This topic describes using LDAP authentication against an MS Active Directory tree.
Please work through the following before contacting technical support about this provider:
In Active Directory (AD), the Distinguished Name (DN) of a user is something like:
CN=George L. Sexton,OU=Users,DC=XYZ,DC=COM
This is unfortunate because we do not want Users to have to type in their full name as a User ID to our system.
As a solution, the AD authentication provider does a lookup of the DN by querying for their userPrincipalName. You can change the field to be the SAMAccountName if desired. Edit the searchField value in the ldap.properties configuration file to change this setting.
By default, the AD LDAP implementation does not allow anonymous bind. You have two ways of handling this:
1. If your AD server does not already have the Certificate Authority software installed, get and follow KB Article Q247078.
2. Export the CA certificate from your Certificate Authority in DER format.
3. Import the CA certificate from your Certificate Authority installation into a new keystore file using the command:

keytool -import -file file.cer -keystore \
    sslkey.keystore -alias "type=r.name=sslkey"

4. Once you've created the keystore file, change the SSLTrustStore path entry in the ldap.properties file to point to it.

If your Domain Controller/LDAP server is not the same server as the Certification Authority server, it may be necessary to go to the Issued Certificates section of the Certificate Authority program and locate the certificate issued to your domain controller. Once you locate that certificate, import it using the command shown above.
Follow the rest of the LDAP configuration instructions in the Configuring LDAP Authentication topic.
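The following is an added example, not ConnectDaily's own code, of the two-step login described above: a service account searches for the user's DN by the configured search field (userPrincipalName by default), and the user's password is then checked by binding as that DN. The LDAP URL, base DN, truststore path and service-account credentials are placeholders standing in for the corresponding ldap.properties settings. Two points matter for safety: the login name is escaped before being placed in the search filter, and an empty password is rejected up front, because a simple bind with an empty password is treated by the directory as an unauthenticated bind and would otherwise "succeed".

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

// Added example (not ConnectDaily's own code): look up the DN by
// userPrincipalName, then bind as that DN to verify the password.
public class AdAuthExample {

    // Placeholder values standing in for ldap.properties settings.
    static final String LDAP_URL     = "ldaps://dc01.xyz.com:636";   // hypothetical host
    static final String BASE_DN      = "DC=XYZ,DC=COM";
    static final String SEARCH_FIELD = "userPrincipalName";         // or "sAMAccountName"
    static final String TRUST_STORE  = "/path/to/sslkey.keystore";  // keystore from keytool step
    // AD does not allow anonymous bind, so a low-privilege service
    // account (placeholder credentials) performs the DN lookup.
    static final String SERVICE_DN = "CN=ldap-lookup,OU=Service Accounts,DC=XYZ,DC=COM";
    static final String SERVICE_PW = "change-me";

    /** Escape a value for use inside an LDAP search filter (RFC 4515). */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Open a simple-bind LDAP connection as the given DN. */
    static DirContext bind(String principal, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);
    }

    /** Step 1: find the DN for a login name such as gsexton@xyz.com. */
    static String lookupDn(String loginName) throws NamingException {
        DirContext ctx = bind(SERVICE_DN, SERVICE_PW);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[0]); // we only need the DN
            String filter = "(" + SEARCH_FIELD + "=" + escapeFilterValue(loginName) + ")";
            NamingEnumeration<SearchResult> results = ctx.search(BASE_DN, filter, sc);
            if (!results.hasMore()) {
                return null; // no such user
            }
            String dn = results.next().getNameInNamespace();
            if (results.hasMore()) {
                throw new NamingException("login name is not unique: " + loginName);
            }
            return dn;
        } finally {
            ctx.close();
        }
    }

    /** Step 2: authenticate by binding as the looked-up DN with the user's password. */
    static boolean authenticate(String loginName, String password) {
        // An empty password would be an unauthenticated bind, which the
        // directory accepts; never treat that as a successful login.
        if (password == null || password.isEmpty()) {
            return false;
        }
        try {
            String dn = lookupDn(loginName);
            if (dn == null) {
                return false;
            }
            bind(dn, password).close();
            return true;
        } catch (NamingException e) {
            return false; // wrong password, lookup failure or connection error
        }
    }

    public static void main(String[] args) {
        // Equivalent of the SSLTrustStore entry in ldap.properties.
        System.setProperty("javax.net.ssl.trustStore", TRUST_STORE);
        // Equivalent of -Djavax.net.debug=ssl:handshake from the Debugging Notes:
        // System.setProperty("javax.net.debug", "ssl:handshake");
        System.out.println(authenticate(args[0], args[1]) ? "OK" : "FAILED");
    }
}
```

Run it as `java AdAuthExample user@xyz.com 'password'` against a test domain controller after replacing the placeholder values. With `javax.net.debug` enabled you will see the server certificate exchange on stdout; if the handshake fails, compare the certificate shown there against the contents of the keystore.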
Debugging Notes
If it's not working, first try disabling SSL by editing the ldap.properties file. Once you have authentication working without SSL, re-enable SSL and debug the SSL connection sequence by defining one of the following Java options:
-Djavax.net.debug=ssl:record
or
-Djavax.net.debug=ssl:handshake
On Windows, this is done by editing the value for:
HKEY_LOCAL_MACHINE\SOFTWARE\Apache Software Foundation\Procrun 2.0\ConnectDaily\Parameters\Java\Options
This will send debug information to stdout. You should see the certificate exchange and certificate details. Make sure the matching certificate is in the keystore.
If you see a disconnect before the exchange of the certificate from the server, refer to MS KB Article 321051. This article contains information even if you are not using a 3rd party SSL certificate.
http://support.microsoft.com/kb/321051
See Also: Automatically Creating Users