LDAP

Setting up LDAP in Exivity

Info: Make sure you have Administrator rights when performing the following steps.

First, go to Administration > Settings > Single sign-on and choose the LDAP tab:

Fill in the required Server and Attributes section parameters, and click on UPDATE.

Server section:

Domain controllers: An array of servers on your network that serve Active Directory. You can list as many or as few servers as your forest requires (at least one). Separate multiple servers with a single space.

Port: Depending on your chosen encryption, use 389 (unencrypted or TLS) or 636 (SSL).

Timeout: The amount of time, in seconds, that the application waits for a response from your LDAP server.

Encryption: Choose your desired encryption; SSL and TLS are supported. If you choose encryption, make sure you read the section Setting up your security certificate.

Attributes section:

Base DN: The base distinguished name under which query operations are performed. (optional)

Account prefix: The prefix of your user accounts in the LDAP directory. This string is prepended to the usernames of all authenticating users. (optional)

Account suffix: The suffix of your user accounts in your LDAP directory. This string is appended to the usernames of all authenticating users. (optional)

Default user group: When a new user logs in using LDAP, the user is created in this user group. (recommended)

Finally, go to the System tab and, in the Core section, set the Single Sign-On parameter to Local and LDAP Authentication, then click on UPDATE.

(Screenshot: Setting SSO to LDAP)

Exivity is now configured to log in users using LDAP authentication.

Setting up your security certificate

Info: This section only needs to be performed if you have chosen SSL or TLS encryption to authenticate with LDAP. These steps are carried out on the Exivity server.

If you don't have a certificate in .pem format, you can convert your current certificate with the OpenSSL tool.

Once you have your .pem certificate stored on the server's hard drive, take a note of its path and create a system environment variable named LDAPTLS_CACERT. The value of this environment variable is the full path of the certificate file.

Finally, restart the Exivity Web Service.

(Screenshot: Restarting the Exivity Web Service in Task Manager)

Troubleshooting Active Directory LDAP SSL connection issues

When integrating LDAP with Active Directory, it's common to encounter certificate issues due to Active Directory's unique implementation. According to the X.509 specification, a certificate's Subject Name (DN, or Distinguished Name) can be empty if there is an accompanying subjectAltName extension marked as critical. However, the verification process demands that the certificate chain concludes with a trusted certificate that has a non-empty subject, typically a root certificate.

Active Directory often uses certificates with empty subjects, which are handled seamlessly by Windows through a proprietary resolution mechanism that searches up the certificate chain for a trusted root certificate. This mechanism, however, is not supported by open-source LDAP APIs, which rely on standard verification processes.

To ensure compatibility with standard clients, it is essential that Active Directory provides a complete certificate chain, including all intermediate certificates up to a root certificate with a non-empty subject. These certificates should be combined into a single file. The environment variable LDAPTLS_CACERT should then be set to point to this file.

For verification purposes, you can use the OpenSSL command-line tool to confirm the validity of the certificate setup. Execute the following command:

openssl s_client -connect my.activedirectory.local:636 -CAfile cert.pem

This command tests the connection to your Active Directory server over port 636 using the specified CA certificate file. If there are issues with the certificate chain, OpenSSL returns an error such as "Verify return code: 21 (unable to verify the first certificate)", indicating that the certificate chain is invalid or incomplete.
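As an added example (not part of Exivity's documentation or product), the following POSIX shell script inspects the bundle that LDAPTLS_CACERT points to, checking that it ends in a self-signed root with a non-empty subject, and can optionally run the same openssl s_client check against the server. It assumes openssl is installed and takes the bundle path and, optionally, a host:port as arguments.

```shell
#!/bin/sh
# Added example, not Exivity's own code. Assumes the openssl CLI is installed.

# Print the requested field (subject or issuer) of the N-th certificate
# (1-based) in a PEM bundle, with the "subject=" / "issuer=" prefix removed.
cert_field() {  # bundle index field
    awk -v n="$2" '/-----BEGIN CERTIFICATE-----/{c++} c==n' "$1" \
        | openssl x509 -noout -"$3" 2>/dev/null \
        | sed "s/^$3= *//"
}

# Number of PEM certificates in the bundle.
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Return 0 if the bundle is usable by a standard LDAP client: at least one
# certificate, and the last one is a root (issuer equals subject) with a
# non-empty subject. Empty subjects earlier in the chain are only reported,
# because Active Directory commonly issues those.
check_bundle() {
    bundle="$1"
    n=$(cert_count "$bundle")
    [ "$n" -gt 0 ] || { echo "no certificates in $bundle"; return 1; }
    i=1
    while [ "$i" -le "$n" ]; do
        subj=$(cert_field "$bundle" "$i" subject)
        iss=$(cert_field "$bundle" "$i" issuer)
        echo "cert $i: subject='$subj' issuer='$iss'"
        [ -n "$subj" ] || echo "cert $i has an empty subject"
        i=$((i + 1))
    done
    # $subj and $iss now hold the fields of the last certificate.
    [ -n "$subj" ] || { echo "last certificate has an empty subject"; return 1; }
    [ "$subj" = "$iss" ] || { echo "chain does not end in a self-signed root"; return 1; }
    return 0
}

# Optional live check, equivalent to the openssl s_client command above:
# succeeds only when OpenSSL verifies the server chain against the bundle.
check_server() {  # bundle host:port
    openssl s_client -connect "$2" -CAfile "$1" -verify_return_error \
        </dev/null 2>/dev/null | grep -q 'Verify return code: 0 (ok)'
}

if [ -n "$1" ]; then
    check_bundle "$1" || exit 1
    [ -z "$2" ] || check_server "$1" "$2" || { echo "server verification failed"; exit 1; }
fi
```

Run it as `sh check_ldaptls.sh "$LDAPTLS_CACERT" my.activedirectory.local:636` (hypothetical file name); the bundle check needs no network, the server check does.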

By ensuring the certificate chain is complete and properly configured, you should be able to resolve connectivity issues with LDAP clients interfacing with Active Directory.