Configuring Active Directory Authentication

This topic describes using LDAP authentication against an MS Active Directory tree.

Before contacting technical support about this provider:

  1. Read the following documentation closely.
  2. Download an LDAP browser such as JXplorer. The LDP program on the Windows 2000 Server CD-ROM also works, but JXplorer is easier to follow. Use it to confirm the base DN, the lookup account's DN and the value of the user attribute you search on before concluding that the provider is at fault.

Overview

In Active Directory (AD), the Distinguished Name (DN) of a user looks like:

CN=George L. Sexton,OU=Users,DC=XYZ,DC=COM

An LDAP bind needs this DN, and we do not want users to have to type their full name (let alone a full DN) as the User ID for our system.

As a solution, the AD authentication provider looks the DN up: the user types their userPrincipalName (the user@domain logon name), the provider searches the tree for the entry whose userPrincipalName matches, and then binds as the DN it found with the password the user supplied. You can change the attribute searched to sAMAccountName (the pre-Windows 2000 logon name) if desired: edit the searchField value in the ldap.properties configuration file. Whichever attribute you use must be unique within the part of the tree that is searched; if the search can return more than one entry, the lookup is ambiguous.

By default, AD does not allow an anonymous bind to search the directory, so the lookup step needs credentials. You have two ways of handling this:

  1. Configure your AD tree to allow anonymous queries. Essentially, you will need to grant read access to the anonymous logon on the appropriate object (container) in the tree. Anything on the network can then read those objects, so prefer the second option.
  2. Create a low-powered user that has READ access to the directory tree and set the lookupDN and lookupPassword values in ldap.properties to its DN and password. Do not reuse an administrator or any other privileged account: the password sits in plain text in ldap.properties, so also restrict that file's permissions to the account the service runs as.
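The lookup-then-bind sequence described above, done by hand with System.DirectoryServices.Protocols so it can be exercised outside the application. This is an added example, not ConnectDaily's own code; the domain controller name, base DN, lookup account and the sample UPN are assumptions for illustration. It also shows the two checks a practitioner wants in such a flow: the user ID is escaped before it goes into the search filter, and an empty password is refused before the bind.

```powershell
# Added example, not ConnectDaily's own code: the lookup-then-bind sequence the AD
# provider performs, done by hand with System.DirectoryServices.Protocols.
# Server, base DN, lookup account and the sample UPN below are assumptions.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Server      = 'dc1.xyz.com:636'                                  # assumed DC, LDAPS port
$BaseDN      = 'DC=XYZ,DC=COM'
$SearchField = 'userPrincipalName'                                # or 'sAMAccountName', as searchField allows
$LookupDN    = 'CN=ldap-lookup,OU=Service Accounts,DC=XYZ,DC=COM' # assumed read-only lookup account
$LookupPw    = Read-Host -AsSecureString 'Lookup account password'

# The user ID is placed inside an LDAP search filter, so the filter metacharacters must be
# encoded (RFC 4515) or a user can rewrite the query, e.g. "*" to match any account or
# ")(objectClass=*" to inject a clause. Backslash is handled first so the escapes produced
# for the other characters are not escaped a second time.
function ConvertTo-LdapFilterValue([string]$Value) {
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

function New-LdapConnection([string]$BindDN, [securestring]$Password) {
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
    $conn.SessionOptions.SecureSocketLayer = $true                # LDAPS: never send a simple bind in clear text
    $conn.SessionOptions.ProtocolVersion  = 3
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.Credential = New-Object System.Net.NetworkCredential($BindDN, $Password)
    $conn
}

# Step 1: with the low-powered lookup account, turn the user ID into a DN.
function Get-UserDn([string]$UserId) {
    $conn = New-LdapConnection $LookupDN $LookupPw
    try {
        $conn.Bind()
        $filter = "(&(objectClass=user)($SearchField=$(ConvertTo-LdapFilterValue $UserId)))"
        $req  = New-Object System.DirectoryServices.Protocols.SearchRequest($BaseDN, $filter, [System.DirectoryServices.Protocols.SearchScope]::Subtree, [string[]]@('distinguishedName'))
        $resp = [System.DirectoryServices.Protocols.SearchResponse]$conn.SendRequest($req)
        # Exactly one match, or refuse: zero means an unknown user; more than one means the
        # search field is not unique here and you could end up binding as the wrong entry.
        if ($resp.Entries.Count -ne 1) { throw "Expected one entry for '$UserId', found $($resp.Entries.Count)" }
        $resp.Entries[0].DistinguishedName
    } finally { $conn.Dispose() }
}

# Step 2: bind as that DN with the password the user typed.
function Test-UserPassword([string]$UserDn, [securestring]$Password) {
    # A simple bind with a DN and an EMPTY password succeeds as an anonymous bind
    # (RFC 4513 section 5.1.2), so an empty password must be rejected before binding.
    if ($Password.Length -eq 0) { return $false }
    $conn = New-LdapConnection $UserDn $Password
    try { $conn.Bind(); $true }
    catch [System.DirectoryServices.Protocols.LdapException] { $false }  # e.g. resultCode 49 invalidCredentials
    finally { $conn.Dispose() }
}

$dn = Get-UserDn 'gsexton@xyz.com'                                # assumed UPN for illustration
$ok = Test-UserPassword $dn (Read-Host -AsSecureString 'User password')
"$dn -> authenticated: $ok"
```

If Get-UserDn throws because zero entries come back, check the base DN and the lookup account's read rights with JXplorer first; if it throws because several come back, the attribute in searchField is not unique in the searched subtree. If Test-UserPassword returns $true for a deliberately wrong password, the empty-password check above is the first thing to verify in whatever code you are testing.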

SSL LDAP Setup on Windows

If your AD server does not already have the Certificate Services (Certification Authority) software installed, see Microsoft KB article Q247078 and follow it.

Export the CA certificate from your certificate authority in DER format:

  1. Start the Certification Authority Manager program.
  2. Right click on the Certification Authority and select properties.
  3. On the General tab, click on the View Certificate button.
  4. When the Certificate dialog appears, change to the Details tab.
  5. Click on the Copy to File button.
  6. Set the export file format to DER encoded binary X.509.
  7. Hit Next and assign a file name; finish the Export Certificate Wizard.

Import the CA certificate from your Certificate Authority installation into a new keystore file using the command below. keytool will prompt for a password for the new keystore and ask you to confirm that you trust the certificate:

keytool -import -file file.cer -keystore \
sslkey.keystore -alias "type=r.name=sslkey"

Once you've created the keystore file, set the SSLTrustStore entry in the ldap.properties file to its path.

The keystore needs a certificate that validates the one the domain controller presents on port 636. If your Domain Controller/LDAP server is not the same server as the Certification Authority server, or its certificate was issued by a CA other than the one you exported, go to the Issued Certificates section of the Certification Authority program and locate the certificate issued to your domain controller. Once you locate that certificate, export it in DER format and import it using the command shown above.
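The export, import and SSLTrustStore steps above done from PowerShell, followed by a check of the certificate the domain controller actually serves on port 636, which is the quickest way to tell whether the CA you exported is the right one. This is an added example and not from the product documentation; the CA subject, file paths, keystore password, alias and domain controller name are assumptions, and it assumes a root CA whose certificate is in the machine's Root store.

```powershell
# Added example, not from the product documentation. CA subject, paths, keystore
# password, alias and DC name are assumptions; adjust them to your environment.
$CaSubject = 'CN=XYZ Root CA'                          # assumed subject of your CA certificate
$CerFile   = 'C:\ConnectDaily\ca.cer'
$Keystore  = 'C:\ConnectDaily\sslkey.keystore'         # the file SSLTrustStore will point to
$StorePass = 'changeit'                                # assumed; keytool requires a keystore password

# Export the CA certificate from the machine's trusted root store in DER form
# (-Type CERT is "DER encoded binary X.509", the format the export wizard step asks for).
$ca = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $CaSubject } | Select-Object -First 1
if (-not $ca) { throw "No certificate with subject '$CaSubject' in Cert:\LocalMachine\Root" }
Export-Certificate -Cert $ca -FilePath $CerFile -Type CERT | Out-Null

# Import it as a trusted CA entry into a new truststore (the same operation as the keytool
# line above, with the password supplied so the command does not prompt).
& keytool -importcert -noprompt -trustcacerts -file $CerFile -keystore $Keystore -storepass $StorePass -alias adca
if ($LASTEXITCODE -ne 0) { throw 'keytool import failed' }

# List what the truststore now trusts; the issuer of the DC's LDAPS certificate must be here.
& keytool -list -v -keystore $Keystore -storepass $StorePass

# Now look at the certificate the DC actually serves on 636. If its issuer is not the CA you
# exported, that issuer (or, as described above, the DC's own certificate) must go into the
# truststore. The callback returns $true only so the handshake completes and the certificate
# can be read; it disables validation and is not something to copy into real client code.
$tcp = New-Object System.Net.Sockets.TcpClient('dc1.xyz.com', 636)
$cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
try {
    $ssl.AuthenticateAsClient('dc1.xyz.com')
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    "DC presents: {0}`n  issued by: {1}`n  valid until: {2}" -f $cert.Subject, $cert.Issuer, $cert.NotAfter
} finally { $ssl.Dispose(); $tcp.Dispose() }
```

If the TcpClient connection is refused or the handshake fails before any certificate is returned, the domain controller is not offering LDAPS at all, which is the case the debugging notes below attribute to the server's own certificate setup rather than to your keystore.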

Follow the rest of the LDAP configuration instructions in the Configuring LDAP Authentication topic.

Debugging Notes

If it's not working, first try disabling SSL by editing the ldap.properties file. Do this only on a test network: without SSL, the lookup account's password and every user's password cross the network in clear text. Once you have authentication working without SSL, re-enable SSL and debug the SSL connection sequence by defining

-Djavax.net.debug=ssl:record

or

-Djavax.net.debug=ssl:handshake

On Windows, this is done by editing the value for:

HKEY_LOCAL_MACHINE\SOFTWARE\Apache Software Foundation\Procrun 2.0\ConnectDaily\Parameters\Java\Options

This will send debug information to stdout. You should see the certificate exchange and certificate details. Make sure the certificate that issued the server's certificate (or the server certificate itself, if that is what you imported) is in the keystore. Also compare the host name configured in ldap.properties with the name on the server's certificate; recent Java versions reject an LDAPS connection when they do not match.

If you see a disconnect before the server sends its certificate, refer to MS KB Article 321051. The domain controller only offers SSL on port 636 when it has a usable server certificate, and this article explains what that certificate needs; it contains useful information even if you are not using a 3rd party SSL certificate.
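Editing the Options value by hand is error-prone because it is a REG_MULTI_SZ holding one JVM option per string, and replacing it wholesale silently drops the options the service already needs. The following added example (not from the product documentation) appends the debug option to the existing list, and removes it again afterwards, since handshake output is verbose and prints certificate details on every connection. The service name used for the restart is an assumption.

```powershell
# Added example, not from the product documentation: toggle the SSL debug option in the
# Procrun service's Java Options value without clobbering the options already there.
# Options is REG_MULTI_SZ, one JVM option per string. The service name is an assumption.
$Key  = 'HKLM:\SOFTWARE\Apache Software Foundation\Procrun 2.0\ConnectDaily\Parameters\Java'
$Flag = '-Djavax.net.debug=ssl:handshake'             # or ssl:record for the record layer

function Set-SslDebug([bool]$Enabled) {
    $opts = @((Get-ItemProperty -Path $Key -Name Options).Options)
    # Drop any existing javax.net.debug setting so the value never holds two of them.
    $opts = @($opts | Where-Object { $_ -notlike '-Djavax.net.debug=*' })
    if ($Enabled) { $opts += $Flag }
    Set-ItemProperty -Path $Key -Name Options -Value $opts -Type MultiString
    Restart-Service -Name ConnectDaily                 # assumed service name; the change applies on restart
}

Set-SslDebug $true     # handshake output now goes to the service's stdout log
# ... reproduce the failure and read the log, then turn the option off again.
Set-SslDebug $false
```

If Get-ItemProperty reports that the key does not exist on a 64-bit Windows host, the service may be running a 32-bit JVM, in which case the same key lives under HKLM:\SOFTWARE\WOW6432Node\Apache Software Foundation\Procrun 2.0\... instead.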

http://support.microsoft.com/kb/321051


See Also

Authentication Architecture

Implementation Notes on MD5 Authenticator

Configuring LDAP Authentication

Debugging LDAP/AD Authentication

Configuring Container Authentication

Configuring Windows Integrated Authentication

Automatically Creating Users