Enterprise Knowledge Platform 5.6

Document Information

Document ID: EN151

Document title: EKP LDAP Authentication Integration Configuration Guide Version: 1.2

Document date: 15 April 2009

This document may be revised from time to time. Please check NetDimensions Support site at www.netdimensions.com/support for updates to this and other documents or send an e-mail to [email protected] to request the most recent version.

Please report any errors or feedback with this document by sending an e-mail to [email protected].

Copyright Information

Copyright 2000-2009 by NetDimensions Ltd. All Rights Reserved.

Information in this document is subject to change without notice. The software described herein is furnished under a license agreement, and it may be copied only in accordance with the terms of that agreement. No part of this publication may be reproduced, transmitted, or translated in any form or by any means without the prior written permission of NetDimensions Ltd.

All company and product names used herein may be trademarks or registered trademarks of their respective companies unless stated otherwise.

How to Contact NetDimensions Support

+852 2122 4588
1 866 206 6698 (US toll-free number)
+852 2122 4588
[email protected]
www.netdimensions.com/support

General Enquiries

+852 2122 4500
+852 2122 4588
[email protected]
www.netdimensions.com


Table of Contents

Description
    About This Guide
    If You Need Help
EKP Configuration
Troubleshooting
Additional Resources
    Lightweight Directory Access Protocol Version 3


Description

About This Guide

This document describes the steps required in configuring EKP to use Lightweight Directory Access Protocol (LDAP) to perform user authentication.

EKP has a built-in login adapter that integrates with an LDAP server to perform user login authentication. It is implemented using the Netscape Directory SDK 4.1, which supports both LDAP version 2 and version 3.

If You Need Help

If you cannot resolve a configuration problem using this guide or the online help, or if you should have any queries related to the technology employed within EKP, your first line of contact should be as described in your Technical Support Contract.

For other queries, or if you are not sure whom to contact, NetDimensions Ltd. may be contacted at [email protected]. Please also refer to the support section of the NetDimensions web site at www.netdimensions.com for the latest information regarding various services.


EKP Configuration

1. Enable the LDAP interface in EKP by editing ekp.properties, which is located in the <web-apps>/ekp/WEB-INF/conf folder. See the following example:

default.LDAP_Dir=o=netdimensions.com
default.LDAP_HOST1=corp-ldap1
default.LDAP_PORT1=389
default.LDAP_HOST2=corp-ldap2
default.LDAP_PORT2=389
default.LDAP_HOST3=corp-ldap3
default.LDAP_PORT3=389
default.LDAP_TIMEOUT=300

default.LDAP_Dir (mandatory): Defines the base distinguished name from which the search starts.

default.LDAP_HOST1 (mandatory): Defines the primary LDAP server (enter hostname or IP address).

default.LDAP_PORT1 (mandatory): Defines the port number of the primary LDAP server.

default.LDAP_HOST2 (mandatory): Defines the second (backup) LDAP server (enter hostname or IP address).

default.LDAP_PORT2 (mandatory): Defines the port number of the second backup LDAP server.

default.LDAP_HOST3 (mandatory): Defines the third backup LDAP server (enter hostname or IP address).

default.LDAP_PORT3 (mandatory): Defines the port number of the third backup LDAP server.

default.LDAP_TIMEOUT (mandatory): Specifies the timeout period in seconds before switching to the next backup LDAP server.

default.LDAP_FILTER (optional): Additional search filter to locate a user entry. (Note: the default is to search by uid only.)

2. Configure the users to use external authentication

Log on to EKP as administrator and go to Manage > User Manager > User Editor.

Set External Authentication to Yes for users who are to use LDAP authentication.

Note

In order to do the above, the users have to be created in EKP beforehand and the User ID has to match the uid in the LDAP directory. Users with External Authentication set to No will be using default


Troubleshooting LDAP Authentication

Configure EKP.PROPERTIES

default.LDAP_Dir defines the base distinguished name from which the search starts. It must match the domain components (DC=) specified in the DN string.

default.LDAP_Dir=dc=netdimensions,dc=com

default.LDAP_HOST# defines an LDAP server. This can be a hostname, IP address or DNS name; for example, default.LDAP_HOST1=win2003-svr refers to the host win2003-svr in the domain netdimensions.com, and the same server can be given by address:

default.LDAP_HOST1=192.168.99.10

ldap.activeDirectoryDN specifies the DN of the user that EKP binds as initially to the AD, so that directory searches can be done afterwards.

The Distinguished Name (DN) string will be determined by how your LDAP directory is configured.

You can use ADSI Edit on your AD servers to view the format of the DN value assigned to the user ekp, and specify the same components here.

ldap.activeDirectoryDN=cn=ekp,cn=users,dc=netdimensions,dc=com

In larger organizations it could be more complex, with multiple OUs (Organizational Units):

ldap.activeDirectoryDN=CN=ekp,OU=IT,OU=Users,OU=HongKong,DC=hongkong,DC=netdimension,DC=com

ldap.activeDirectoryPassword specifies the password of the user

Note: ekp is the name of the user created in the previous section and ekp_password is the password of user ekp.

default.LDAP_Dir=DC=hongkong,DC=netdimensions,DC=com
default.LDAP_HOST1=192.168.99.10
default.LDAP_PORT1=389
default.LDAP_HOST2=192.168.99.12
default.LDAP_PORT2=389
default.LDAP_HOST3=192.168.69.91
default.LDAP_PORT3=389
default.LDAP_TIMEOUT=300

# Define the active directory DN and password for initial binding.
ldap.activeDirectoryDN=CN=ekp,OU=IT,OU=Users,OU=Hongkong,DC=hongkong,DC=netdimensions,DC=com
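As an added example (not from the NetDimensions guide and not EKP's own code), the following Python script reads the LDAP keys out of an ekp.properties file, checks that every key the EKP Configuration section marks as mandatory is present, validates the base DN and service-account DN syntax, and returns the HOST1..HOST3 failover order. The key names are the guide's; the validation rules and the sample file (the troubleshooting values above plus a constructed ldap.activeDirectoryPassword=ekp_password line) are this example's own. The DN check flags the malformed base 'dc=HongKong.netdimensions.com' that appears in the failing ekp.log later in this guide.

```python
"""Added example (not NetDimensions code): validate the LDAP keys of ekp.properties.
Key names follow the EKP configuration guide; the checks themselves are this example's."""
import re

MANDATORY = ["default.LDAP_Dir", "default.LDAP_HOST1", "default.LDAP_PORT1",
             "default.LDAP_HOST2", "default.LDAP_PORT2", "default.LDAP_HOST3",
             "default.LDAP_PORT3", "default.LDAP_TIMEOUT"]
RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,]+$")   # one attr=value pair

# Sample file: the guide's troubleshooting values plus a constructed password line.
SAMPLE_PROPERTIES = """\
default.LDAP_Dir=DC=hongkong,DC=netdimensions,DC=com
default.LDAP_HOST1=192.168.99.10
default.LDAP_PORT1=389
default.LDAP_HOST2=192.168.99.12
default.LDAP_PORT2=389
default.LDAP_HOST3=192.168.69.91
default.LDAP_PORT3=389
default.LDAP_TIMEOUT=300
# Define the active directory DN and password for initial binding.
ldap.activeDirectoryDN=CN=ekp,OU=IT,OU=Users,OU=Hongkong,DC=hongkong,DC=netdimensions,DC=com
ldap.activeDirectoryPassword=ekp_password
"""


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines; '#' and '!' lines are comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def dn_problems(dn):
    """Problems with a distinguished name (escaped commas are not handled here)."""
    problems = []
    for rdn in dn.split(","):
        rdn = rdn.strip()
        if not RDN.match(rdn):
            problems.append("malformed RDN %r" % rdn)
        elif rdn.lower().startswith("dc=") and "." in rdn:
            problems.append("dotted domain in %r: use one DC= component per label" % rdn)
    return problems


def check_ldap_config(text):
    """Return (errors, servers); servers is the HOST1..HOST3 failover order."""
    props = parse_properties(text)
    errors = ["missing mandatory key %s" % k for k in MANDATORY if k not in props]
    for key in ("default.LDAP_Dir", "ldap.activeDirectoryDN"):
        if key in props:
            errors += ["%s: %s" % (key, p) for p in dn_problems(props[key])]
    if "ldap.activeDirectoryDN" in props and "ldap.activeDirectoryPassword" not in props:
        errors.append("ldap.activeDirectoryDN is set but ldap.activeDirectoryPassword is missing")
    servers = []
    for i in (1, 2, 3):
        host = props.get("default.LDAP_HOST%d" % i)
        port = props.get("default.LDAP_PORT%d" % i, "")
        if host is None:
            continue
        if port.isdigit() and 0 < int(port) < 65536:
            servers.append((host, int(port)))
        else:
            errors.append("default.LDAP_PORT%d is not a valid port: %r" % (i, port))
    if not props.get("default.LDAP_TIMEOUT", "").isdigit():
        errors.append("default.LDAP_TIMEOUT must be a whole number of seconds")
    return errors, servers


if __name__ == "__main__":
    problems, order = check_ldap_config(SAMPLE_PROPERTIES)
    for line in problems or ["ekp.properties LDAP settings look consistent"]:
        print(line)
    print("failover order:", order)
```

Run it against the real file by passing open("ekp.properties").read() to check_ldap_config; an empty error list means the keys the guide requires are present and the DNs are comma-separated RDNs, which is the shape the Active Directory search base must have.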


Using LDAP Tools To Query Your LDAP Servers

Ensure you are able to connect to your LDAP servers on the specified port by telnetting to them: telnet 192.168.99.10 389 should open a connection. If it does not, it is likely that a firewall is preventing it; add a rule between your server and the LDAP server for that port and try again.

You can verify that your LDAP parameters are correct by using LDAP tools to query your LDAP servers with your parameters & password.

ldp.exe from http://www.computerperformance.co.uk/w2k3/utilities/ldp.htm

Install on your ekp server and use your parameters to check if you can communicate with your listed LDAP servers.

LDP.EXE to "192.168.99.10", 389, binding to user ekp with password ekp_password, DN=CN=ekp,OU=IT,OU=Users,OU=HongKong,DC=hongkong,DC=netdimension,DC=com

Sample output of a successful query and binding of user ekp to "192.168.99.10", 389:

ld = ldap_open("192.168.99.10", 389);
Established connection to 192.168.99.10.
Retrieving base DSA information...
Result <0>: (null)
Matched DNs:
Getting 1 entries:
>> Dn:
1> currentTime: 08/12/2009 11:50:21 Central Standard Time Central Daylight Time;
1> subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=netdimensions,DC=com;
1> dsServiceName: CN=NTDS Settings,CN=NTDCHONGKONG1,CN=Servers,CN=HongKong,CN=Sites,CN=Configuration,DC=netdimensions,DC=com;
3> namingContexts: CN=Configuration,DC=netdimensions,DC=com; CN=Schema,CN=Configuration,DC=netdimensions,DC=com; DC=hongkong,DC=netdimensions,DC=com;
...
23> supportedControl: ...
2> supportedLDAPVersion: 3; 2;
12> supportedLDAPPolicies: MaxPoolThreads; MaxDatagramRecv; MaxReceiveBuffer; InitRecvTimeout; MaxConnections; MaxConnIdleTime; MaxPageSize; MaxQueryDuration; MaxTempTableSize; MaxResultSetSize; MaxNotificationPerConn; MaxValRange;
...
1> ldapServiceName: netdimensions.com:[email protected];
1> serverName: CN=NTDCHONGKONG1,CN=Servers,CN=HongKong,CN=Sites,CN=Configuration,DC=netdimensions,DC=com;
3> supportedCapabilities: 1.2.840.113556.1.4.800; 1.2.840.113556.1.4.1670; 1.2.840.113556.1.4.1791;
1> isSynchronized: TRUE;
1> isGlobalCatalogReady: TRUE;
1> domainFunctionality: 0 = ( DS_BEHAVIOR_WIN2000 );
1> forestFunctionality: 0 = ( DS_BEHAVIOR_WIN2000 );
1> domainControllerFunctionality: 2 = ( DS_BEHAVIOR_WIN2003 );
---
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, 1158); // v.3
{NtAuthIdentity: User='ekp'; Pwd= <unavailable>; domain = 'DN=CN=ekp,OU=IT,OU=Users,OU=HongKong,DC=hongkong,DC=netdimensions,DC=com'.}
Authenticated as dn:'ekp'.

This confirms that the parameters for that particular LDAP server (192.168.99.10) work; repeat the same test for each of your LDAP servers.

If the query to an LDAP server fails, check your parameters and check that your firewall allows communication on the specified ports.

LDP.EXE returns the same Error <0x51>: Fail to connect message whether you query the wrong server or the wrong port:

ld = ldap_open("192.168.99.99", 389);
Error <0x51>: Fail to connect to 192.168.99.99.

ld = ldap_open("192.168.99.10", 355);
Error <0x51>: Fail to connect to 192.168.99.10.

If you get the initial LDAP query information but then "Error <49>: ldap_bind_s() failed: Invalid Credentials.", the LDAP server parameters are correct but the bind with the user and/or password failed:

res = ldap_simple_bind_s(ld, 'ekp', <unavailable>); // v.3
Authenticated as dn:'ekp'.

res = ldap_bind_s(ld, NULL, &NtAuthIdentity, 1158); // v.3
{NtAuthIdentity: User='ekp'; Pwd= <unavailable>; domain = 'DN=CN=ekp,OU=IT,OU=Users,OU=HongKong,DC=HongKong,DC=netdimensions,DC=com'.}
Error <49>: ldap_bind_s() failed: Invalid Credentials.
Server error: 8009030C: LdapErr: DSID-0C09043E, comment: AcceptSecurityContext error, data 0, vece

Once you have verified your LDAP connection and parameters with successful authentication using LDAP tools you can proceed to attempt log in on your ekp server.
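The two outcomes ldp.exe reports above, a TCP-level "Fail to connect" and an LDAP resultCode 49 "Invalid Credentials", can be reproduced without Windows tooling. The following Python is an added example, not NetDimensions code and not a replacement for ldp.exe: it encodes an LDAPv3 simple BindRequest by hand (RFC 4511 / X.690 BER, only the elements a bind needs), decodes the BindResponse, and pairs the client with a constructed loopback server so the exchange runs offline. The DN and password values are the guide's sample values; start_fake_ldap, closed_loopback_port and the diagnostic text are this example's own. Like the ldap_simple_bind_s call in the ldp.exe trace, a simple bind on port 389 sends the password in clear text, so the same check against a production directory belongs on LDAPS (636) or after StartTLS.

```python
"""Added example (not NetDimensions code): the connect-and-bind check ldp.exe performs,
as a minimal LDAPv3 simple bind (RFC 4511) plus a constructed loopback server."""
import socket
import threading


def ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    """Tag-Length-Value wrapper used for every element below."""
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(value):
    """Minimal two's-complement content octets for INTEGER / ENUMERATED."""
    return value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True)


def read_tlv(buf, pos=0):
    """Decode one TLV at pos; return (tag, content, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def bind_request(msg_id, dn, password):
    """LDAPMessage { messageID, [APPLICATION 0] BindRequest { 3, name, simple [0] } }"""
    body = tlv(0x02, ber_int(3)) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, tlv(0x02, ber_int(msg_id)) + tlv(0x60, body))


def bind_response(msg_id, result_code, diagnostic=""):
    """LDAPMessage { messageID, [APPLICATION 1] BindResponse { code, matchedDN, diag } }"""
    body = tlv(0x0A, ber_int(result_code)) + tlv(0x04, b"") + tlv(0x04, diagnostic.encode())
    return tlv(0x30, tlv(0x02, ber_int(msg_id)) + tlv(0x61, body))


RESULT_NAMES = {0: "success", 32: "noSuchObject", 49: "invalidCredentials"}


def parse_bind_response(data):
    """Pull messageID, resultCode and diagnosticMessage out of a BindResponse."""
    _, msg, _ = read_tlv(data)
    _, mid, p = read_tlv(msg)
    tag, op, _ = read_tlv(msg, p)
    if tag != 0x61:
        raise ValueError("expected BindResponse, got tag 0x%02x" % tag)
    _, code, p = read_tlv(op)
    _, _matched_dn, p = read_tlv(op, p)
    _, diag, _ = read_tlv(op, p)
    rc = int.from_bytes(code, "big", signed=True)
    return {"msg_id": int.from_bytes(mid, "big", signed=True), "result_code": rc,
            "result": RESULT_NAMES.get(rc, "other"), "diagnostic": diag.decode("utf-8", "replace")}


def parse_bind_request(data):
    """Server side: (messageID, dn, password) from a simple BindRequest."""
    _, msg, _ = read_tlv(data)
    _, mid, p = read_tlv(msg)
    _, op, _ = read_tlv(msg, p)
    _, _version, p = read_tlv(op)
    _, dn, p = read_tlv(op, p)
    _, pw, _ = read_tlv(op, p)
    return int.from_bytes(mid, "big", signed=True), dn.decode(), pw.decode()


def simple_bind(host, port, dn, password, timeout=5.0):
    """TCP connect, then bind as dn. A connection failure is ldp.exe's Error <0x51>."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return {"result": "connect_failed", "result_code": None, "diagnostic": str(exc)}
    with sock:
        sock.sendall(bind_request(1, dn, password))
        return parse_bind_response(sock.recv(4096))


def start_fake_ldap(accounts):
    """Constructed directory stand-in on a free loopback port; answers one bind
    against the {dn: password} table. Returns (host, port)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with srv, conn:
            msg_id, dn, pw = parse_bind_request(conn.recv(4096))
            ok = accounts.get(dn) == pw
            conn.sendall(bind_response(msg_id, 0) if ok else
                         bind_response(msg_id, 49, "constructed: AcceptSecurityContext error"))

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


def closed_loopback_port():
    """A loopback port with no listener, to reproduce 'Fail to connect'."""
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()
    return port
```

Against a real server, simple_bind("192.168.99.10", 389, dn, password) gives the same three-way answer the guide reads off ldp.exe: connect_failed (check firewall, host and port), invalidCredentials (check ldap.activeDirectoryDN and its password), or success.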


On the EKP site, log in as user ekp and check ekp.log for any errors. EKP should be running in debug mode.

Sample EKP.LOG - user ekp logs in after successful authentication with LDAP server

2009/Aug/12 23:04:41 Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.connect): Connecting to LDAP server at 192.168.99.10:389
2009/Aug/12 23:04:41 Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.connect): Connected OK
2009/Aug/12 23:04:41 Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.authenticate): Authenticating to LDAP server as: 'CN=ekp,OU=IT,OU=Users,OU=HongKong,DC=HongKong,DC=netdimensions,DC=com'; password: '*********'
2009/Aug/12 23:04:41 Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.authenticate): Authenticated OK
2009/Aug/12 23:04:41 Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.authenticate): about to search Active Directory server for user: 'ekp'
2009/Aug/12 23:04:41 Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.authenticate): base: 'dc=HongKong,DC=netdimensions,DC=com'
2009/Aug/12 23:04:41 Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.authenticate): filter: '(&(|(objectClass=user)(objectClass=person))(|(cn=ekp)(samAccountName=ekp)))'
2009/Aug/12 23:04:41 Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.authenticate): Search returned normally with 2 results
2009/Aug/12 23:04:41 Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.authenticate): results.hasMoreElements: true
2009/Aug/12 23:04:41 Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.authenticateEntry): LDAP DN(basic): CN=ekp,OU=IT,OU=Users,OU=HongKong,DC=HongKong,DC=netdimensions,DC=com
2009/Aug/12 23:04:41 Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.connect): Connecting to LDAP server at 192.168.99.10:389
2009/Aug/12 23:04:41 Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.connect): Connected OK
2009/Aug/12 23:04:42 Severity(DEBUG) Source(com.netdimen.jdbc.core.JdbcTemplate.logSql): executing sql [SELECT * FROM userstats WHERE userid = ?] for arguments ('ekp')
2009/Aug/12 23:04:42 Severity(DEBUG) Source(com.netdimen.jdbc.core.JdbcTemplate.logSql): executing sql [SELECT COUNT(*) FROM messages WHERE readindicator = 'N' AND userid = ?] for arguments ('ekp')
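The filter line in the log above shows the login name embedded in an LDAP search filter. Any code that builds such a filter from a submitted user ID should escape the value as RFC 4515 section 3 requires, so that characters with filter meaning ('*', '(', ')', '\') in the input cannot change the structure of the query. The following Python is an added example and not EKP's code: escape_filter_value implements the RFC 4515 escaping (with non-ASCII emitted as UTF-8 hex pairs), and user_lookup_filter reproduces the shape of the filter in the log with the escaped ID. The attribute names are those in the log; the function names are this example's own.

```python
"""Added example (not NetDimensions code): RFC 4515 escaping for the user ID
placed in the EKP-style user lookup filter."""

_SPECIAL = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    """Escape an assertion value for use inside an LDAP search filter (RFC 4515 s.3).
    Non-ASCII characters are written as the hex of their UTF-8 bytes."""
    out = []
    for ch in value:
        if ch in _SPECIAL:
            out.append(_SPECIAL[ch])
        elif ord(ch) > 0x7F:
            out.append("".join("\\%02x" % b for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def user_lookup_filter(user_id):
    """Same shape as the filter in the ekp.log sample, with the user ID escaped
    before it is placed into the cn= and samAccountName= assertions."""
    uid = escape_filter_value(user_id)
    return "(&(|(objectClass=user)(objectClass=person))(|(cn=%s)(samAccountName=%s)))" % (uid, uid)


if __name__ == "__main__":
    print(user_lookup_filter("ekp"))
    print(user_lookup_filter("x)(cn=*"))   # parentheses and star arrive escaped
```

With escaping in place the filter always contains exactly the seven opening and seven closing parentheses of the template, whatever the login name contains, and a directory that receives it evaluates the ID as a literal value.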


EKP.LOG showing LDAP Authentication Failed. Use LDAP tools to verify your parameters.

2009/Aug/12 09:23:16 Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.connect): Connecting to LDAP server at 192.168.99.10:389
2009/Aug/12 09:23:16 Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.connect): Connected OK
2009/Aug/12 09:23:16 Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.authenticate): Authenticating to LDAP server as: 'CN=ekp,OU=IT,OU=Users,OU=HongKong,DC=HongKong,DC=netdimensions,DC=com'; password: '*********'
2009/Aug/12 09:23:17 Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.authenticate): Authenticated OK
2009/Aug/12 09:23:17 Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.authenticate): about to search Active Directory server for user: 'ekp'
2009/Aug/12 09:23:17 Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.authenticate): base: 'dc=HongKong.netdimensions.com'
2009/Aug/12 09:23:17 Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.authenticate): filter: '(&(|(objectClass=user)(objectClass=person))(|(cn=ekp)(samAccountName=ekp)))'
2009/Aug/12 09:23:17 Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.authenticate): Search returned normally with 1 results
2009/Aug/12 09:23:17 Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.authenticate): results.hasMoreElements: true
2009/Aug/12 09:23:17 Severity(DEBUG) Source(com.netdimen.auth.login.LDAPLoginAdapter.authenticate): LDAP server 1 authentication failed
com.netdimen.auth.login.GeneralAuthenticationException
at com.netdimen.ldap.LdapServer.authenticate(LdapServer.java:255)
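The two ekp.log excerpts differ in one detail that is easy to miss by eye: the failing attempt searched under base 'dc=HongKong.netdimensions.com' (a dotted domain name where a DN needs DC= components) rather than 'dc=HongKong,DC=netdimensions,DC=com'. The following Python is an added example, not NetDimensions code: it parses lines in the ekp.log format shown above, summarises one LDAP login attempt, and reports the findings an operator should act on, including the malformed base DN. The sample lines are constructed after the guide's two excerpts (timestamps, sources and messages copied from them, shortened to the lines the triage uses); the line format regex and the findings are this example's own.

```python
"""Added example (not NetDimensions code): triage of EKP LDAP debug log lines."""
import re

# Constructed sample lines, modelled on the two ekp.log excerpts in the guide.
SUCCESS_LOG = """\
2009/Aug/12 23:04:41 Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.connect): Connecting to LDAP server at 192.168.99.10:389
2009/Aug/12 23:04:41 Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.connect): Connected OK
2009/Aug/12 23:04:41 Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.authenticate): Authenticated OK
2009/Aug/12 23:04:41 Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.authenticate): base: 'dc=HongKong,DC=netdimensions,DC=com'
2009/Aug/12 23:04:41 Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.authenticate): filter: '(&(|(objectClass=user)(objectClass=person))(|(cn=ekp)(samAccountName=ekp)))'
2009/Aug/12 23:04:41 Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.authenticate): Search returned normally with 2 results
2009/Aug/12 23:04:41 Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.authenticateEntry): LDAP DN(basic): CN=ekp,OU=IT,OU=Users,OU=HongKong,DC=HongKong,DC=netdimensions,DC=com
"""
FAILED_LOG = """\
2009/Aug/12 09:23:16 Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.connect): Connected OK
2009/Aug/12 09:23:17 Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.authenticate): Authenticated OK
2009/Aug/12 09:23:17 Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.authenticate): base: 'dc=HongKong.netdimensions.com'
2009/Aug/12 09:23:17 Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.authenticate): Search returned normally with 1 results
2009/Aug/12 09:23:17 Severity(DEBUG) Source(com.netdimen.auth.login.LDAPLoginAdapter.authenticate): LDAP server 1 authentication failed
com.netdimen.auth.login.GeneralAuthenticationException
"""

# 'YYYY/Mon/DD HH:MM:SS Severity(LEVEL) Source(class.method): message'
LINE = re.compile(r"^(?P<ts>\S+ \S+) Severity\((?P<level>\w+)\) Source\((?P<src>[^)]+)\): (?P<msg>.*)$")
COUNT = re.compile(r"Search returned normally with (\d+) results")


def parse_log(text):
    """Keep only lines in the ekp.log format; stack-trace lines are skipped."""
    return [m.groupdict() for m in map(LINE.match, text.splitlines()) if m]


def triage_ldap_attempt(text):
    """Summarise one LDAP login attempt and list findings an operator should act on."""
    s = {"connected": False, "bound": False, "base": None, "filter": None,
         "results": None, "failed": False, "findings": []}
    for ev in parse_log(text):
        msg = ev["msg"]
        if msg == "Connected OK":
            s["connected"] = True
        elif msg == "Authenticated OK":          # the service-account bind succeeded
            s["bound"] = True
        elif msg.startswith("base: "):
            s["base"] = msg[6:].strip("'")
        elif msg.startswith("filter: "):
            s["filter"] = msg[8:].strip("'")
        elif COUNT.match(msg):
            s["results"] = int(COUNT.match(msg).group(1))
        elif msg.endswith("authentication failed"):
            s["failed"] = True
    if s["base"] is not None:
        # a search base must be comma-separated attr=value RDNs, one DC= per label
        bad = [r for r in s["base"].split(",")
               if "=" not in r or (r.lower().startswith("dc=") and "." in r)]
        if bad:
            s["findings"].append("base DN has malformed RDN(s) %s; expected one DC= component per domain label" % bad)
    if s["results"] is not None and s["results"] > 1:
        s["findings"].append("user filter matched %d entries; the user ID should identify exactly one entry" % s["results"])
    if s["failed"] and not s["bound"]:
        s["findings"].append("service-account bind never succeeded; verify ldap.activeDirectoryDN and its password with an LDAP tool")
    return s


if __name__ == "__main__":
    for name, log in (("success", SUCCESS_LOG), ("failed", FAILED_LOG)):
        print(name, triage_ldap_attempt(log)["findings"])
```

Run triage_ldap_attempt over the LDAP lines of one login attempt taken from the real ekp.log (debug mode on); a "base DN" finding points back to default.LDAP_Dir in ekp.properties, and a multiple-match finding means the cn/samAccountName lookup is not selecting a single directory entry for that user ID.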


Additional Resources

See the following resources for further information:

Lightweight Directory Access Protocol Version 3

The IETF LDAPv3 Working Group:

http://www.ietf.org/html.charters/ldapbis-charter.html

The LDAPv3 Working Group archived newsgroup:

http://www.openldap.org/lists/ietf-ldapbis/

RFC 3377, the current definition of LDAPv3:

ftp://ftp.rfc-editor.org/in-notes/rfc3377.txt

Open Group and the Directory Interoperability Forum

The Open Group's VSLDAP compliance testing suite overview:

http://www.opengroup.org/directory/mats/ldap2000/dsvsldap.pdf

The Directory Interoperability Forum (DIF):
