1. LDAP Integration
- Create a user in your LDAP server with permissions to search the LDAP directory. For example, this user could be called ‘asset-bank-app’.
- Open the settings file ([tomcat]/asset-bank/WEB-INF/classes/ApplicationSettings.properties)
- Look for the section which starts with the comment ‘Active Directory Settings’
- Change the settings according to your needs. In particular, you need to ensure that:
Active Directory authentication is enabled:
suspend-ad-authentication=false
We recommend enabling on-the-fly syncing to avoid the overhead of periodic syncing. Active Directory users will then be added to Asset Bank upon first login.
import-remote-users-on-the-fly=true
If you absolutely require periodic syncing you can set the period at which to synchronise. Leave this set to 0 to disable periodic syncing.
exchange-synchronise-period-millis=0
The property ‘ad-ldap-server-url’ needs to be ldap:// followed by the IP address (or domain name) of your LDAP server.
ad-ldap-server-url=ldap://<LDAP Server IP>:389
The properties ‘ad-ldap-base-list’ and ‘ad-ldap-on-the-fly-base-list’ need to be the Distinguished Name of the node in the LDAP tree at which you want to start searching for users. Both base lists need the same nodes defined.
Please note: if any of the nodes in this list is wrong or invalid, the whole synchronisation will fail.
Example values:
ad-ldap-base-list=CN=Users,DC=domain2,DC=bright-interactive,DC=com
ad-ldap-on-the-fly-base-list=CN=Users,DC=domain2,DC=bright-interactive,DC=com
The properties ‘ad-wms-user-distinguished-name’ and ‘ad-wms-user-password’ should be changed to match the details of the user you created in the LDAP server in step 1.
ad-wms-user-distinguished-name=CN=LDAPAdmin,CN=Users,DC=domain2,DC=bright-interactive,DC=com
ad-wms-user-password=<password>
- If you have more than one LDAP server (for example for backup purposes) then you can add details of these in the sections commented ‘LDAP Server 2’, ‘LDAP Server 3’, etc. The comments and examples in the settings file explain how to do this.
- To integrate Asset Bank with an LDAP server that requires SSL access, you need to:
- a) Change the protocol in the ‘ad-ldap-server-url’ property from ldap:// to ldaps://
- b) Import the contents of cacerts into a new keystore called jssecacerts
- cd into [java]/jre/lib/security
- Type the following command:
keytool -importkeystore -destkeystore jssecacerts -deststoretype jks -srcstorepass changeit -deststorepass changeit -v -noprompt -srckeystore cacerts
- c) Import the server's certificate into the keystore of the JRE, as follows:
- Make sure you are a user with permission to change files in [java]/jre/lib/security – on Windows this probably means being an administrator.
- cd into [java]/jre/lib/security, where [java]/jre is the JRE you are using to run Tomcat (you may need to check which JRE Tomcat is using).
- Make sure you know the path to the cert file [called cert.crt in the command below].
- Type the following command:
keytool -import -alias [alias for crt] -keystore jssecacerts -file [/path-to-cert/cert.crt]
Note 1: keytool needs to be in the PATH for this to work – otherwise, type the full path, e.g. [java]/jre/bin/keytool.
Note 2: the default Java keystore password is 'changeit'.
- Check that the keystore ‘jssecacerts’ exists and that the cert has been imported into it – the previous command should have created it if it didn’t exist already. Each keystore is stored as a file in the ‘security’ directory, i.e. a file called ‘jssecacerts’ should now exist in [java]/jre/lib/security. You can list the certs in the jssecacerts keystore with this command:
keytool -list -keystore <path/to/jssecacerts>
If the cert has not been imported for some reason we advise using JXplorer to troubleshoot (see below).
- When you have finished changing ApplicationSettings.properties you will need to restart the webapp (or Tomcat) for the changes to take effect.
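A pre-flight check for the settings listed above, as an added example that is not part of Asset Bank or this article: it parses the ‘Active Directory Settings’ properties and reports anything that breaks the rules given in the steps (matching base lists, at least one syncing option enabled, a well-formed server URL, a real bind password). The sample settings, the ‘asset-bank-app’ bind DN and the host name are constructed for the demonstration.

```python
import re
# Constructed sample of the ‘Active Directory Settings’ section (not a real deployment).
SAMPLE_SETTINGS = """\
suspend-ad-authentication=false
import-remote-users-on-the-fly=true
exchange-synchronise-period-millis=0
ad-ldap-server-url=ldaps://ldap.example.internal:636
ad-ldap-base-list=CN=Users,DC=domain2,DC=bright-interactive,DC=com
ad-ldap-on-the-fly-base-list=CN=Users,DC=domain2,DC=bright-interactive,DC=com
ad-wms-user-distinguished-name=CN=asset-bank-app,CN=Users,DC=domain2,DC=bright-interactive,DC=com
ad-wms-user-password=example-only
"""

DN_RE = re.compile(r'[A-Za-z]+=[^,]+(?:,[A-Za-z]+=[^,]+)*')   # CN=...,DC=...,DC=...
URL_RE = re.compile(r'(ldaps?)://([^:/]+)(?::(\d+))?')        # scheme, host, optional port

def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#' and '!' comment lines ignored."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#!':
            continue
        key, sep, value = line.partition('=')
        if sep:
            props[key.strip()] = value.strip()
    return props

def check_ad_settings(props):
    """Return a list of problems; an empty list means the section passes every rule from the steps."""
    problems = []
    if props.get('suspend-ad-authentication') != 'false':
        problems.append('suspend-ad-authentication must be false to enable AD authentication')
    if props.get('import-remote-users-on-the-fly') != 'true' and props.get('exchange-synchronise-period-millis', '0') == '0':
        problems.append('neither on-the-fly import nor periodic syncing is enabled, so no users will be imported')
    url = props.get('ad-ldap-server-url', '')
    m = URL_RE.fullmatch(url)
    if not m:
        problems.append(f'ad-ldap-server-url must be ldap://host[:port] or ldaps://host[:port], got {url!r}')
    elif m.group(1) == 'ldap':
        problems.append('ad-ldap-server-url uses plain ldap://, so the bind password is sent unencrypted')
    for key in ('ad-ldap-base-list', 'ad-ldap-on-the-fly-base-list', 'ad-wms-user-distinguished-name'):
        if not DN_RE.fullmatch(props.get(key, '')):
            problems.append(f'{key} is not a distinguished name (e.g. CN=Users,DC=example,DC=com)')
    if props.get('ad-ldap-base-list') != props.get('ad-ldap-on-the-fly-base-list'):
        problems.append('ad-ldap-base-list and ad-ldap-on-the-fly-base-list must define the same nodes')
    if props.get('ad-wms-user-password', '') in ('', '<password>'):
        problems.append('ad-wms-user-password is empty or still the <password> placeholder')
    return problems
```

Run it against the real file with `check_ad_settings(parse_properties(open(path).read()))` before restarting Tomcat; the ldaps check is a warning to act on only if the SSL steps above have been completed.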
2. Troubleshooting
Please see our knowledgebase article on troubleshooting LDAP integration.