Connecting to an LDAP/Active Directory Service Over SSL
Most modern LDAP service implementations offer support for secure LDAP traffic by running the protocol over SSL. To configure Datameer to use such a service, there are a few steps:
- Import the server's public key certificate into the Java Virtual Machine (JVM) used by Datameer.
- Restart Datameer.
- Configure the Datameer LDAP Authenticator server URL to use the appropriate protocol and port.
Import the server's public key certificate into the JVM used by Datameer
First you need to retrieve the server's public key certificate. This can be done from the command line with a properly configured SSL toolkit, OpenSSL for example. If you don't have access to such a tool, contact your LDAP/Active Directory administrator to get the certificate.
To retrieve the server's public key certificate, run the following command from a machine that has openssl installed and has network access to the LDAP/Active Directory service. This is most likely the Datameer machine but doesn't have to be.
Copy the public key certificate contents from the output of this command, as in this output snippet.
You want to copy everything between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----, inclusive, and paste it into a file, which is called das_ldap.pub for demonstration purposes.
Once you have the server's public key certificate, you must use the java keytool utility to add the certificate to the JVM's keystore. To install the certificate, run the following command:
Make sure you run this command using the keytool binary and JRE paths of the JVM used by Datameer. Check JAVA_HOME for your setup, ensure it points to the Datameer JVM, and ensure that $JAVA_HOME/bin is the first JDK/JRE on your path. The command should be run as root or with sudo unless the JDK is wholly owned by the Datameer user.
keytool might prompt for the keystore password when you run the command. The default is 'changeit' or 'changeme'; if neither works, ask your system administrator.
JAVA_HOME must be the same Java installation that Datameer is currently using. Choose an appropriate alias for your service and replace <LDAP.YOURDOMAIN.COM>. Depending on your environment, you might need to expand JAVA_HOME manually and use the fully qualified path for the command to succeed. The command should output some metadata about the certificate and then prompt you to trust the certificate. Enter yes and you should see "Certificate was added to keystore" as below:
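The retrieval and import steps above, as an added shell example that is not part of Datameer's documentation or tooling. It assumes openssl is installed and JAVA_HOME points at the Datameer JVM; the keystore path is an assumption about the JVM layout, and the host and alias in the usage comment are placeholders. The certificate is printed before import so you can confirm its subject and issuer match the LDAP server you expect.

```shell
#!/bin/sh
# Added example, not Datameer's own tooling: fetch an LDAPS server's certificate
# with openssl, keep only the server's own PEM block, and import it into the
# trust store of the JVM named by JAVA_HOME. Assumed: openssl is installed,
# JAVA_HOME points at the Datameer JVM, and the keystore path below matches it.

# Trust store of the JVM. JDK 9+ and JRE layouts use lib/security/cacerts;
# a JDK 8 layout keeps it under jre/lib/security/cacerts. Override with KEYSTORE.
KEYSTORE="${KEYSTORE:-${JAVA_HOME:-/no/java_home}/lib/security/cacerts}"

# Read openssl s_client output on stdin and print only the first
# BEGIN/END CERTIFICATE block, inclusive. With -showcerts openssl prints the
# whole chain; the first block is the server certificate the page asks for.
extract_pem() {
    awk '/-----BEGIN CERTIFICATE-----/ { p = 1 }
         p { print }
         /-----END CERTIFICATE-----/ { if (p) exit }'
}

# Connect to host $1 on port $2 and write the server certificate (PEM) to stdout.
# stdin is redirected from /dev/null so s_client exits after the handshake.
fetch_server_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts \
        </dev/null 2>/dev/null | extract_pem
}

# Show subject, issuer and validity of PEM file $1 so you can confirm you
# captured the right certificate before trusting it.
describe_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -dates
}

# Import PEM file $2 under alias $1 into the JVM trust store. keytool prompts
# for the keystore password (the page notes the default is changeit or changeme)
# and asks for confirmation before adding the certificate.
import_cert() {
    "${JAVA_HOME:?set JAVA_HOME to the JVM used by Datameer}/bin/keytool" \
        -importcert -trustcacerts -alias "$1" -file "$2" -keystore "$KEYSTORE"
}

# Confirm alias $1 is present in the trust store after the import.
verify_import() {
    "$JAVA_HOME/bin/keytool" -list -keystore "$KEYSTORE" -alias "$1"
}

# Usage: sh ldaps_trust.sh <ldap-host> <port> <alias>
# e.g.   sh ldaps_trust.sh LDAP.YOURDOMAIN.COM 636 ldap-yourdomain
# (placeholder host; 636 is the IANA-registered LDAPS port, confirm yours)
if [ "$#" -eq 3 ]; then
    fetch_server_cert "$1" "$2" > das_ldap.pub
    describe_cert das_ldap.pub
    import_cert "$3" das_ldap.pub
    verify_import "$3"
fi
```

Run it with the Datameer user's JAVA_HOME exported (or under sudo with JAVA_HOME preserved) so the certificate lands in the trust store that Datameer actually reads; importing into a different JVM is the most common reason the LDAPS connection still fails after this step.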
Once the certificate is installed and Datameer has been restarted, you can move on to configuring the appropriate server URL in the Datameer Authentication configuration screen.
Next, you must restart the Datameer conductor service for changes to take effect:
Or if you are running a Debian or RPM based installation:
Configure the Datameer LDAP authenticator server URL to use the appropriate protocol and port
Finally, to enable LDAPS, use ldaps as the protocol portion of the server URL and provide the correct port for your installation, usually
Now you can configure the remaining Authenticator settings and start loading users securely over LDAPS.
Saving Changes to the Cache
If you update the refresh interval of the cache to a different number of minutes, you need to save the new value. To do so, click Rebuild Cache.