Configuring LDAP authentication

Introduction to LDAP authentication in ConSol CM

LDAP authentication is an authentication method which can be used to verify the identify of users in the Web Client and contacts in CM/Track.

Concepts, terms and definitions

Concept	Other terms	Definition
LDAP		Abbreviation of Lightweight Directory Access Protocol, protocol to manage login information for several applications
LDAPS	LDAP over SSL, secure LDAP	LDAP using SSL for communication

Basic tasks

Setting up LDAP for the Web Client

The LDAP server can be defined using the following system properties from the module cmas-core-security.

The placeholder {name} allows to define configurations for several different LDAP servers. It always needs to be provided, even if you only configure one LDAP server. You should use a simple string, which does not include any keywords as internal or external and does not contain special characters.

Authentication attempts against the LDAP servers are made until the first success, starting with the first server in an ascending alphabetical order.

Set the following system properties in the Web Admin Suite, see System properties:

• engineer.authentication.method
  LDAP
• ldap.engineer.{name}.basedn
  The root path in the LDAP tree used to look up the user by the LDAP ID, e.g. ou=accounts,dc=mycompany,dc=de.
• ldap.engineer.{name}.password
  The password used for connecting to the LDAP server to look up the users. Only needed if the lookup cannot be done anonymously.
  
• ldap.engineer.{name}.providerurl
  The complete address of the LDAP server in the format ldap[s]://host:port. Usually, the standard port is 636 and the port for the global catalog is 3269.
• ldap.engineer.{name}.searchattr
  Search attribute to look up a user by LDAP ID, e.g. uid.
  
• ldap.engineer.{name}.userdn
  The LDAP user for connecting to the LDAP server to look up the users. Only needed if the lookup cannot be done anonymously.
• ldap.initialcontextfactory
  This is a predefined global property. The value should be com.sun.jndi.ldap.LdapCtxFactory.

The LDAP IDs for the users are saved on the Users page of the Web Admin Suite.

Setting up LDAP for CM/Track

The LDAP server can be defined using the following system properties from the module cmas-core-security.

The placeholder {name} allows to define configurations for several different LDAP servers. It always needs to be provided, even if you only configure one LDAP server. You should use a simple string, which does not include any keywords as internal or external and does not contain special characters.

Authentication attempts against the LDAP servers are made until the first success, starting with the first server in an ascending alphabetical order.

Set the following system properties in the Web Admin Suite, see System properties:

• contact.authentication.method
  LDAP
• ldap.contact.{name}.basedn
  The root path in the LDAP tree used to look up the contact by the LDAP ID, e.g. ou=accounts,dc=mycompany,dc=de.
• ldap.contact.{name}.password
  The password used for connecting to the LDAP server to look up the contacts. Only needed if the lookup cannot be done anonymously.
• ldap.contact.{name}.providerurl
  The complete address of the LDAP server in the format ldap[s]://host:port. Usually, the standard port is 636 and the port for the global catalog is 3269.
• ldap.contact.{name}.searchattr
  Search attribute to look up a contact by LDAP ID, e.g. uid.
• ldap.contact.{name}.userdn
  The LDAP user for connecting to the LDAP server to look up the contacts. Only needed if the lookup cannot be done anonymously.
• ldap.initialcontextfactory
  This is a predefined global property. The value should be com.sun.jndi.ldap.LdapCtxFactory.

These system properties might not be present initially in your CM system. Just add them manually. You do not need to restart the server after changing the above system properties. The change is applied to all cluster nodes.

The LDAP IDs for the contacts are saved in contact fields with the user name and LDAP ID settings in the Web Client.

Advanced tasks

Setting up LDAPS

Per default, when an LDAP client accesses an LDAP server, the information is transferred in clear text. In case you want the user name and password to be transferred to the LDAP server in encrypted form, you have to set up the LDAP authentication using LDAPS.

You have to configure the CM server machine (Java) in a way that can use certificates. One way to do this for a Linux environment is described in the following section.

1. Retrieve the certificate:

   openssl s_client -connect dc2.mydomain.com:ldaps

2. The answer will contain a section which starts with "---BEGIN CERTIFICATE " and ends with "END CERTIFICATE ---". Copy this section to a file, e.g., /tmp/certificate2_dc2_mydomain_com.txt

3. Import the certificate to the truststore of your machine, e.g., /home/mydirectory/mytruststore

   $JAVA_HOME/bin/keytool -import -alias <arbitrary> -trustcacerts -keystore /home/mydirectory/mytruststore -file/tmp/certificate2_dc2_mydomain_com.txt

   You have to enter (set) a password.

4. Enter the truststore in the ConSol CM config file in JAVA_OPTS:

   -Djavax.net.ssl.trustStore=/home/mydirectory/mytruststore -Djavax.net.ssl.trustStorePassword=<see above>