
Connecting to an LDAP/Active Directory Service Over SSL

Most modern LDAP service implementations support secure LDAP traffic by running the protocol over SSL. To configure Datameer to use such a service, complete the following steps:

  1. Import the server's public key certificate into the Java Virtual Machine (JVM) used by Datameer. 
  2. Restart Datameer.
  3. Configure the Datameer LDAP Authenticator server URL to use the appropriate protocol and port.

Import the server's public key certificate into the JVM used by Datameer

First you need to retrieve the server's public key certificate. This can be done from the command line using a properly configured SSL library, OpenSSL for example. If you don't have access to a similar tool, contact your LDAP/Active Directory administrator to get the certificate.

To retrieve the server's public key certificate, run the following command from a machine that has OpenSSL installed and network access to the LDAP/Active Directory service. This is most likely the Datameer machine but doesn't have to be.

openssl s_client -connect win2008.datameer.local:636

Copy the public key certificate contents from the output of this command, as in this output snippet.

...
Certificate chain
 0 s:
   i:/DC=local/DC=datameer/CN=datameer-WIN2008-CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGPTCCBSWgAwIBAgIKI3DaRAAAAAAABjANBgkqhkiG9w0BAQUFADBPMRUwEwYK
CZImiZPyLGQBGRYFbG9jYWwxGDAWBgoJkiaJk/IsZAEZFghkYXRhbWVlcjEcMBoG
A1UEAxMTZGF0YW1lZXItV0lOMjAwOC1DQTAeFw0xMTEwMTgyMjE1MjVaFw0xMjEw

[...]

yBcPZU3Xk/ouciWGpVmuO3X/UZvGPYDQ6XryqHBNzpfv2LMXHXw1P8xHGEMh8PbT
qBSoa9Q+SysqdNUNO8rwawHBtQ86/kIydbjto/UR3qN7Pr11lGlSKGmBKbmxT6p/
K6oqUZHmJi3BZpUt1Ii1oOOJOU0vqq5KAnroLzcdMm0US9T8wCdzp/++01HflP53
A5tUxC+lY4tprMtLkVLcy88=
-----END CERTIFICATE-----
subject=
issuer=/DC=local/DC=datameer/CN=datameer-WIN2008-CA
---
Acceptable client certificate CA names
/CN=win2008.datameer.local
....

Copy everything from -----BEGIN CERTIFICATE----- through -----END CERTIFICATE-----, inclusive, and paste it into a file. For demonstration purposes, the file is called das_ldap.pub.

Once you have the server's public key certificate, use the Java keytool utility to add the certificate to the JVM's keystore. To install the certificate, run the following command:

sudo keytool -import -alias <LDAP.YOURDOMAIN.COM> -keystore ${JAVA_HOME}/jre/lib/security/cacerts -file das_ldap.pub

Make sure you run this command using the keytool binary and JRE paths for the JVM used by Datameer. Check JAVA_HOME for your setup and ensure it points to the Datameer JVM and that $JAVA_HOME/bin is the first JDK/JRE on your path. The command should be run as root or with sudo unless the JDK is wholly owned by the Datameer user.

The keytool command might prompt for the keystore password. The default is 'changeit' or 'changeme'. If neither works, ask your system administrator.

Ensure that JAVA_HOME points to the same Java installation that Datameer is currently using. Choose an appropriate alias for your service and replace <LDAP.YOURDOMAIN.COM> with it. Depending on your environment, you might need to manually expand JAVA_HOME and use the fully qualified path for the command to succeed. The command outputs some metadata about the certificate and then prompts you to trust the certificate. Enter yes and you should see "Certificate was added to keystore", as shown below:

Trust this certificate? [no]:  yes
Certificate was added to keystore

Once the key is properly installed, you can move on to configuring the appropriate server URL in the Datameer Authentication configuration screen after restarting.
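
The certificate printed by openssl s_client is whatever the network path presented, so it is worth comparing its SHA-256 fingerprint with one obtained directly from the LDAP/Active Directory administrator before running keytool. The following is an added example, not part of the Datameer documentation; the function names are hypothetical and the fingerprint in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example (not from the Datameer docs): check the LDAPS certificate
# against a fingerprint obtained out of band before trusting it.

# Print only the first PEM block (the server certificate) from
# `openssl s_client` output on stdin, even if more certificates follow.
extract_first_cert() {
  awk '/-----BEGIN CERTIFICATE-----/ { p = 1 }
       p { print }
       /-----END CERTIFICATE-----/ { if (p) exit }'
}

# Reduce a fingerprint to bare upper-case hex so that
# "sha256 Fingerprint=ab:cd" and "AB:CD" compare equal.
normalize_fp() {
  printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'a-f' 'A-F'
}

# fetch_and_verify HOST:PORT EXPECTED_SHA256 OUTFILE
# Returns 0 and leaves OUTFILE in place only when the fingerprints match.
fetch_and_verify() {
  # </dev/null makes s_client exit after the handshake instead of waiting.
  openssl s_client -connect "$1" </dev/null 2>/dev/null |
    extract_first_cert >"$3"
  if [ ! -s "$3" ]; then
    echo "no certificate received from $1" >&2
    rm -f "$3"
    return 2
  fi
  actual=$(normalize_fp "$(openssl x509 -in "$3" -noout -fingerprint -sha256)")
  expected=$(normalize_fp "$2")
  if [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
    echo "fingerprint mismatch for $1: got $actual" >&2
    rm -f "$3"
    return 1
  fi
  echo "fingerprint verified, $3 is ready for keytool -import"
}

# Usage (the fingerprint is a placeholder for the value your administrator gives you):
#   fetch_and_verify win2008.datameer.local:636 '<SHA-256 FINGERPRINT>' das_ldap.pub
```

On a mismatch the function deletes the output file, so a certificate that failed the check cannot be imported by accident.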

Restart Datameer

Next, you must restart the Datameer conductor service for changes to take effect:

${DAS_HOME}/bin/conductor.sh restart

Or if you are running a Debian or RPM based installation:

sudo /etc/init.d/das-conductor restart

Configure the Datameer LDAP authenticator server URL to use the appropriate protocol and port

Finally, to enable LDAPS, use ldaps as the protocol portion of the server URL and provide the correct port for your installation, usually 636.

Now you can configure the remaining Authenticator settings and start loading users securely over LDAPS.

Saving Changes to the Cache

If you update the refresh interval of the cache to a different number of minutes, you need to save the new value. To do so, click Rebuild Cache.
