse to select path to save the root-CA:
Click Finish.
Install Root CA on Swarm Gateway
Copy the root-CA (acme-ca-bundle.crt) to all Swarm Gateway servers:
/etc/pki/ca-trust/source/anchors/acme-ca-bundle.crt
Run the following command on each Gateway server:
update-ca-trust
Restart Gateway Services on each Gateway:
systemctl restart cloudgateway
Test LDAPS connection from Swarm Gateway
Download the Duo Certification Verification Utility to each Swarm Gateway:
cd /root/datacore
curl -fLO https://dl.duosecurity.com/acert-linux
chmod +x acert-linux
Make sure each Gateway server can reach the Active Directory server (e.g. ping / traceroute or equivalent).
Run the following command to verify the LDAPS certificate:
./acert-linux -host ad.acme.local -port 636
Configure LDAPS on Swarm Gateway
Create a User account that can log in to Active Directory with read only access to LDAP/LDAPS.
Refer to LDAP Configuration to configure gateway authenticate with Active Directory LDAP.
Change protocol
ldap ➔ ldaps
Port 389 ➔ 636
Now, test if you are able log in to the UIC (content) Gateway portal using LDAPS/AD credentials.
In case the test login to Swarm Gateway UI failed:
Verify errors by Request ID in
/var/log/caringo/cloudgateway_server.log
and follow the troubleshooting steps in LDAP Configuration .grep 'request_id' /var/log/caringo/cloudgateway_server.log
Sample certificate error:2023-04-07 09:39:18,309 ERROR [qtp1357686726-9493|BC005B3EB68626F8] LDAPIdsys: Unable to connect to identity system ldaps://ad01.acme.internal:636 as ldapUser@acme.internal: javax.naming.CommunicationException: simple bind failed: ad01.acme.internal:636 [Root exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
Otherwise, your configuration for LDAPS/AD integration should be complete!