The TLS certificate used for LDAPS must be created using Active Directory Certificate Services.
Export Root CA from Active Directory Server
Log into the Active Directory domain server as a Domain Administrator:
Open the CA Microsoft Management Console (MMC) GUI from Start → Windows Administrative Tools → Certificate Authority
Right-click on the CA Server and select Properties:
Select View Certificate from the General menu:
Select Details followed by Copy to File…:
Use the Certificate Export Wizard to save the CA certificate file:
Select Next followed by Base-64 encoded X.509 (.CER):
Select Browse to select the path where the root-CA is saved:
Select Next.
Install the Root CA on Swarm Content Gateway
Copy the root-CA (acme-ca-bundle.crt) to the following location on all Swarm Content Gateway servers:
/etc/pki/ca-trust/source/anchors/acme-ca-bundle.crt
Run the following command on each Swarm Content Gateway server:
update-ca-trust
Restart the Swarm Content Gateway Services on each Swarm Content Gateway:
systemctl restart cloudgateway
Test LDAPS connection from Swarm Content Gateway
Download the acert certificate verification utility to each Swarm Content Gateway server and verify the file against the SHA-256 checksums listed on the Duo Certification Verification Utility website:
cd /root/datacore curl -fLO https://dl.duosecurity.com/acert-linux chmod +x acert-linux
Verify all Swarm Content Gateway servers can reach the Active Directory server using tools such as ping, traceroute, or equivalent).
Run the following command to verify the LDAPS certificate:
./acert-linux -host ad.acme.local -port 636
Or test with curl
curl "ldaps://acme.local:636/dc=acme,dc=local" -u "CN=ldapuser,CN=Users,DC=acme,DC=local" -vvv
Output:
Enter host password for user 'CN=ldapuser,CN=Users,DC=acme,DC=local': * About to connect() to acme.local port 636 (#0) * Trying 172.16.30.88... * Connected to acme.local (172.16.30.88) port 636 (#0) * Initializing NSS with certpath: sql:/etc/pki/nssdb * CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none * NSS: client certificate not found (nickname not specified) * SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 * Server certificate: * subject: (nil) * start date: Jul 16 12:37:51 2023 GMT * expire date: Jul 16 12:47:51 2025 GMT * common name: (nil) * issuer: CN=acme-CA,DC=acme,DC=local * LDAP local: ldaps://acme.local:636/dc=acme,dc=local
Configure LDAPS on Swarm Content Gateway
Create a User account that can log in to Active Directory with read only access to LDAP/LDAPS.
Refer to https://perifery.atlassian.net/wiki/spaces/public/pages/2443816826/IDSYS+Document+Format#LDAP-and-AD-Fields to configure gateway authentication with Active Directory LDAP.
Change the protocol
ldap ➔ ldaps
Port 389 ➔ 636
Use the LDAPS/AD credentials to log in to the Content Gateway portal (UIC).
{ "ldap": { "name": "ad-ldap", "description": "This is acem.local Active Directory LDAP configuration", "protocol": "ldaps", "ldaphost": "acme.local", "ldapport": "636", "adminDN": "CN=ldapuser,CN=Users,DC=acme,DC=local", "adminPassword": "P@ssw0rd", "userBase": "CN=Users,DC=acme,DC=local", "groupBase": "CN=Domain Admins,CN=Users,DC=acme,DC=local", "uidAttribute": "sAMAccountName", "userFilter": "objectclass=*", "groupMemberDNAttr": "", "groupMemberUidAttr": "member", "cookieName": "token", "tokenPath": "/.TOKEN/", "s3SecretKeyAttr": "dcadmin@" } }
In case the test login to the Swarm Content Gateway UI fails:
Verify errors by Request ID in
/var/log/caringo/cloudgateway_server.log
and follow the troubleshooting steps in LDAP Configuration .grep 'request_id' /var/log/caringo/cloudgateway_server.log
Sample certificate error:
2023-04-07 09:39:18,309 ERROR [qtp1357686726-9493|BC005B3EB68626F8] LDAPIdsys: Unable to connect to identity system ldaps://ad01.acme.internal:636 as ldapUser@acme.internal: javax.naming.CommunicationException: simple bind failed: ad01.acme.internal:636 [Root exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
The configuration for LDAPS/AD integration should be complete if no errors occur.