
Enterprise Knowledge Platform Active Directory Authentication Integration Configuration Guide

Document Information

Document ID: EN143
Document title: EKP Active Directory Authentication Integration Configuration Guide
Version: 1.2
Document date: 17 August 2009

This document may be revised from time to time. Please check the NetDimensions Support site at www.netdimensions.com/support for updates to this and other documents, or send an e-mail to support@netdimensions.com to request the most recent version. Please report any errors or feedback on this document by sending an e-mail to support@netdimensions.com.

Copyright Information

Copyright 2000-2004 by NetDimensions Ltd. All Rights Reserved. Information in this document is subject to change without notice. The software described herein is furnished under a license agreement, and it may be copied only in accordance with the terms of that agreement. No part of this publication may be reproduced, transmitted, or translated in any form or by any means without the prior written permission of NetDimensions Ltd. All company and product names used herein may be trademarks or registered trademarks of their respective companies unless stated otherwise.

How to Contact NetDimensions

Support: +852 2122 4588, 1 866 206 6698 (US toll-free number), +852 2122 4588, support@netdimensions.com, www.netdimensions.com/support
General Enquiries: +852 2122 4500, +852 2122 4588, info@netdimensions.com, www.netdimensions.com

Table of Contents

Introduction
Configure Active Directory
Configure EKP
Troubleshooting LDAP Authentication
Additional Resources
    Lightweight Directory Access Protocol Version 3
    Open Group and the Directory Interoperability Forum
    Miscellaneous

Introduction

This document describes the steps required to configure EKP to use Active Directory (AD) for user authentication. The AD service in Windows 2000 Server and Windows Server 2003 provides native LDAP support, which lets other applications use the directory through the LDAP interface. EKP has a built-in login adapter that integrates with AD to authenticate user logins.

Note: The following example is based on a Windows 2003 environment.

Configure Active Directory

A new user has to be created for EKP to perform the initial bind to the directory service, so that EKP is authorized to search the directory.

1. Go to Administrative Tools > Active Directory Users and Computers. Create a new user named ekp by selecting Action > New > User and entering the name of the user.

2. Enter a password for the user, set the options as shown in the following diagram, and click Next.

3. If the user is created successfully, click Finish to continue.

Configure EKP

1. Enable the LDAP interface in EKP by editing ekp.properties, which is located in the <webapps>/ekp/web-inf/conf folder. See the following example (the original text spelled the port keys ldap_post; the key used elsewhere in this guide is ldap_port):

    default.ldap_dir=dc=netdimensions,dc=local
    default.ldap_host1=win2003-svr
    default.ldap_port1=389
    default.ldap_host2=win2003-svr
    default.ldap_port2=389
    default.ldap_host3=win2003-svr
    default.ldap_port3=389
    default.ldap_timeout=300

The above example defines the AD (LDAP) server win2003-svr with the domain name netdimensions.local. ldap_dir defines the distinguished name of the node in the AD that EKP connects to, i.e. the search base. ldap_host2 and ldap_host3 define backup AD servers. EKP is able to use multiple authentication servers in a daisy-chain fashion: if the first server does not respond to an authentication request, the second is tried, and so on. If your environment does not use backup AD server(s), use the same host as the primary, as in the above example. ldap_timeout specifies the timeout period in seconds before switching to the next backup AD server.

2. Specify the initial binding user information for the AD. Edit ekp.properties and add the following:

    ldap.activedirectorydn=cn=ekp,cn=users,dc=netdimensions,dc=local
    ldap.activedirectorypassword=ekp_password

ldap.activedirectorydn specifies the name of the user for the initial EKP bind to the AD, so that directory searches can be done later. ldap.activedirectorypassword specifies the password of that user.

Note: ekp is the name of the user created in the previous section and ekp_password is the password of user ekp.

3. Configure the users to use external authentication. Log on to EKP as administrator and go to Manage > User Manager > User Editor. Set External Authentication to Yes for users who should use AD authentication.

Note: To do the above, the users have to be loaded into EKP beforehand, and the EKP User ID has to match the user name in the AD. Users with External Authentication set to No use the default internal authentication, which means their password is stored in EKP and at login their userid/password is checked against that entry instead of being authenticated against the AD.

Troubleshooting LDAP Authentication

Configure EKP.PROPERTIES

default.ldap_dir defines the base distinguished name from which the search starts. It must match the domain components specified in the bind DN string.

    default.ldap_dir=dc=netdimensions,dc=com

default.ldap_host# defines the LDAP server. It can be a hostname, IP address or DNS name.

    default.ldap_host1=win2003-svr

would be the server win2003-svr in the domain netdimensions.com, or

    default.ldap_host1=192.168.99.10

ldap.activedirectorydn specifies the name of the user for the initial EKP bind to the AD, so that directory searches can be done later. The DN (Distinguished Name) string is determined by how your LDAP directory is configured. You can use ADSI Edit on your AD servers to view the format of the DN value assigned to the user ekp, and then specify the same parameters.

    ldap.activedirectorydn=cn=ekp,cn=users,dc=netdimensions,dc=com

In larger organizations it could be more complex, with multiple OUs (Organizational Units):

    ldap.activedirectorydn=cn=ekp,ou=it,ou=users,ou=hongkong,dc=hongkong,dc=netdimensions,dc=com

ldap.activedirectorypassword specifies the password of the user.

Note: ekp is the name of the user created in the previous section and ekp_password is the password of user ekp.

A complete example:

    default.ldap_dir=dc=hongkong,dc=netdimensions,dc=com
    default.ldap_host1=192.168.99.10
    default.ldap_port1=389
    default.ldap_host2=192.168.99.12
    default.ldap_port2=389
    default.ldap_host3=192.168.69.91
    default.ldap_port3=389
    default.ldap_timeout=300
    # Define the active directory DN and password for initial binding.
    ldap.activedirectorydn=cn=ekp,ou=it,ou=users,ou=hongkong,dc=hongkong,dc=netdimensions,dc=com
    ldap.activedirectorypassword=ekp_password
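The checks described in this section and in Configure EKP can be applied to an ekp.properties file before EKP is restarted. The following Python script is an added example, not code from the NetDimensions guide: it reads the properties file, verifies that default.ldap_dir is a DN made of dc= components whose values match the dc= suffix of ldap.activedirectorydn, flags the ldap_post misspelling of the port keys, and confirms that each of the three daisy-chain slots has a host and a numeric port. The property names are the ones documented above; the function names, the constructed sample file (which deliberately contains a mis-typed key and a search base written as a DNS name) and the TCP reachability helper are the example's own assumptions.

```python
"""Offline checker for the LDAP settings in ekp.properties (added example)."""
import re
import socket
from typing import Dict, List, Optional, Tuple

# Constructed sample with two deliberate defects: the key default.ldap_post1
# (should be ldap_port1) and a base DN written as a DNS name instead of dc= parts.
SAMPLE_PROPERTIES = """\
# LDAP servers used by EKP (constructed sample, not a real deployment)
default.ldap_dir=dc=hongkong.netdimensions.com
default.ldap_host1=192.168.99.10
default.ldap_post1=389
default.ldap_host2=192.168.99.12
default.ldap_port2=389
default.ldap_host3=192.168.69.91
default.ldap_port3=389
default.ldap_timeout=300
ldap.activedirectorydn=cn=ekp,ou=it,ou=users,ou=hongkong,dc=hongkong,dc=netdimensions,dc=com
ldap.activedirectorypassword= ekp_password
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties reader: key=value lines, '#'/'!' comments,
    whitespace around '=' dropped (so '= ekp_password' yields 'ekp_password')."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) pairs; attributes are lower-cased.
    Raises ValueError if any component is not of the form attr=value."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):  # split on commas not escaped by '\'
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed component {part!r} in DN {dn!r}")
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def check_ldap_config(props: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the settings are consistent."""
    findings: List[str] = []
    # Port keys spelled ldap_post instead of ldap_port.
    for key in props:
        if re.fullmatch(r"default\.ldap_post\d", key):
            findings.append(f"{key}: unknown key, did you mean {key.replace('post', 'port')}?")
    # Search base: a DN made only of dc= components, one per DNS label.
    base_rdns: List[Tuple[str, str]] = []
    try:
        base_rdns = parse_dn(props.get("default.ldap_dir", ""))
    except ValueError as exc:
        findings.append(f"default.ldap_dir: {exc}")
    for attr, value in base_rdns:
        if attr != "dc":
            findings.append(f"default.ldap_dir: unexpected {attr}= component, expected only dc=")
        elif "." in value:
            findings.append("default.ldap_dir: dc value contains '.', write one dc= per DNS label")
    # Bind DN: must parse, and its dc= suffix must equal the search base.
    try:
        bind_rdns = parse_dn(props.get("ldap.activedirectorydn", ""))
        bind_dcs = [(a, v.lower()) for a, v in bind_rdns if a == "dc"]
        if base_rdns and bind_dcs != [(a, v.lower()) for a, v in base_rdns]:
            findings.append("ldap.activedirectorydn: dc= components differ from default.ldap_dir")
    except ValueError as exc:
        findings.append(f"ldap.activedirectorydn: {exc}")
    # Each of the three daisy-chain slots needs a host and a numeric port.
    for n in (1, 2, 3):
        if not props.get(f"default.ldap_host{n}"):
            findings.append(f"default.ldap_host{n}: missing")
        if not props.get(f"default.ldap_port{n}", "").isdigit():
            findings.append(f"default.ldap_port{n}: missing or not numeric")
    if not props.get("default.ldap_timeout", "").isdigit():
        findings.append("default.ldap_timeout: missing or not numeric")
    if not props.get("ldap.activedirectorypassword"):
        findings.append("ldap.activedirectorypassword: empty")
    return findings


def first_reachable_server(props: Dict[str, str], timeout: float = 3.0) -> Optional[Tuple[str, int]]:
    """Walk host1..host3 in the order EKP tries them and return the first (host, port)
    that accepts a TCP connection, or None. Equivalent to the guide's 'telnet host 389'
    check: it only opens the socket, it does not bind or search."""
    for n in (1, 2, 3):
        host = props.get(f"default.ldap_host{n}")
        port = props.get(f"default.ldap_port{n}", "")
        if not host or not port.isdigit():
            continue
        try:
            with socket.create_connection((host, int(port)), timeout=timeout):
                return host, int(port)
        except OSError:
            continue
    return None


if __name__ == "__main__":
    for finding in check_ldap_config(parse_properties(SAMPLE_PROPERTIES)):
        print("FINDING:", finding)
```

Run it against the sample and it reports the mis-typed key, the missing ldap_port1, the dotted dc value and the mismatch between the search base and the bind DN; a properties file written as in the complete example above produces no findings.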

Using LDAP Tools To Query Your LDAP Servers

Ensure you are able to connect to your LDAP servers on the specified port by telnetting to it:

    telnet 192.168.99.10 389

This should open a connection. If it does not, it is likely that a firewall is preventing you from doing so. Add a rule between your server and the LDAP server for that port and try again.

You can verify that your LDAP parameters are correct by using LDAP tools to query your LDAP servers with your parameters and password, for example ldp.exe (see http://www.computerperformance.co.uk/w2k3/utilities/ldp.htm). Install it on your EKP server and use your parameters to check that you can communicate with your listed LDAP servers. In the sample below, LDP.EXE connects to "192.168.99.10", 389 and binds as user ekp with password ekp_password and DN=CN=ekp,OU=IT,OU=Users,OU=HongKong,DC=hongkong,DC=netdimensions,DC=com.

Sample output of a successful query and binding of user ekp to "192.168.99.10", 389:

    ld = ldap_open("192.168.99.10", 389);
    Established connection to 192.168.99.10.
    Retrieving base DSA information...
    Result <0>: (null)
    Matched DNs:
    Getting 1 entries:
    >> Dn:
    1> currenttime: 08/12/2009 11:50:21 Central Standard Time Central Daylight Time;
    1> subschemasubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=netdimensions,DC=com;
    1> dsservicename: CN=NTDS Settings,CN=NTDCHONGKONG1,CN=Servers,CN=HongKong,CN=Sites,CN=Configuration,DC=netdimensions,dc=com;
    3> namingcontexts: CN=Configuration,DC=netdimensions,DC=com; CN=Schema,CN=Configuration,DC=netdimensions,DC=com; DC=hongkong,DC=netdimensions,DC=com;
    23> supportedcontrol...
    2> supportedldapversion: 3; 2;
    12> supportedldappolicies: MaxPoolThreads; MaxDatagramRecv; MaxReceiveBuffer; InitRecvTimeout; MaxConnections; MaxConnIdleTime; MaxPageSize; MaxQueryDuration; MaxTempTableSize; MaxResultSetSize; MaxNotificationPerConn; MaxValRange;
    1> dnshostname: ntdchongkong1.hongkong.netdimensions.com;
    1> ldapservicename: netdimensions.com:ntdchongkong1$@hongkong.netdimensions.com;
    1> servername: CN=NTDCHONGKONG1,CN=Servers,CN=HongKong,CN=Sites,CN=Configuration,DC=netdimensions,dc=com;
    3> supportedcapabilities: 1.2.840.113556.1.4.800; 1.2.840.113556.1.4.1670; 1.2.840.113556.1.4.1791;
    1> issynchronized: TRUE;
    1> isglobalcatalogready: TRUE;
    1> domainfunctionality: 0 = ( DS_BEHAVIOR_WIN2000 );
    1> forestfunctionality: 0 = ( DS_BEHAVIOR_WIN2000 );
    1> domaincontrollerfunctionality: 2 = ( DS_BEHAVIOR_WIN2003 );
    -----------
    res = ldap_bind_s(ld, NULL, &NtAuthIdentity, 1158); // v.3
    {NtAuthIdentity: User='ekp'; Pwd= <unavailable>; domain = 'DN=CN=ekp,OU=IT,OU=Users,OU=HongKong,DC=hongkong,DC=netdimensions,DC=com'.}
    Authenticated as dn:'ekp'.

This confirms that the parameters for that particular LDAP server, 192.168.99.10, will work; you can do the same test for each of your LDAP servers.

If the query to the LDAP servers fails, check your parameters and check that your firewall allows communication on the specified ports. LDP.EXE returns the same Error <0x51>: Fail to connect message whether you query the wrong server or the wrong port:

    ld = ldap_open("192.168.99.99", 389);
    Error <0x51>: Fail to connect to 192.168.99.99.

    ld = ldap_open("192.168.99.10", 355);
    Error <0x51>: Fail to connect to 192.168.99.10.

If you get the initial LDAP query info but then Error <49>: ldap_bind_s() failed: Invalid Credentials, it means the LDAP server parameters were correct but the bind with that user and/or password failed:

    res = ldap_simple_bind_s(ld, 'ekp', <unavailable>); // v.3
    Authenticated as dn:'ekp'.
    res = ldap_bind_s(ld, NULL, &NtAuthIdentity, 1158); // v.3
    {NtAuthIdentity: User='ekp'; Pwd= <unavailable>; domain = 'DN=CN=ekp,OU=IT,OU=Users,OU=HongKong,DC=HongKong,DC=netdimensions,DC=com'.}
    Error <49>: ldap_bind_s() failed: Invalid Credentials.
    Server error: 8009030C: LdapErr: DSID-0C09043E, comment: AcceptSecurityContext error, data 0, vece

Once you have verified your LDAP connection and parameters with a successful authentication using LDAP tools, you can proceed to attempt a login on your EKP server.

On the EKP site, log in as user ekp and check ekp.log for any errors. You should have EKP set up in debug mode.

Sample EKP.LOG - user ekp logs in after successful authentication with the LDAP server:

    Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.connect): Connecting to LDAP server at 192.168.99.10:389
    Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.connect): Connected OK
    Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.authenticate): Authenticating to LDAP server as: 'CN=ekp,OU=IT,OU=Users,OU=HongKong,DC=HongKong,DC=netdimensions,DC=com'; password: '*********'
    Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.authenticate): Authenticated OK
    Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.authenticate): about to search Active Directory server for user: 'ekp'
    Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.authenticate): base: 'dc=hongkong,dc=netdimensions,dc=com'
    Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.authenticate): filter: '(&(|(objectclass=user)(objectclass=person))(|(cn=ekp)(samaccountname=ekp)))'
    Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.authenticate): Search returned normally with 2 results
    Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.authenticate): results.hasMoreElements: true
    Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.authenticateEntry): LDAP DN(basic): CN=ekp,OU=IT,OU=Users,OU=HongKong,DC=HongKong,DC=netdimensions,DC=com
    Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.connect): Connecting to LDAP server at 192.168.99.10:389
    Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.connect): Connected OK
    2009/Aug/12 23:04:42 Severity(DEBUG) Source(com.netdimen.jdbc.core.JdbcTemplate.logSql): executing sql [SELECT * FROM userstats WHERE userid =?] for arguments ('ekp')
    2009/Aug/12 23:04:42 Severity(DEBUG) Source(com.netdimen.jdbc.core.JdbcTemplate.logSql): executing sql [SELECT COUNT(*) FROM messages WHERE readindicator = 'N' AND userid =?] for arguments ('ekp')

EKP.LOG showing LDAP authentication failed (use LDAP tools to verify your parameters):

    2009/Aug/12 09:23:16 Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.connect): Connecting to LDAP server at 192.168.99.10:389
    2009/Aug/12 09:23:16 Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.connect): Connected OK
    2009/Aug/12 09:23:16 Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.authenticate): Authenticating to LDAP server as: 'CN=ekp,OU=IT,OU=Users,OU=HongKong,DC=HongKong,DC=netdimensions,DC=com'; password: '*********'
    2009/Aug/12 09:23:17 Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.authenticate): Authenticated OK
    2009/Aug/12 09:23:17 Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.authenticate): about to search Active Directory server for user: 'ekp'
    2009/Aug/12 09:23:17 Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.authenticate): base: 'dc=hongkong.netdimensions.com'
    2009/Aug/12 09:23:17 Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.authenticate): filter: '(&(|(objectclass=user)(objectclass=person))(|(cn=ekp)(samaccountname=ekp)))'
    2009/Aug/12 09:23:17 Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.authenticate): Search returned normally with 1 results
    2009/Aug/12 09:23:17 Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.authenticate): results.hasMoreElements: true
    2009/Aug/12 09:23:17 Severity(DEBUG) Source(com.netdimen.auth.login.LDAPLoginAdapter.authenticate): LDAP server 1 authentication failed
    com.netdimen.auth.login.GeneralAuthenticationException
        at com.netdimen.ldap.LdapServer.authenticate(LdapServer.java:255)
        at com.netdimen.auth.login.LDAPLoginAdapter.authenticate(LDAPLoginAdapter.java:50)
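The two ekp.log excerpts above, and the ldp.exe error lines from the previous section, follow a fixed sequence (connect, service-account bind, search base, search result count, per-server verdict), so they can be triaged mechanically. The following Python script is an added example, not code from the NetDimensions guide: it walks the adapter's debug messages, records what each stage reported, and turns that into findings that point back at the ekp.properties keys described in this guide; a second function decodes the Error <0x51> and Error <49> lines that ldp.exe prints. The sample log text is the guide's own two excerpts with timestamps dropped; the log message patterns, the function names and the small table of AD AcceptSecurityContext sub-codes (general AD knowledge, not from this guide) are the example's own assumptions.

```python
"""Triage of EKP LDAP debug log lines and ldp.exe errors (added example)."""
import re
from typing import Dict, List, Optional

# Sample input: the two ekp.log excerpts from this guide, timestamps dropped.
SUCCESS_LOG = """\
Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.connect): Connecting to LDAP server at 192.168.99.10:389
Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.connect): Connected OK
Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.authenticate): Authenticating to LDAP server as: 'CN=ekp,OU=IT,OU=Users,OU=HongKong,DC=HongKong,DC=netdimensions,DC=com'; password: '*********'
Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.authenticate): Authenticated OK
Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.authenticate): about to search Active Directory server for user: 'ekp'
Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.authenticate): base: 'dc=hongkong,dc=netdimensions,dc=com'
Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.authenticate): Search returned normally with 2 results
Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.authenticateEntry): LDAP DN(basic): CN=ekp,OU=IT,OU=Users,OU=HongKong,DC=HongKong,DC=netdimensions,DC=com
"""

FAILURE_LOG = """\
Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.connect): Connecting to LDAP server at 192.168.99.10:389
Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.connect): Connected OK
Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.authenticate): Authenticating to LDAP server as: 'CN=ekp,OU=IT,OU=Users,OU=HongKong,DC=HongKong,DC=netdimensions,DC=com'; password: '*********'
Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.authenticate): Authenticated OK
Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.authenticate): about to search Active Directory server for user: 'ekp'
Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.authenticate): base: 'dc=hongkong.netdimensions.com'
Severity(DEBUG) Source(com.netdimen.ldap.LdapServer.authenticate): Search returned normally with 1 results
Severity(DEBUG) Source(com.netdimen.auth.login.LDAPLoginAdapter.authenticate): LDAP server 1 authentication failed
"""

LOG_MSG = re.compile(r"Source\((?P<src>[\w.]+)\): (?P<msg>.*)$")
BASE_DN = re.compile(r"dc=[^,.=]+(,dc=[^,.=]+)*", re.IGNORECASE)  # one dc= per label
SEARCH_COUNT = re.compile(r"Search returned normally with (\d+) results")
SERVER_FAILED = re.compile(r"LDAP server (\d+) authentication failed")


def triage_ekp_log(text: str) -> Dict[str, object]:
    """Walk the adapter's debug messages in order and report what each stage showed."""
    state: Dict[str, object] = {"connected": False, "service_bind_ok": False, "base": None,
                                "results": None, "user_dn": None, "failed_server": None}
    for line in text.splitlines():
        m = LOG_MSG.search(line)
        if not m:
            continue
        msg = m.group("msg").strip()
        if msg == "Connected OK":
            state["connected"] = True
        elif msg == "Authenticated OK":          # bind as ldap.activedirectorydn succeeded
            state["service_bind_ok"] = True
        elif msg.startswith("base: "):
            state["base"] = msg[len("base: "):].strip("'")
        elif msg.startswith("LDAP DN(basic): "):
            state["user_dn"] = msg[len("LDAP DN(basic): "):]
        elif SEARCH_COUNT.match(msg):
            state["results"] = int(SEARCH_COUNT.match(msg).group(1))
        elif SERVER_FAILED.match(msg):
            state["failed_server"] = int(SERVER_FAILED.match(msg).group(1))
    findings: List[str] = []
    if not state["connected"]:
        findings.append("no 'Connected OK': check default.ldap_host/port and the firewall (ldp.exe shows Error <0x51>)")
    elif not state["service_bind_ok"]:
        findings.append("service account bind failed: check ldap.activedirectorydn and password (ldp.exe shows Error <49>)")
    base = state["base"]
    if isinstance(base, str) and not BASE_DN.fullmatch(base):
        findings.append(f"search base {base!r} is not a dc=...,dc=... DN: fix default.ldap_dir")
    if state["results"] == 0:
        findings.append("no directory entry matched the user: the EKP User ID must equal the AD account name")
    if state["failed_server"] is not None:
        findings.append(f"adapter reported authentication failure on LDAP server {state['failed_server']}: "
                        "re-test the parameters with ldp.exe")
    state["findings"] = findings
    return state


LDAP_RESULT = {81: "server unreachable (wrong host or port, or firewall)",
               49: "invalid credentials (wrong bind DN or password)"}
# Well-known AD sub-codes carried in 'AcceptSecurityContext error, data NNN'
# (general AD knowledge, not listed in the guide).
AD_DATA = {"525": "user not found", "52e": "bad password",
           "533": "account disabled", "775": "account locked out"}


def explain_ldp_error(text: str) -> Optional[Dict[str, object]]:
    """Decode the first 'Error <code>' in a chunk of ldp.exe output; None if there is none."""
    m = re.search(r"Error <(0x[0-9A-Fa-f]+|\d+)>", text)
    if not m:
        return None
    code = int(m.group(1), 0)                      # accepts both 0x51 and 49
    data = re.search(r"\bdata ([0-9a-f]+)\b", text)
    return {"code": code,
            "meaning": LDAP_RESULT.get(code, "unlisted LDAP result code"),
            "ad_detail": AD_DATA.get(data.group(1)) if data else None}


if __name__ == "__main__":
    for name, log in (("success", SUCCESS_LOG), ("failure", FAILURE_LOG)):
        print(name, triage_ekp_log(log)["findings"])
```

On the guide's failing excerpt the triage confirms that the service-account bind itself worked and isolates the malformed search base 'dc=hongkong.netdimensions.com', which is the value to correct in default.ldap_dir before re-testing with ldp.exe.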

Additional Resources

See the following resources for further information:

Lightweight Directory Access Protocol Version 3

The IETF LDAPv3 Working Group: http://www.ietf.org/html.charters/ldapbis-charter.html
The LDAPv3 Working Group archived newsgroup: http://www.openldap.org/lists/ietf-ldapbis/
RFC 3377, the current definition of LDAPv3: ftp://ftp.rfc-editor.org/in-notes/rfc3377.txt

Open Group and the Directory Interoperability Forum

The Open Group's VSLDAP compliance testing suite overview: http://www.opengroup.org/directory/mats/ldap2000/dsvsldap.pdf
The Directory Interoperability Forum (DIF): http://www.opengroup.org/directory/

Miscellaneous

The Microsoft Active Directory Web site: http://www.microsoft.com/ad
Active Directory Application Mode (ADAM): http://www.microsoft.com/windowsserver2003/adam/default.mspx
Directory Services Markup Language (DSML): http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/dsml.asp
Microsoft Identity Integration Server 2003, Enterprise Edition: http://www.microsoft.com/windowsserver2003/technologies/directory/miis/default.mspx
The Microsoft Windows 2000 inetorgperson Kit: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnactdir/html/inetopkit.asp
LDAP reference for developers on MSDN: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netdir/ldap/ldap_reference.asp
LDAP API reference for developers on MSDN: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wceldap/htm/cmconusingldapapi.asp

For the latest information about Windows Server 2003, see the Windows Server 2003 Web site at http://www.microsoft.com/windowsserver2003.