This page describes how to configure secured LDAPS authentication.
You can keep LDAP traffic confidential and secure by using SSL/Transport Layer Security (TLS): the LDAP protocol is then run over an SSL/TLS connection (LDAPS).
To configure LDAPS:
To import the server's public certificate into the Java Virtual Machine:
Retrieve the server's public key certificate by running one of the following commands from a host that has a properly configured SSL library, e.g. OpenSSL, and network access to the LDAP/Active Directory service.
INFO: If you don't have access to a similar tool, contact your LDAP/ Active Directory administrator to get the certificate.
openssl s_client -connect ldap.datameer.local:636
openssl s_client -connect win2012.datameer.local:3269
Copy the public key certificate from the output of this command into a file (das_ldap.pub in the keytool command below), as in the following output snippet.
INFO: Copy the information from '-----BEGIN CERTIFICATE-----' and '-----END CERTIFICATE-----' (inclusive).
...
Certificate chain
 0 s:
   i:/DC=local/DC=datameer/CN=datameer-WIN2008-CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGPTCCBSWgAwIBAgIKI3DaRAAAAAAABjANBgkqhkiG9w0BAQUFADBPMRUwEwYK
CZImiZPyLGQBGRYFbG9jYWwxGDAWBgoJkiaJk/IsZAEZFghkYXRhbWVlcjEcMBoG
A1UEAxMTZGF0YW1lZXItV0lOMjAwOC1DQTAeFw0xMTEwMTgyMjE1MjVaFw0xMjEw
[...]
yBcPZU3Xk/ouciWGpVmuO3X/UZvGPYDQ6XryqHBNzpfv2LMXHXw1P8xHGEMh8PbT
qBSoa9Q+SysqdNUNO8rwawHBtQ86/kIydbjto/UR3qN7Pr11lGlSKGmBKbmxT6p/
K6oqUZHmJi3BZpUt1Ii1oOOJOU0vqq5KAnroLzcdMm0US9T8wCdzp/++01HflP53
A5tUxC+lY4tprMtLkVLcy88=
-----END CERTIFICATE-----
subject=
issuer=/DC=local/DC=datameer/CN=datameer-WIN2008-CA
---
Acceptable client certificate CA names
/CN=win2008.datameer.local
....
Use the Java keytool utility to add the certificate to the JVM's keystore by running the command:
INFO: Be sure to run the command with the keytool binary and JRE paths of the JVM used by Datameer X. Check 'JAVA_HOME' for your setup and ensure it points to the Datameer X JVM and that '$JAVA_HOME/bin' is the first JDK/JRE on your path. The command should be run as root or with sudo unless the JDK is wholly owned by the Datameer X user.
sudo keytool -import -alias <LDAP.YOURDOMAIN.COM> -keystore ${JAVA_HOME}/jre/lib/security/cacerts -file das_ldap.pub
At the prompt, enter "yes". The response 'Certificate was added to keystore' appears, confirming that the server's public key certificate was installed successfully.
Trust this certificate? [no]: yes
Certificate was added to keystore
Restart the Datameer X conductor service for the change to take effect:
${DAS_HOME}/bin/conductor.sh restart
INFO: If you are running a Debian or RPM based installation, enter:
sudo /etc/init.d/das-conductor restart
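As an added example (not a Datameer script), the import procedure above as one POSIX shell script: it captures the certificate from openssl s_client, prints the subject, issuer, validity and SHA-256 fingerprint so you can compare them with what your LDAP/Active Directory administrator gives you before trusting the certificate, and refuses to import over an alias that already exists. LDAP_HOST, LDAP_PORT, JAVA_HOME, the file name das_ldap.pub and the JVM's default cacerts password changeit are assumptions.

```shell
#!/bin/sh
# Added example: fetch, inspect and import an LDAPS server certificate into the JVM cacerts.
# Assumed: LDAP_HOST, LDAP_PORT and JAVA_HOME are set by the caller; cacerts still uses
# the JVM default password "changeit".

# Print the first PEM block (BEGIN..END inclusive) found on stdin, i.e. the server
# certificate in `openssl s_client` output; later chain certificates are ignored.
extract_pem() {
    awk '/-----BEGIN CERTIFICATE-----/ { p = 1 }
         p { print }
         /-----END CERTIFICATE-----/ { if (p) exit }'
}

# fetch_server_cert HOST PORT OUTFILE: connect with SNI and save the PEM certificate.
fetch_server_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | extract_pem > "$3"
    [ -s "$3" ] || { echo "no certificate received from $1:$2" >&2; return 1; }
}

# describe_cert PEMFILE: the fields to verify out of band before trusting the certificate.
describe_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -dates -fingerprint -sha256
}

# import_cert ALIAS PEMFILE CACERTS: add the certificate, but never silently replace
# an alias that is already trusted (rotate it explicitly with keytool -delete).
import_cert() {
    if keytool -list -keystore "$3" -storepass changeit -alias "$1" >/dev/null 2>&1; then
        echo "alias '$1' already present in $3; delete it first to rotate the certificate" >&2
        return 1
    fi
    keytool -import -noprompt -trustcacerts -alias "$1" -file "$2" \
        -keystore "$3" -storepass changeit
}

main() {
    host=${LDAP_HOST:?set LDAP_HOST}
    port=${LDAP_PORT:-636}            # 3269 for an Active Directory global catalog
    cacerts="${JAVA_HOME:?set JAVA_HOME}/jre/lib/security/cacerts"
    fetch_server_cert "$host" "$port" das_ldap.pub || exit 1
    describe_cert das_ldap.pub        # compare the fingerprint with your LDAP admin's value
    import_cert "$host" das_ldap.pub "$cacerts"
}

# Only touch the network and the keystore when explicitly asked to.
if [ "${RUN_LDAPS_IMPORT:-0}" = 1 ]; then main; fi
```

Restart the conductor afterwards as described above; the JVM only reads cacerts at startup.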
To enable LDAPS:
If you change the cache refresh interval to a different number of minutes, you need to save the new value by clicking Rebuild Cache.