Enable LDAPS Authentication with Active Directory on Swarm Gateway

Export Root CA from Active Directory Server

1. Log into the Active Directory domain server as a Domain Administrator:

   1. Open the CA Microsoft Management Console (MMC) GUI from Start → Windows Administrative Tools → Certificate Authority

      Open

      

   2. Right-click on the CA Server and select Properties:

      Open

      

   3. Select View Certificate from the General menu:

      Open

      

       

   4. Select Details followed by Copy to File…:

      Open

      

       

   5. Use the Certificate Export Wizard to save the CA certificate file:

      Open

      

   6. Select Next followed by Base-64 encoded X.509 (.CER):

      Open

      

   7. Select Browse to select the path where the root-CA is saved:

      Open

      

   8. Select Next.

Install the Root CA on Swarm Content Gateway

1. Copy the root-CA (acme-ca-bundle.crt) to the following location on all Swarm Content Gateway servers:

   /etc/pki/ca-trust/source/anchors/acme-ca-bundle.crt

2. Run the following command on each Swarm Content Gateway server:

   update-ca-trust

3. Restart the Swarm Content Gateway Services on each Swarm Content Gateway:

   systemctl restart cloudgateway

Test LDAPS connection from Swarm Content Gateway

1. Download the acert certificate verification utility to each Swarm Content Gateway server and verify the file against the SHA-256 checksums listed on the Duo Certification Verification Utility website:

   cd /root/datacore curl -fLO https://dl.duosecurity.com/acert-linux chmod +x acert-linux

2. Verify all Swarm Content Gateway servers can reach the Active Directory server using tools such as ping, traceroute, or equivalent).

3. Run the following command to verify the LDAPS certificate:

   ./acert-linux -host ad.acme.local -port 3269

Or test using curl command line result with Connected

Output:

Configure LDAPS on Swarm Content Gateway

1. Create a User account that can log in to Active Directory with read only access to LDAP/LDAPS.

2. Refer to IDSYS Document Format | LDAP and AD Fields to configure gateway authentication with Active Directory LDAP.

3. Change the protocol

   1. Protocol: ldap ➔ ldaps

   2. ldapPort: 389 ➔ 3269 (Global Catalog LDAPS port recommended)

      1. Confirm that the domain controller supports the Global Catalog and is listening on port 3269

      2. Verify the LDAPS certificate includes the correct FQDN for the domain controller

4. Use the LDAPS/AD credentials to log in to the Content Gateway portal (UIC).

   { "ldap": { "name": "ad-ldap", "description": "This is acem.local Active Directory LDAP configuration", "protocol": "ldaps", "ldaphost": "acme.local", "ldapport": "3269", "adminDN": "CN=ldapuser,CN=Users,DC=acme,DC=local", "adminPassword": "P@ssw0rd", "userBase": "CN=Users,DC=acme,DC=local", "groupBase": "CN=Domain Admins,CN=Users,DC=acme,DC=local", "uidAttribute": "sAMAccountName", "userFilter": "objectclass=*", "groupMemberDNAttr": "", "groupMemberUidAttr": "member", "cookieName": "token", "tokenPath": "/.TOKEN/", "s3SecretKeyAttr": "dcadmin@" } }

5. In case the test login to the Swarm Content Gateway UI fails:
   
   

   Open

   

6. Verify errors by Request ID in /var/log/caringo/cloudgateway_server.log and follow the troubleshooting steps in LDAP Configuration .

   grep 'request_id' /var/log/caringo/cloudgateway_server.log

   Sample certificate error:
   2023-04-07 09:39:18,309 ERROR [qtp1357686726-9493|BC005B3EB68626F8] LDAPIdsys: Unable to connect to identity system ldaps://ad01.acme.internal:3269 as ldapUser@acme.internal: javax.naming.CommunicationException: simple bind failed: ad01.acme.internal:3269 [Root exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]

The configuration for LDAPS/AD integration should be complete if no errors occur.