This article will assist you with configuring LDAP with your Directory Server within CruzOC.
Step 1: LDAP Configuration Admin
Open the LDAP Configuration Admin in a browser and enter the LDAP server URL and port, for example ldaps://yourLDAPserver.com:636
Additionally, if your LDAP server is using its own self-signed SSL certificate (common with Windows Active Directory), you will also need to export that certificate from your LDAP server and import it into the CruzOC application's list of trusted root certificates.
Step 2: Adding a Trusted Root Certificate to CruzOC
Perform the following export on the webserver in a command-line window.
Source the OWARE Environment
cmd> oware (for Windows only)
Export LDAP SSL certificate as a file with name: 'ldapcert.cer'
Format: "DER Encoded Binary X.509 format"
Active Directory
NOTE: If using Active Directory, see the section below for export steps.
Copy exported LDAP certificate file (e.g., 'ldapcert.cer') to directory: $OWARE_USER_ROOT/oware/certs/
NOTE: Windows directory equivalent is: %OWARE_USER_ROOT%\oware\certs\
Step 3: Create LDAP Certificate
In a command-line window:
Source the OWARE Environment
cmd> oware (for Windows) or . /etc/.dsienv (for Linux)
Execute command to import the LDAP certificate:
cmd> keytool -import -trustcacerts -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -noprompt -alias ldapserver -file $OWARE_USER_ROOT/oware/certs/ldapcert.cer
Expected OUTPUT:
Certificate was added to keystore
Execute command to confirm certificate imported:
cmd> keytool -list -alias ldapserver -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit
Expected OUTPUT (example, NOT actual):
ldapserver, Mar 18, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): D4:72:37:3A:0E:B5:80:48:F4:FE:AD:4E:1F:59:BD:E2:25:92:E3:9F
Step 4: Restart the webserver service
Windows:
cmd> net stop synergy
cmd> net start synergy
Linux:
Linux# service synergy stop
Linux# service synergy start
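A check worth doing after Step 3, before trusting the import: confirm that the fingerprint keytool reports for the ldapserver alias is the fingerprint of the file you actually exported (and, optionally, of the certificate the LDAPS server presents on port 636). The following script is an added example and not CruzOC's own tooling; it uses only the Python standard library. It assumes two inputs: the exported .cer file (DER as in Step 2, or a Base64/PEM export if the wizard produced that) and the text printed by the keytool -list command above. SAMPLE_DER and SAMPLE_LISTING are constructed stand-ins, not a real certificate.

```python
"""Check that the certificate exported for CruzOC matches what keytool reports.

Added example (not CruzOC's own tooling); Python standard library only.
"""
import base64
import hashlib
import re
import ssl
from typing import Optional

# Constructed stand-in for the bytes of an exported 'ldapcert.cer'. It is NOT a real
# certificate; the fingerprint logic only hashes the DER bytes, so any bytes serve here.
SAMPLE_DER = b"constructed-sample-der-bytes-standing-in-for-ldapcert.cer"


def to_pem(der: bytes) -> bytes:
    """Wrap DER bytes in a PEM envelope (the 'Base-64 encoded X.509' export format)."""
    body = base64.encodebytes(der).decode("ascii")
    return ("-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n").encode("ascii")


def load_der(data: bytes) -> bytes:
    """Return DER bytes whether the export was DER (Step 2's format) or PEM."""
    if data.lstrip().startswith(b"-----BEGIN"):
        m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
        if not m:
            raise ValueError("PEM envelope is incomplete")
        return base64.b64decode(b"".join(m.group(1).split()))
    return data


def fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Fingerprint in keytool's notation: uppercase hex pairs separated by colons."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_from_keytool(listing: str) -> Optional[str]:
    """Pull the SHA1 fingerprint out of `keytool -list` output; None if the alias is missing."""
    m = re.search(r"Certificate fingerprint \(SHA1\):\s*([0-9A-F:]+)", listing)
    return m.group(1) if m else None


def keystore_matches_export(listing: str, exported: bytes) -> bool:
    """True when the alias in the keystore carries exactly the certificate that was exported."""
    listed = fingerprint_from_keytool(listing)
    return listed is not None and listed == fingerprint(load_der(exported))


def fetch_live_der(host: str, port: int = 636) -> bytes:
    """Fetch the certificate the LDAPS server actually presents (for live use; not run here)."""
    pem = ssl.get_server_certificate((host, port))
    return load_der(pem.encode("ascii"))


# Constructed keytool listing in the shape the article shows, built from the sample bytes.
SAMPLE_LISTING = (
    "ldapserver, Mar 18, 2019, trustedCertEntry,\n"
    "Certificate fingerprint (SHA1): " + fingerprint(SAMPLE_DER) + "\n"
)

if __name__ == "__main__":
    print("keystore matches export:", keystore_matches_export(SAMPLE_LISTING, SAMPLE_DER))
```

For a real check, read the exported file into `exported`, paste the keytool -list output into `listing`, and call keystore_matches_export; fetch_live_der lets you compare the same fingerprint against what the directory server sends, which catches an export taken from the wrong CA or the wrong host. keytool's SHA1 column is compared here because that is what the article's example output shows; pass algo="sha256" to fingerprint if your keytool version prints SHA-256 instead.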
Exporting Certificate from Microsoft Active Directory
Open the Certification Authority console from any domain-joined computer or server. This console must be connected to the certification authority. You can open it by searching for "Certification Authority" from the Start menu, or by choosing Run and entering the certsrv.msc command.
Right-click on the name of the certification authority and then select Properties.
In the CA certificates dialog box, choose the General tab and select the certificate for the certification authority you want to access.
Choose View Certificate.
In the Certificate dialog box, choose the Certification Authority tab. Select the name of the root certification authority and then choose View Certificate.
In the Certificate dialog box, choose the Details tab and then choose Copy to File.
The Certificate Export Wizard will appear. Choose Next; there is no need to export the private key.
On the Export File Format page, select the DER Encoded Binary X.509 format option.
Choose Next.
In the File to Export box, choose the path and name for the certificate, and then choose Next.
Choose Finish. The .cer file will be created in the location that you specified in the previous step.
Finally, a dialog box will appear to inform the user that the export was successful. Choose OK to finish.
NOTE: You can restrict LDAP authentication to members of a specific AD group. Additionally, there is no need to "Import" these users, so the LDAP setting for "Import Enabled" can remain unchecked.
Configure LDAP group restriction by changing your LDAP "Authentication Search Filter".
Here's the default "Authentication Search Filter", which does not restrict by group:
(&(objectCategory=person)(sAMAccountName=@screen_name@))
To restrict authentication to ONLY members of a group called "OMNM Users", set "Authentication Search Filter":
(&(objectCategory=Person)(sAMAccountName=@screen_name@)(|(memberOf=cn=OMNM Users,cn=Users,dc=doradotest,dc=com)))
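The @screen_name@ token in the Authentication Search Filter is replaced with whatever the user typed at login, so the value must be escaped per RFC 4515 before substitution; otherwise filter metacharacters in the supplied name could change what the filter matches. The script below is an added example, not CruzOC's own code, and does not show how CruzOC performs the substitution internally. The two templates are the filters from this article; the escaping, the parenthesis-balance check for hand-edited filters, and the group-restriction check are this example's own logic.

```python
"""Render the Authentication Search Filter for a login name, with RFC 4515 escaping.

Added example, not CruzOC's own code. Standard library only.
"""
import re

# The two filters shown in the article.
DEFAULT_FILTER = "(&(objectCategory=person)(sAMAccountName=@screen_name@))"
GROUP_FILTER = (
    "(&(objectCategory=Person)(sAMAccountName=@screen_name@)"
    "(|(memberOf=cn=OMNM Users,cn=Users,dc=doradotest,dc=com)))"
)

# RFC 4515 assertion-value escapes: these characters would otherwise be read as filter syntax.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value destined for an LDAP filter so it can only match literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, screen_name: str) -> str:
    """Substitute @screen_name@ with the escaped login name."""
    return template.replace("@screen_name@", escape_filter_value(screen_name))


def is_balanced(ldap_filter: str) -> bool:
    """Sanity check for a hand-edited filter: parentheses must balance and never close early."""
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def restricts_to_group(ldap_filter: str, group_dn: str) -> bool:
    """True if the filter carries a memberOf clause for the given group DN (case-insensitive)."""
    return re.search(r"\(memberOf=" + re.escape(group_dn) + r"\)", ldap_filter, re.I) is not None


if __name__ == "__main__":
    print(render_filter(GROUP_FILTER, "jsmith"))
    print("balanced:", is_balanced(GROUP_FILTER))
    print("group-restricted:", restricts_to_group(GROUP_FILTER, "cn=OMNM Users,cn=Users,dc=doradotest,dc=com"))
```

Run is_balanced against a filter before saving it in the LDAP settings; a dropped parenthesis is the usual reason a new group restriction stops all logins. Note that memberOf only lists direct group membership, so users who belong to "OMNM Users" through a nested group are not matched by this filter.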