LDAP Provider Settings

Credentials of CORE users may be maintained and attested using the LDAP (Lightweight Directory Access Protocol) Directory Service Provider (LDAP Provider).

The CORE system allows validating the credentials of the selected users using the LDAP Provider.

Important
The specified LDAP Provider must support the LDAPS (LDAP over SSL) protocol.

Preparing the LDAP Provider

To integrate CORE with the directory service provider, perform the following in the LDAP Provider:

Tip
To test the settings and the connectivity to the LDAP DSP, run the ekm_test_ldap_connect script.

LDAP Settings

LDAP UCL Settings

Tag: x-DY_LDAP_PROVIDER_URL
Alias: ldap-provider-url
Description: Space-separated list of LDAP Provider URLs in the following format: ldaps://<FQDN>[:<port>].
CORE waits 2 sec for the response from the targeted URL before it tries the next URL in the list.
Default: port 636

Tag: x-DY_LDAP_DO_NOT_VERIFY_CERT
Alias: ldap-do-not-verify-cert
Description: Do not verify the LDAP SSL certificate.
Enable this setting only in the dev/test environment if you fail to configure the OpenLDAP server's SSL certificate with the server's name that is checked during the SSL connection establishment attempt.
Default: 0

Tag: x-DY_LDAP_CA_CERTIFICATE
Alias: ldap-ca-certificate
Description: The content of the trust certificate, that is, the CA certificate that signed the LDAP server's certificate. CORE uses it to validate the identity certificate presented by the LDAP server.
Note: The content of the certificate is extracted from the provided .cer file. That is:
- the set command requires the file path;
- the get command returns the content extracted from the file.
If ldap-provider-url specifies a list of servers, then the certificates of all servers in the list must be signed by this CA.
Default: none

Tag: x-DY_LDAP_BIND_DN
Alias: ldap-bind-dn
Description: The distinguished name (DN) of the CORE Attendant in the LDAP Provider.
Default: none

Tag: x-DY_LDAP_BIND_DN_PWD
Alias: ldap-bind-dn-password
Description: The password of the ldap-bind-dn user.
Default: none

Tag: x-DY_LDAP_SEARCH_BASE
Alias: ldap_search_base
Description: A point in the LDAP tree that confines the search to the branches of its subtree.
Default: directory root

Tag: x-DY_LDAP_SEARCH_FILTER
Alias: ldap-search-filter
Description: The username-search filter.
Default (matches MS Active Directory):
'(&(?objectClass=user)(?sAMAccountName=myid)'
When connecting to an OpenLDAP server, set it to
'(&(objectClass=posixAccount)(uid=$UKC_USER))'

Important
When the LDAP Provider is based on OpenLDAP, it is mandatory to set the ldap-search-filter. In particular:
ucl system-settings set \
-k ldap_search_filter \
-v '(&(objectClass=posixAccount)(uid=$UKC_USER))'
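The three connection settings above (ldap-provider-url, ldap-do-not-verify-cert and ldap-ca-certificate) define one policy: which servers are tried, in what order, and how their certificates are checked. The following added example, which is not part of CORE or ucl, encodes that policy in Python so it can be checked before the values are committed. The function names and the constructed sample values are assumptions; the rules themselves (ldaps:// only, an FQDN rather than an IP address, default port 636, a DER trust certificate that is mandatory unless verification is switched off) are the ones stated on this page.

```python
"""Parse the ldap-provider-url list and derive the TLS verification policy
from ldap-ca-certificate / ldap-do-not-verify-cert.

Added example, not part of CORE or ucl. The function names are assumptions;
the rules (ldaps:// only, FQDN not IP, default port 636, trust certificate
mandatory unless verification is switched off) are the ones on this page.
"""
import ssl
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

DEFAULT_LDAPS_PORT = 636
PER_URL_TIMEOUT_SECONDS = 2  # CORE moves on to the next URL after 2 seconds


def parse_provider_urls(value: str) -> List[Tuple[str, int]]:
    """Turn the space-separated ldap-provider-url value into ordered
    (fqdn, port) pairs, i.e. the order in which fail-over is attempted."""
    targets = []
    for raw in value.split():
        parts = urlsplit(raw)
        if parts.scheme != "ldaps":
            raise ValueError("%r: only ldaps:// URLs are accepted (LDAPS is required)" % raw)
        host = parts.hostname
        if not host:
            raise ValueError("%r: missing host name" % raw)
        if host.replace(".", "").isdigit():
            # The page: specify the FQDN; add it to /etc/hosts if DNS lacks it.
            raise ValueError("%r: use the FQDN, not an IP address" % raw)
        port = parts.port if parts.port is not None else DEFAULT_LDAPS_PORT
        targets.append((host, port))
    if not targets:
        raise ValueError("ldap-provider-url is empty")
    return targets


def build_tls_context(ca_der: Optional[bytes], do_not_verify: bool = False) -> ssl.SSLContext:
    """Default: the DER trust certificate is mandatory and both the chain and
    the server name are verified. do_not_verify=True (dev/test only) turns
    every check off, which is why the page confines it to such environments."""
    ctx = ssl.create_default_context()
    if do_not_verify:
        ctx.check_hostname = False   # must be cleared before verify_mode is lowered
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    if not ca_der:
        raise ValueError("ldap-ca-certificate is mandatory unless ldap-do-not-verify-cert is 1")
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    try:
        # bytes cadata is taken as DER, the binary .cer format the page requires
        ctx.load_verify_locations(cadata=ca_der)
    except ssl.SSLError as exc:
        raise ValueError("ldap-ca-certificate must be an X.509 DER (.cer) file: %s" % exc)
    return ctx


if __name__ == "__main__":
    # Constructed sample value taken from the example on this page.
    print(parse_provider_urls("ldaps://provider.local.1 ldaps://provider.local.2:636"))
```

The context returned for the default path is what a client would hand to its socket wrapper; the list of targets is walked in order with PER_URL_TIMEOUT_SECONDS per attempt. A PEM file passed where DER is required fails at load time rather than at the first connection, which is the moment you want to learn about it.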

LDAP UI Settings

To present LDAP system settings, enter ldap into the search window.

For additional description, see LDAP Provider Settings and LDAP UCL Settings.

Name: Don't verify LDAP provider's certificate
Description: By default, the certificate must be provided (see the next field).
Enable this setting only in the test environment if you fail to configure the OpenLDAP server's SSL certificate with the server's name that is checked during the SSL connection establishment attempt.
Default or Mandatory: Default: 0 (by default, the certificate is required)
EKM Service Restart: no

Name: LDAP provider's trust certificate
Description: The content of the LDAP Provider trust certificate.
The content is copied from the X.509 DER Encoded Binary file (also known as a binary .cer file).
Note: In the case of multiple LDAP Providers, all servers must use SSL certificates signed by this CA.
Default or Mandatory: Mandatory
EKM Service Restart: no

Name: LDAP Provider's URL
Description: Space-separated list of LDAP Provider URLs in the following format: ldaps://<FQDN>[:<port>].
Default or Mandatory: FQDN - mandatory. Default port: 636.
EKM Service Restart: no

Name: LDAP search base
Description: The starting point for user search in the directory tree.
Default or Mandatory: Default: the root of the directory.
EKM Service Restart: no

Name: LDAP custom filter for user search
Description: The username-search filter.
When connecting to the OpenLDAP server, set it to
'(&(objectClass=posixAccount)(uid=$UKC_USER))'
Default or Mandatory: Default:
'(&(?objectClass=user)(?sAMAccountName=myid)'
EKM Service Restart: no

Name: LDAP CORE distinguished name (DN)
Description: The DN of the CORE Attendant in the LDAP Provider. See Preparing the LDAP Provider.
Default or Mandatory: Mandatory
EKM Service Restart: no

Name: LDAP CORE DN's password
Description: The password of the CORE Attendant in the LDAP Provider.
Default or Mandatory: Mandatory
EKM Service Restart: no

Credentials of the LDAP Attendant

Overview of the Authentication

Verification of user credentials by the LDAP Provider is implemented using the following LDAP procedure:

  • The verifier (in our case, the EP server) logs in to the directory on behalf of the user (using LDAP bind).
  • The verifier immediately unbinds (logs out) the user from the directory.
  • The EP uses the outcome of the login attempt to decide whether to accept or decline the user.

The Role of LDAP Attendant

An LDAP user can bind to the directory if the user provides its distinguished name (DN) and its password. A DN is a list containing the user's (full) name and the attributes that distinguish this user from other users with the same name. For example, “uid=John Doe Jr., ou=Organization, dc=department”.

To free the user from the burden of providing its complete DN, CORE gets a helping hand from the LDAP Attendant. The Attendant has permission to search the directory starting from the ldap_search_base.

To obtain the user's DN, the Attendant performs the following steps:

  1. It logs in (binds) to the directory using its complete DN and password, as defined by the ldap-bind-dn and ldap-bind-dn-password settings.
  2. It uses its search permission to look up the DN that contains the provided CORE username (John Doe Jr. in the above example).
  3. The DN is obtained.
  4. The Attendant unbinds from the directory.

To bind to the directory, the EP uses the retrieved user's DN and the password provided earlier.
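The procedure just described (Attendant binds, searches from ldap_search_base, obtains the DN, unbinds; the EP then binds as the user and unbinds) is shown below as an added example that is not CORE's own implementation. It runs against a small in-memory stand-in for the LDAP Provider so it can be exercised offline. The FakeDirectory class, the constructed directory entries and the escape_filter_value helper are assumptions; the filter template with its $UKC_USER placeholder is the OpenLDAP one given on this page. The example also covers the two edge cases a verifier must treat as a decline: no DN found, and more than one DN found (two people with the same uid in different branches, which is why the search base matters), and it inserts the username into the filter as an escaped literal rather than as filter syntax.

```python
"""The bind / search / bind / unbind procedure described above, run against a
small in-memory directory so it can be exercised offline.

Added example, not CORE's own implementation. FakeDirectory, the constructed
entries and escape_filter_value are assumptions; the filter template with its
$UKC_USER placeholder is the one given on this page.
"""
import re
from typing import Dict, List, Tuple

# Filter the page prescribes for an OpenLDAP-based provider.
FILTER_TEMPLATE = "(&(objectClass=posixAccount)(uid=$UKC_USER))"

# Constructed sample directory: DN -> attributes. Two different people share
# the uid "John Doe Jr." in different branches; only the search base tells
# them apart.
SAMPLE_ENTRIES: Dict[str, Dict[str, List[str]]] = {
    "uid=attendant,ou=Services,dc=department": {
        "objectClass": ["posixAccount"], "uid": ["attendant"],
        "userPassword": ["attendant-secret"]},
    "uid=John Doe Jr.,ou=Organization,dc=department": {
        "objectClass": ["posixAccount"], "uid": ["John Doe Jr."],
        "userPassword": ["correct horse"]},
    "uid=John Doe Jr.,ou=Contractors,dc=department": {
        "objectClass": ["posixAccount"], "uid": ["John Doe Jr."],
        "userPassword": ["other secret"]},
}
ATTENDANT_DN = "uid=attendant,ou=Services,dc=department"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: the username must be a literal inside the filter,
    never filter syntax, so '\\', '*', '(', ')' and NUL become \\XX."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


class FakeDirectory:
    """Stand-in for the LDAP Provider: simple bind, subtree search, unbind.
    It understands only an AND of equality assertions, which is all the
    page's filter needs."""

    def __init__(self, entries: Dict[str, Dict[str, List[str]]]) -> None:
        self.entries = entries
        self.bound_as = None  # DN of the current session, None when unbound

    def bind(self, dn: str, password: str) -> bool:
        entry = self.entries.get(dn)
        ok = entry is not None and password in entry.get("userPassword", [])
        self.bound_as = dn if ok else None
        return ok

    def unbind(self) -> None:
        self.bound_as = None

    def search(self, base: str, ldap_filter: str) -> List[str]:
        if self.bound_as is None:
            raise PermissionError("search requires a bound session")
        assertions = [(attr, _unescape(val)) for attr, val in
                      re.findall(r"\(([A-Za-z0-9]+)=([^()]*)\)", ldap_filter)]
        hits = []
        for dn, attrs in self.entries.items():
            in_scope = base == "" or dn == base or dn.endswith("," + base)
            if in_scope and all(val in attrs.get(attr, []) for attr, val in assertions):
                hits.append(dn)
        return hits


def authenticate(directory: FakeDirectory, attendant_dn: str, attendant_password: str,
                 search_base: str, username: str, password: str) -> Tuple[bool, str]:
    """Return (accepted, reason). The user's password is used only in the
    final bind, and only if the search produced exactly one DN."""
    # 1. The Attendant binds with its own complete DN and password
    #    (ldap-bind-dn / ldap-bind-dn-password).
    if not directory.bind(attendant_dn, attendant_password):
        return False, "attendant bind failed"
    try:
        # 2. Search, from ldap_search_base, for the DN carrying the CORE username.
        ldap_filter = FILTER_TEMPLATE.replace("$UKC_USER", escape_filter_value(username))
        matches = directory.search(search_base, ldap_filter)
    finally:
        # 4. The Attendant unbinds whatever happened.
        directory.unbind()
    # 3. Exactly one DN must have been obtained; zero or several is a decline.
    if len(matches) != 1:
        return False, "expected exactly one DN, found %d" % len(matches)
    # The verifier binds on behalf of the user, then immediately unbinds.
    accepted = directory.bind(matches[0], password)
    directory.unbind()
    return accepted, "accepted" if accepted else "user bind failed"


if __name__ == "__main__":
    d = FakeDirectory(SAMPLE_ENTRIES)
    print(authenticate(d, ATTENDANT_DN, "attendant-secret",
                       "ou=Organization,dc=department", "John Doe Jr.", "correct horse"))
    print(authenticate(d, ATTENDANT_DN, "attendant-secret",
                       "dc=department", "John Doe Jr.", "correct horse"))  # ambiguous
```

With the search base set to ou=Organization,dc=department the first call is accepted; with the base at dc=department the same username matches two DNs and is declined before any bind is attempted with the user's password. A username made of filter metacharacters is escaped into a literal that matches nothing, so it is also declined at the search step.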

Example of Settings

Set ldap-provider-url

This setting accepts a space-separated list of LDAP Provider URLs:

ucl system-settings set -k ldap-provider-url -v "ldaps://<FQDN1>[:<port1>] [ldaps://<FQDN2>[:<port2>]]"

The default port is 636. For example,

ucl system-settings set -k ldap-provider-url -v "ldaps://provider.local.1 ldaps://provider.local.2:636"

Use the quotation marks "" to enclose the list of LDAP URLs.

Starting with Java version 8.181, you must specify the FQDN of the LDAP DSP.

As needed, add the FQDN to the hosts file. For example, instead of specifying ldaps://192.168.0.12:663, use ldaps://full.name:636 and add the line 192.168.0.12 full.name to the /etc/hosts file.

Set ldap-ca-certificate

To set the LDAP Provider trust certificate, assign to ldap-ca-certificate the content of the certificate file:

ucl system-settings set -k ldap-ca-certificate -v <path to the LDAP Provider trust certificate file>

Important
The LDAP Provider trust certificate must be in the X.509 DER Encoded Binary format (also known as a binary .cer file).

The system stores the content of the file (not its path) after confirming that it has a valid format. Therefore, once assigned, the file may be deleted, as shown below.

Example:

ucl system-settings set -k ldap-ca-certificate -v /home/ubuntu/ldap/ldap-trust.cer

rm /home/ubuntu/ldap/ldap-trust.cer

The ucl system-settings get command presents the content of the certificate:

ucl system-settings get -k ldap-ca-certificate

x-DY_LDAP_CA_CERTIFICATE: Certificate:
Data:
Version: 3 (0x2)
Serial Number:
30:77:bd:01:12:42:fb:b1:4f:23:e7:34:cc:39:ab:64
Signature Algorithm: sha256WithRSAEncryption
Issuer //truncated
Validity //truncated
Subject //truncated
......
// truncated