LDAPS CM1 configuration?

How do I configure a secure LDAP connection, such as LDAPS or LDAP StartTLS, within CM1?

Hi Barry,

I’m going to need some time to look into this for you. I’ll get back to you as soon as I know more.

Nathaniel

Barry,

I have engineering following up with me on this. The LDAP documentation lists out the files and settings needed for standard LDAP access on port 389 but we haven’t documented any steps for a secure LDAP connection. I should have an answer for you on this soon and will update our documentation appropriately in addition.

To start setting up LDAP for CM1, refer to the instructions outlined here: Configuring LDAP

There are only a couple of differences and extra steps required when configuring LDAP with SSL (LDAPS) compared to the basic LDAP instructions:

  1. Import the public key for the SSL certificate from the LDAP server into the CM1 server’s JRE and in the client tools security folder.

  2. In the configuration where you specify the provider URI, use “ldaps” as the protocol instead of “ldap”.

  3. Set the port number to your SSL port for LDAP. Typically, this is 636.

To import the certificate, place the LDAP server certificate into the Percussion\JRE\bin folder. If you are running a 64-bit OS, the folder will be Percussion\JRE64\bin. In this same folder is a keytool used to import the cert. Run this tool with the following parameters to import the cert:
“keytool -import -trustcacerts -alias [YOUR ALIAS] -keystore …/lib/security/cacerts -storepass changeit -noprompt -file [CERT FILE NAME]”
where [YOUR ALIAS] is the server name alias provided at the time the certificate was created.

Once that is done, set up the config file for LDAPS. If you are not sure whether your JRE is 32- or 64-bit, look in the PercussionServer.lax file at the “lax.nl.current.vm” value. JRE64 is used for 64-bit installs.

Please let us know if this helps you out.
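A small check for the <host>/<port> pair in ldapserver.xml that this thread discusses, added here as an example and not part of the thread or of Percussion's own code. It assumes a constructed wrapper element named <ldapserver> and reads only <host> and <port>, flagging plaintext LDAP on 389, a scheme/port mismatch, and a scheme written into <host> (the form that produced the "Invalid name" error reported below).

```python
"""Classify how a CM1 ldapserver.xml fragment connects to the directory."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

LDAPS_PORT = 636
LDAP_PORT = 389

# Constructed sample fragments; the real file carries more elements.
PLAINTEXT_XML = "<ldapserver><host>MYLDAPSERVER</host><port>389</port></ldapserver>"
REPORTER_XML = "<ldapserver><host>ldaps://MYLDAPSERVER</host><port>636</port></ldapserver>"
MISMATCH_XML = "<ldapserver><host>ldap://MYLDAPSERVER</host><port>636</port></ldapserver>"


def assess_ldap_config(xml_text):
    """Return host, port, scheme, the transport implied, and any findings."""
    root = ET.fromstring(xml_text)
    host_text = (root.findtext("host") or "").strip()
    port_text = (root.findtext("port") or "").strip()
    port = int(port_text) if port_text.isdigit() else None

    # Split off a scheme if one was written into <host> (e.g. "ldaps://NAME").
    scheme, host = None, host_text
    if "://" in host_text:
        parts = urlsplit(host_text)
        scheme = parts.scheme.lower()
        host = parts.netloc.split(":")[0]  # keep case; drop any inline port

    # Decide the intended transport from the scheme, falling back to the port.
    by_scheme = {"ldaps": "ldaps", "ldap": "ldap"}.get(scheme)
    by_port = {LDAPS_PORT: "ldaps", LDAP_PORT: "ldap"}.get(port)
    if by_scheme and by_port and by_scheme != by_port:
        transport = "mismatch"
    else:
        transport = by_scheme or by_port or "unknown"

    findings = []
    if scheme is not None:
        findings.append("scheme embedded in <host>; the thread reports this "
                        "producing 'Invalid name' when CM1 builds the provider URI")
    if transport == "mismatch":
        findings.append(f"scheme '{scheme}' disagrees with port {port}")
    if transport == "ldap":
        findings.append("plaintext LDAP: bind credentials and directory data "
                        "cross the network unencrypted")

    return {"host": host, "port": port, "scheme": scheme,
            "transport": transport, "secure": transport == "ldaps",
            "findings": findings}
```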

I just tried making those changes and I seem to have an issue with item number 2. In the ldapserver.xml file I added <host>ldaps://MYLDAPSERVER</host> <port>636</port> and now in the console.log file I get this error:

ERROR [PSUserService] Failed to connect to Directory Server: An unknown naming exception was caught. The error message was: Invalid name: /MYLDAPSERVER:636/ou=users,o=tree

We’re going to need engineering to look into the cause of your error message. We’ll be in contact when we have a solution for you.

Daved,

Do we have a timeline on when the ldaps protocol will be available for us to use?

There is no timeline for this enhancement at this time. We are using this community to help us in the prioritization of customer-requested enhancements. Daved can convert this topic into an Idea and as customers vote on this, we can prioritize appropriately.

Good recommendation, Dan. I just changed this topic into an Idea.

How are others securely connecting to their LDAP servers then?

Tom, we have found that, at this time, secure LDAP connections are not possible in CM1.

Delivered in 2.10

Where can I find the documentation to implement it?

Hi Matt,

Our LDAP configuration guide on our help site has been updated to reflect the new LDAPS configuration steps:

Configuring LDAP

Let me know if you have any trouble setting this up.

Barry,

I checked into this a little further and, though the configuration information is there, the system is not supporting the “ldaps://” protocol at this time. Because of this, I have gone ahead and put a request in to engineering for this to be corrected so you can successfully use ldaps for your environment.

I apologize for the misinformation.