Enterprise Knowledge Platform



Document Information

Document ID: EN143

Document title: EKP Active Directory Authentication Integration Configuration Guide Version: 1.2

Document date: 17 August 2009

This document may be revised from time to time. Please check NetDimensions Support site at www.netdimensions.com/support for updates to this and other documents or send an e-mail to [email protected] to request the most recent version.

Please report any errors or feedback with this document by sending an e-mail to [email protected].

Copyright Information

Copyright © 2000-2004 by NetDimensions Ltd. All Rights Reserved.

Information in this document is subject to change without notice. The software described herein is furnished under a license agreement, and it may be copied only in accordance with the terms of that agreement. No part of this publication may be reproduced, transmitted, or translated in any form or by any means without the prior written permission of NetDimensions Ltd.

All company and product names used herein may be trademarks or registered trademarks of their respective companies unless stated otherwise.

How to Contact NetDimensions Support

+852 2122 4588
1 866 206 6698 (US toll-free number)
+852 2122 4588
[email protected]
www.netdimensions.com/support

General Enquiries

+852 2122 4500
+852 2122 4588
[email protected]
www.netdimensions.com


Table of Contents

Introduction

Configure Active Directory

Configure EKP

Troubleshooting LDAP Authentication

Additional Resources

    Lightweight Directory Access Protocol Version 3

    Open Group and the Directory Interoperability Forum


Introduction

This document describes the steps required in configuring EKP to use Active Directory (AD) to perform user authentication.

The AD service in Windows 2000 Server and Windows Server 2003 provides native LDAP support, which lets other applications use the directory through the LDAP interface. EKP has a built-in login adapter that integrates with AD to perform user login authentication.

Note: The following example is based on the Windows 2003 environment.

Configure Active Directory

A dedicated user has to be created for EKP to perform the initial bind to the directory service, so that EKP is authorized to search the directory.

1. Go to Administrative Tools > Active Directory Users and Computers. Create a new user "ekp" by selecting Action > New > User and entering the name of the user.


2. Enter a password for the user, set the options as shown in the following diagram, and click Next.


Configure EKP

1. Enable the LDAP interface in EKP by editing ekp.properties, which is located in the <web-apps>/ekp/WEB-INF/conf folder. See the following example:

default.LDAP_Dir=dc=netdimensions,dc=local
default.LDAP_HOST1=win2003-svr
default.LDAP_PORT1=389
default.LDAP_HOST2=win2003-svr
default.LDAP_PORT2=389
default.LDAP_HOST3=win2003-svr
default.LDAP_PORT3=389
default.LDAP_TIMEOUT=300

The above example defines the AD (LDAP server) win2003-svr with the domain name netdimensions.local.

LDAP_Dir defines the distinguished name of the node at which EKP connects to the AD; it is the base from which directory searches start.

LDAP_HOST2 and LDAP_HOST3 define backup AD servers. EKP is able to use multiple authentication servers in a daisy-chain fashion: if the first server does not respond to an authentication request, the second is tried, and so on. If your environment does not use backup AD server(s), use the same host as the primary, as in the above example.

LDAP_TIMEOUT specifies the timeout period in seconds before EKP switches to the next backup AD server.

2. Specify the initial binding user information for the AD. Edit ekp.properties and add the following:

ldap.activeDirectoryDN=cn=ekp,cn=users,dc=netdimensions,dc=local
ldap.activeDirectoryPassword=ekp_password

ldap.activeDirectoryDN specifies the distinguished name of the user that EKP binds as initially, so that directory searches can be done later.

ldap.activeDirectoryPassword specifies the password of that user.

Note: ekp is the name of the user created in the previous section and ekp_password is the password of user ekp.

3. Configure the users to use external authentication.

Log on to EKP as administrator and go to Manage > User Manager > User Editor. Set External Authentication to Yes for users who should use AD authentication.

Note: In order to do the above, the users have to be loaded into EKP beforehand, and the User ID has to match the user name in the AD. Users with External Authentication set to No use the default internal authentication, which means that their password is stored in EKP and at login their user ID/password is checked against this entry instead of being authenticated against the AD.


Troubleshooting LDAP Authentication

Configure ekp.properties

default.LDAP_Dir defines the base distinguished name from which the search starts. It must match the domain components specified in the DN string, for example:

default.LDAP_Dir=dc=netdimensions,dc=com

default.LDAP_HOST# defines an LDAP server. It can be a hostname, IP address or DNS name, for example:

default.LDAP_HOST1=win2003-svr
default.LDAP_HOST1=192.168.99.10

In the first form, win2003-svr is the server name with the domain name netdimensions.com.

ldap.activeDirectoryDN specifies the distinguished name of the user for the initial EKP bind to the AD, so that directory searches can be done later.

The DN (Distinguished Name) string is determined by how your directory is configured. You can use ADSI Edit on your AD servers to view the format of the DN value assigned to the user ekp; you must specify the same components, for example:

ldap.activeDirectoryDN=cn=ekp,cn=users,dc=netdimensions,dc=com

In larger organizations the DN can be more complex, with multiple OUs (Organizational Units):

ldap.activeDirectoryDN=CN=ekp,OU=IT,OU=Users,OU=HongKong,DC=hongkong,DC=netdimensions,DC=com

ldap.activeDirectoryPassword specifies the password of that user.

Note: ekp is the name of the user created in the previous section and ekp_password is the password of user ekp.

default.LDAP_Dir=DC=hongkong,DC=netdimensions,DC=com
default.LDAP_HOST1=192.168.99.10
default.LDAP_PORT1=389
default.LDAP_HOST2=192.168.99.12
default.LDAP_PORT2=389
default.LDAP_HOST3=192.168.69.91
default.LDAP_PORT3=389
default.LDAP_TIMEOUT=300

# Define the active directory DN and password for initial binding.
ldap.activeDirectoryDN=CN=ekp,OU=IT,OU=Users,OU=Hongkong,DC=hongkong,DC=netdimensions,DC=com
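As an added example (not NetDimensions' code), the following Python script reads the ekp.properties keys described in the Configure EKP steps and in this troubleshooting section, lists the daisy-chain order of the LDAP_HOST#/LDAP_PORT# servers, and reports the mismatches this guide warns about: a base that is not in DN form, a bind DN whose domain components differ from default.LDAP_Dir, and a misspelled port key. The sample properties are constructed from the Hong Kong example; the properties reader and the check rules are assumptions of the example, not EKP's own parser.

```python
"""Added example (not NetDimensions' code): read the LDAP keys from an
ekp.properties file and check them for the mistakes this guide warns about."""
import re

# Constructed sample, modelled on the Hong Kong example in the guide; the
# 'LDAP_POST3' spelling is deliberate, to show the key-name check firing.
SAMPLE_PROPERTIES = """\
default.LDAP_Dir=DC=hongkong,DC=netdimensions,DC=com
default.LDAP_HOST1=192.168.99.10
default.LDAP_PORT1=389
default.LDAP_HOST2=192.168.99.12
default.LDAP_PORT2=389
default.LDAP_HOST3=192.168.69.91
default.LDAP_POST3=389
default.LDAP_TIMEOUT=300
# Define the active directory DN and password for initial binding.
ldap.activeDirectoryDN=CN=ekp,OU=IT,OU=Users,OU=HongKong,DC=hongkong,DC=netdimensions,DC=com
ldap.activeDirectoryPassword=ekp_password
"""


def parse_properties(text):
    """Minimal Java-properties reader: key=value per line, '#' lines are comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def domain_components(dn):
    """Lower-cased DC= values of a DN, in order (RDN escaping is not handled)."""
    return [v.strip().lower() for a, _, v in (rdn.partition("=") for rdn in dn.split(","))
            if a.strip().lower() == "dc"]


def failover_chain(props):
    """[(host, port), ...] in the order EKP tries them: HOST1, then HOST2, HOST3, ..."""
    chain, n = [], 1
    while f"default.LDAP_HOST{n}" in props:
        chain.append((props[f"default.LDAP_HOST{n}"],
                      int(props.get(f"default.LDAP_PORT{n}", "389"))))  # 389 assumed if no PORT key
        n += 1
    return chain


def check_ldap_config(props):
    """Return human-readable findings; an empty list means nothing looked wrong."""
    findings = []
    # A misspelled key is silently ignored by a properties reader, so that host gets the default port.
    for key in props:
        if re.fullmatch(r"default\.LDAP_POST\d+", key):
            findings.append(f"{key}: did you mean {key.replace('POST', 'PORT')}?")
    base = props.get("default.LDAP_Dir", "")
    bind_dn = props.get("ldap.activeDirectoryDN", "")
    if not base or not bind_dn:
        findings.append("default.LDAP_Dir and ldap.activeDirectoryDN must both be set")
        return findings
    # A base written as a DNS name (dc=hongkong.netdimensions.com) is not a DN.
    for rdn in base.split(","):
        attr, sep, value = rdn.partition("=")
        if not sep or "." in value:
            findings.append(f"default.LDAP_Dir '{base}' is not in DN form (use DC=...,DC=...)")
            break
    # The guide requires the bind DN's domain components to match the search base.
    if domain_components(bind_dn) != domain_components(base):
        findings.append("ldap.activeDirectoryDN domain components do not match default.LDAP_Dir")
    if not failover_chain(props):
        findings.append("no default.LDAP_HOST1 defined")
    if not props.get("ldap.activeDirectoryPassword"):
        findings.append("ldap.activeDirectoryPassword is empty")
    return findings


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    print("failover order:", failover_chain(props))
    for finding in check_ldap_config(props) or ["no issues found"]:
        print("-", finding)
```

Run it against the real file with parse_properties(open(path).read()) before restarting EKP; a clean result does not prove the credentials work (that is what the ldp.exe test in the next section is for), but it catches the silent failures, such as an ignored key or a base DN in the wrong form, that only show up later as a vague bind or search error in ekp.log.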


Using LDAP Tools To Query Your LDAP Servers

Ensure you are able to connect to your LDAP servers on the specified port by telnetting to it: telnet 192.168.99.10 389 should open a connection. If it does not, it is likely that a firewall is preventing the connection; add a rule between your server and the LDAP server for that port and try again.

You can verify that your LDAP parameters are correct by using LDAP tools to query your LDAP servers with your parameters and password, for example ldp.exe (see http://www.computerperformance.co.uk/w2k3/utilities/ldp.htm). Install it on your EKP server and use your parameters to check that you can communicate with each of your listed LDAP servers.

The following example uses LDP.EXE to connect to "192.168.99.10", 389 and bind as user ekp with password ekp_password and DN CN=ekp,OU=IT,OU=Users,OU=HongKong,DC=hongkong,DC=netdimensions,DC=com.

Sample Output of Successful Query & Binding of User ekp to "192.168.99.10", 389

ld = ldap_open("192.168.99.10", 389);
Established connection to 192.168.99.10.
Retrieving base DSA information...
Result <0>: (null)
Matched DNs:
Getting 1 entries:
>> Dn:
    1> currentTime: 08/12/2009 11:50:21 Central Standard Time Central Daylight Time;
    1> subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=netdimensions,DC=com;
    1> dsServiceName: CN=NTDS Settings,CN=NTDCHONGKONG1,CN=Servers,CN=HongKong,CN=Sites,CN=Configuration,DC=netdimensions,DC=com;
    3> namingContexts: CN=Configuration,DC=netdimensions,DC=com; CN=Schema,CN=Configuration,DC=netdimensions,DC=com; DC=hongkong,DC=netdimensions,DC=com;
    ...
    23> supportedControl: ...
    2> supportedLDAPVersion: 3; 2;
    12> supportedLDAPPolicies: MaxPoolThreads; MaxDatagramRecv; MaxReceiveBuffer; InitRecvTimeout; MaxConnections; MaxConnIdleTime; MaxPageSize; MaxQueryDuration; MaxTempTableSize; MaxResultSetSize; MaxNotificationPerConn; MaxValRange;
    ...
    1> ldapServiceName: netdimensions.com:[email protected];
    1> serverName: CN=NTDCHONGKONG1,CN=Servers,CN=HongKong,CN=Sites,CN=Configuration,DC=netdimensions,DC=com;
    3> supportedCapabilities: 1.2.840.113556.1.4.800; 1.2.840.113556.1.4.1670; 1.2.840.113556.1.4.1791;
    1> isSynchronized: TRUE;
    1> isGlobalCatalogReady: TRUE;
    1> domainFunctionality: 0 = ( DS_BEHAVIOR_WIN2000 );
    1> forestFunctionality: 0 = ( DS_BEHAVIOR_WIN2000 );
    1> domainControllerFunctionality: 2 = ( DS_BEHAVIOR_WIN2003 );
---
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, 1158); // v.3
    {NtAuthIdentity: User='ekp'; Pwd= <unavailable>; domain = 'DN=CN=ekp,OU=IT,OU=Users,OU=HongKong,DC=hongkong,DC=netdimensions,DC=com'.}
Authenticated as dn:'ekp'.

This confirms that the parameters for that particular LDAP server (192.168.99.10) work; repeat the same test for each of your LDAP servers.

If the query to an LDAP server fails, check your parameters and check that your firewall allows communication on the specified ports.

LDP.EXE returns the same Error <0x51>: Fail to connect message when you query the wrong server or the wrong port:

ld = ldap_open("192.168.99.99", 389);
Error <0x51>: Fail to connect to 192.168.99.99.

ld = ldap_open("192.168.99.10", 355);
Error <0x51>: Fail to connect to 192.168.99.10.

If you get the initial LDAP query information but then "Error <49>: ldap_bind_s() failed: Invalid Credentials.", the LDAP server parameters are correct but the bind with the given user and/or password failed.

res = ldap_simple_bind_s(ld, 'ekp', <unavailable>); // v.3
Authenticated as dn:'ekp'.

res = ldap_bind_s(ld, NULL, &NtAuthIdentity, 1158); // v.3
    {NtAuthIdentity: User='ekp'; Pwd= <unavailable>; domain = 'DN=CN=ekp,OU=IT,OU=Users,OU=HongKong,DC=HongKong,DC=netdimensions,DC=com'.}
Error <49>: ldap_bind_s() failed: Invalid Credentials.
Server error: 8009030C: LdapErr: DSID-0C09043E, comment: AcceptSecurityContext error, data 0, vece
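As an added example that is not part of the guide and not the ldp.exe tool, the following Python script performs the same simple-bind exchange on port 389 with a hand-built LDAPv3 BindRequest and classifies the result the way the two ldp.exe transcripts above do: a failed TCP connect corresponds to Error <0x51>, a BindResponse with resultCode 49 to Error <49> Invalid Credentials, and resultCode 0 to a successful bind. The BER encoding follows RFC 4511; the sample BindResponse bytes are constructed, reusing the AcceptSecurityContext diagnostic text shown above, and the commented-out live call uses the guide's example host, DN and password.

```python
"""Added example, not the guide's own tool: the LDAPv3 simple-bind exchange that
ldp.exe performs against a domain controller, built from raw BER so that the
three outcomes the guide distinguishes (connect failure, invalid credentials,
success) can be told apart programmatically."""
import socket

RESULT_NAMES = {0: "success", 32: "noSuchObject", 34: "invalidDNSyntax",
                49: "invalidCredentials", 53: "unwillingToPerform"}


def ber_len(n):
    """BER length octets: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    """One tag-length-value element."""
    return bytes([tag]) + ber_len(len(content)) + content


def encode_bind_request(message_id, bind_dn, password):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }."""
    bind = tlv(0x60, tlv(0x02, bytes([3]))            # version INTEGER 3
                     + tlv(0x04, bind_dn.encode())    # name LDAPDN
                     + tlv(0x80, password.encode()))  # simple password, context tag [0]
    return tlv(0x30, tlv(0x02, bytes([message_id])) + bind)  # message_id < 128 assumed


def read_tlv(buf, pos=0):
    """Decode the element at buf[pos]; returns (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def message_complete(buf):
    """True once buf holds a whole outer SEQUENCE (recv() may return a partial TLV)."""
    if len(buf) < 2:
        return False
    first = buf[1]
    hdr = 2 + (first & 0x7F if first & 0x80 else 0)
    if len(buf) < hdr:
        return False
    length = int.from_bytes(buf[2:hdr], "big") if first & 0x80 else first
    return len(buf) >= hdr + length


def decode_bind_response(data):
    """Extract resultCode and diagnosticMessage from a BindResponse [APPLICATION 1] (0x61)."""
    tag, msg, _ = read_tlv(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, msg_id, pos = read_tlv(msg)
    op_tag, op, _ = read_tlv(msg, pos)
    if op_tag != 0x61:
        raise ValueError(f"expected BindResponse, got protocolOp tag 0x{op_tag:02x}")
    _, code, pos = read_tlv(op)           # resultCode ENUMERATED
    _, _matched, pos = read_tlv(op, pos)  # matchedDN
    _, diag, _ = read_tlv(op, pos)        # diagnosticMessage (AD puts the 8009030C text here)
    rc = int.from_bytes(code, "big")
    return {"message_id": int.from_bytes(msg_id, "big"), "result_code": rc,
            "result": RESULT_NAMES.get(rc, f"other({rc})"),
            "diagnostic": diag.decode("utf-8", errors="replace")}


def ldap_simple_bind(host, port, bind_dn, password, timeout=5.0):
    """Connect, bind once, unbind. 'stage' is 'connect' (the ldp.exe 0x51 case),
    'bind' (for example resultCode 49) or 'ok'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return {"stage": "connect", "error": str(exc)}
    try:
        sock.sendall(encode_bind_request(1, bind_dn, password))
        data = b""
        while not message_complete(data):
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("server closed the connection before replying")
            data += chunk
        sock.sendall(tlv(0x30, tlv(0x02, b"\x02") + b"\x42\x00"))  # UnbindRequest [APPLICATION 2] NULL
    finally:
        sock.close()
    resp = decode_bind_response(data)
    resp["stage"] = "ok" if resp["result_code"] == 0 else "bind"
    return resp


# Constructed BindResponse (resultCode 49) carrying the AD diagnostic text the guide shows,
# so the decoder can be exercised without a directory server.
SAMPLE_INVALID_CREDENTIALS = tlv(0x30, tlv(0x02, b"\x01") + tlv(
    0x61, tlv(0x0A, b"\x31") + tlv(0x04, b"")
    + tlv(0x04, b"8009030C: LdapErr: DSID-0C09043E, comment: AcceptSecurityContext error, data 0, vece")))

if __name__ == "__main__":
    print(decode_bind_response(SAMPLE_INVALID_CREDENTIALS))
    # Live check with the guide's example values (uncomment on the EKP server):
    # print(ldap_simple_bind("192.168.99.10", 389,
    #       "CN=ekp,OU=IT,OU=Users,OU=HongKong,DC=hongkong,DC=netdimensions,DC=com", "ekp_password"))
```

A simple bind on port 389 carries the ekp account's password in the clear, exactly as EKP does with the settings in this guide, so run the check from the EKP server itself rather than from an arbitrary workstation, and keep the ekp account limited to the directory read and search rights it needs.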

Once you have verified your LDAP connection and parameters with a successful authentication using LDAP tools, you can proceed to attempt a login on your EKP server.


On the EKP site, log in as user ekp and check ekp.log for any errors. EKP should be set up in debug mode.

Sample EKP.LOG: user ekp logs in after successful authentication with the LDAP server

2009/Aug/12 23:04:41
Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.connect): Connecting to LDAP server at 192.168.99.10:389
2009/Aug/12 23:04:41
Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.connect): Connected OK
2009/Aug/12 23:04:41
Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.authenticate): Authenticating to LDAP server as: 'CN=ekp,OU=IT,OU=Users,OU=HongKong,DC=HongKong,DC=netdimensions,DC=com'; password: '*********'
2009/Aug/12 23:04:41
Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.authenticate): Authenticated OK
2009/Aug/12 23:04:41
Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.authenticate): about to search Active Directory server for user: 'ekp'
2009/Aug/12 23:04:41
Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.authenticate): base: 'dc=HongKong,DC=netdimensions,DC=com'
2009/Aug/12 23:04:41
Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.authenticate): filter: '(&(|(objectClass=user)(objectClass=person))(|(cn=ekp)(samAccountName=ekp)))'
2009/Aug/12 23:04:41
Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.authenticate): Search returned normally with 2 results
2009/Aug/12 23:04:41
Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.authenticate): results.hasMoreElements: true
2009/Aug/12 23:04:41
Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.authenticateEntry): LDAP DN(basic): CN=ekp,OU=IT,OU=Users,OU=HongKong,DC=HongKong,DC=netdimensions,DC=com
2009/Aug/12 23:04:41
Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.connect): Connecting to LDAP server at 192.168.99.10:389
2009/Aug/12 23:04:41
Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.connect): Connected OK
2009/Aug/12 23:04:42
Severity(DEBUG) Source(com.netdimen.jdbc.core.JdbcTemplate.logSql): executing sql [SELECT * FROM userstats WHERE userid = ?] for arguments ('ekp')
2009/Aug/12 23:04:42
Severity(DEBUG) Source(com.netdimen.jdbc.core.JdbcTemplate.logSql): executing sql [SELECT COUNT(*) FROM messages WHERE readindicator = 'N' AND userid = ?] for arguments ('ekp')


EKP.LOG showing LDAP authentication failed (use LDAP tools to verify your parameters)

2009/Aug/12 09:23:16
Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.connect): Connecting to LDAP server at 192.168.99.10:389
2009/Aug/12 09:23:16
Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.connect): Connected OK
2009/Aug/12 09:23:16
Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.authenticate): Authenticating to LDAP server as: 'CN=ekp,OU=IT,OU=Users,OU=HongKong,DC=HongKong,DC=netdimensions,DC=com'; password: '*********'
2009/Aug/12 09:23:17
Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.authenticate): Authenticated OK
2009/Aug/12 09:23:17
Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.authenticate): about to search Active Directory server for user: 'ekp'
2009/Aug/12 09:23:17
Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.authenticate): base: 'dc=HongKong.netdimensions.com'
2009/Aug/12 09:23:17
Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.authenticate): filter: '(&(|(objectClass=user)(objectClass=person))(|(cn=ekp)(samAccountName=ekp)))'
2009/Aug/12 09:23:17
Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.authenticate): Search returned normally with 1 results
2009/Aug/12 09:23:17
Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.authenticate): results.hasMoreElements: true
2009/Aug/12 09:23:17
Severity(DEBUG) Source(com.netdimen.auth.login.LDAPLoginAdapter.authenticate): LDAP server 1 authentication failed
com.netdimen.auth.login.GeneralAuthenticationException
    at com.netdimen.ldap.LdapServer.authenticate(LdapServer.java:255)
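As an added example (not EKP's code), this Python script parses ekp.log entries in the format shown in the two samples above and summarises the login flow: whether the connect and the service bind succeeded, which search base and result count were logged, and whether LDAPLoginAdapter reported a failure. It flags the misconfiguration visible in the failed sample, a search base written as a DNS name instead of a DN. The log format and the two embedded samples are reconstructed from the guide's excerpts; the summary rules are the example's own.

```python
"""Added example (not EKP's code): triage of the LDAP login sequence in ekp.log."""
import re

# Constructed samples, cut down from the two ekp.log excerpts in the guide.
SUCCESS_LOG = """\
2009/Aug/12 23:04:41
Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.connect): Connecting to LDAP server at 192.168.99.10:389
2009/Aug/12 23:04:41
Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.connect): Connected OK
2009/Aug/12 23:04:41
Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.authenticate): Authenticated OK
2009/Aug/12 23:04:41
Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.authenticate): base: 'dc=HongKong,DC=netdimensions,DC=com'
2009/Aug/12 23:04:41
Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.authenticate): Search returned normally with 2 results
2009/Aug/12 23:04:41
Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.authenticateEntry): LDAP DN(basic): CN=ekp,OU=IT,OU=Users,OU=HongKong,DC=HongKong,DC=netdimensions,DC=com
"""

FAILURE_LOG = """\
2009/Aug/12 09:23:16
Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.connect): Connected OK
2009/Aug/12 09:23:17
Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.authenticate): Authenticated OK
2009/Aug/12 09:23:17
Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.authenticate): base: 'dc=HongKong.netdimensions.com'
2009/Aug/12 09:23:17
Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.authenticate): Search returned normally with 1 results
2009/Aug/12 09:23:17
Severity(DEBUG) Source(com.netdimen.auth.login.LDAPLoginAdapter.authenticate): LDAP server 1 authentication failed
com.netdimen.auth.login.GeneralAuthenticationException
at com.netdimen.ldap.LdapServer.authenticate(LdapServer.java:255)
"""

# One entry = timestamp line, then "Severity(X) Source(Y): message"; the message runs
# until the next timestamp, so stack-trace lines stay attached to the entry they follow.
ENTRY_RE = re.compile(
    r"(\d{4}/[A-Za-z]{3}/\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"Severity\((\w+)\)\s+Source\(([^)]+)\):\s*"
    r"(.*?)(?=\d{4}/[A-Za-z]{3}/\d{2} \d{2}:\d{2}:\d{2}\s+Severity\(|\Z)",
    re.S)


def parse_ekp_log(text):
    """Return [(timestamp, severity, source, message), ...]."""
    return [(ts, sev, src, msg.strip()) for ts, sev, src, msg in ENTRY_RE.findall(text)]


def summarize_ldap_login(entries):
    """Reduce the entries to the milestones of one login attempt plus findings."""
    s = {"connected": False, "bound": False, "base": None, "search_results": None,
         "user_dn": None, "failed_servers": [], "findings": []}
    for _ts, _sev, src, msg in entries:
        if src.endswith(".LdapServer.connect") and msg.startswith("Connected OK"):
            s["connected"] = True
        elif src.endswith(".LdapServer.authenticate"):
            if msg.startswith("Authenticated OK"):
                s["bound"] = True                      # service-account bind with activeDirectoryDN
            elif msg.startswith("base:"):
                s["base"] = msg.split("'")[1]         # search base taken from default.LDAP_Dir
            else:
                m = re.match(r"Search returned normally with (\d+) results", msg)
                if m:
                    s["search_results"] = int(m.group(1))
        elif src.endswith(".LdapServer.authenticateEntry") and "LDAP DN(basic):" in msg:
            s["user_dn"] = msg.split("LDAP DN(basic):", 1)[1].strip()
        elif src.endswith(".LDAPLoginAdapter.authenticate") and "authentication failed" in msg:
            m = re.search(r"LDAP server (\d+)", msg)
            s["failed_servers"].append(int(m.group(1)) if m else -1)
    f = s["findings"]
    if not s["connected"]:
        f.append("no 'Connected OK': check default.LDAP_HOST#/PORT# and the firewall (telnet/ldp.exe)")
    elif not s["bound"]:
        f.append("service bind failed: check ldap.activeDirectoryDN and ldap.activeDirectoryPassword")
    if s["base"] and any("=" not in rdn or "." in rdn.split("=", 1)[1] for rdn in s["base"].split(",")):
        f.append(f"search base '{s['base']}' is not in DN form; check default.LDAP_Dir")
    if s["search_results"] == 0:
        f.append("no directory entry matched: the EKP User ID must equal the AD account name")
    for n in s["failed_servers"]:
        f.append(f"LDAP server {n} rejected the login (see the GeneralAuthenticationException trace)")
    s["success"] = bool(s["connected"] and s["bound"] and s["search_results"]
                        and s["user_dn"] and not s["failed_servers"])
    return s


if __name__ == "__main__":
    for name, text in (("success sample", SUCCESS_LOG), ("failure sample", FAILURE_LOG)):
        summary = summarize_ldap_login(parse_ekp_log(text))
        print(name, "->", "login OK" if summary["success"] else summary["findings"])
```

Point it at the real file with summarize_ldap_login(parse_ekp_log(open(path).read())) after a single test login in debug mode; with a busy log, slice the text to the timestamps of that attempt first, since the summary assumes one login sequence.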


Additional Resources

See the following resources for further information:

Lightweight Directory Access Protocol Version 3

The IETF LDAPv3 Working Group:
    http://www.ietf.org/html.charters/ldapbis-charter.html

The LDAPv3 Working Group archived newsgroup:
    http://www.openldap.org/lists/ietf-ldapbis/

RFC 3377, the current definition of LDAPv3:
    ftp://ftp.rfc-editor.org/in-notes/rfc3377.txt

Open Group and the Directory Interoperability Forum

The Open Group's VSLDAP compliance testing suite overview:
    http://www.opengroup.org/directory/mats/ldap2000/dsvsldap.pdf

The Directory Interoperability Forum (DIF):
    http://www.opengroup.org/directory/

Miscellaneous

The Microsoft Active Directory Web site:
    http://www.microsoft.com/ad

Active Directory Application Mode (ADAM):
    http://www.microsoft.com/windowsserver2003/adam/default.mspx

Directory Services Markup Language (DSML):
    http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/dsml.asp

Microsoft Identity Integration Server 2003, Enterprise Edition:
    http://www.microsoft.com/windowsserver2003/technologies/directory/miis/default.mspx

The Microsoft Windows 2000 inetOrgPerson Kit:
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnactdir/html/inetopkit.asp

LDAP reference for developers on MSDN:
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netdir/ldap/ldap_reference.asp

LDAP API reference for developers on MSDN:

For the latest information about Windows Server 2003, see the Windows Server 2003 Web site at http://www.microsoft.com/windowsserver2003.
