LDAP (Lightweight Directory Access Protocol) is an application protocol for querying and modifying attributes in directory services such as Active Directory, which supports LDAP.
Active Directory is a database-backed system that provides authentication, directory, policy, and other services in a Windows environment.
This section explains the access and layout information for the directory server that is required to authenticate and authorize users against an LDAP directory server.
Setting up
The basic setup is done in the eStudio application. To set up LDAP security, perform the following actions:
- Open the profile for off-line editing through the Profile Manager using eStudio by clicking on the Profile Manager pane.
- Modify the Implementation property of ACL Manager and Principal Manager to LDAP.
- Configure the Principal Manager as per the desired Directory Server. A sample configuration for Netscape Directory Server is shown in the figure in the section LDAP Provider DN.
- The LDAP-based ACL Manager depends on the Timer Service. Specify the Instance of TimerService.
Figure 1: Instance property under TimerService for LDAPSecurity Realm
- Right-click on the FES/FPS node and select Save from the pop-up menu.
Sample Configuration – ApacheDS1.5.4
Apache Directory Studio is a complete directory tooling platform intended to be used with any LDAP server; however, it is particularly designed for use with ApacheDS. Hence, the steps mentioned here require the installation of Apache Directory Studio.
Setting up the Directory Service
Setting up ApacheDS 1.5.4 involves two steps: starting the ApacheDS server and creating the LDAPConnection.
Starting ApacheDS 1.5.4 Server
The server can be started in two ways:
- From ApacheDS 1.5.4
- From Apache Directory Studio
From Apacheds1.5.4
This method needs ApacheDS 1.5.4 to be installed and configured. Once you have this ready, perform the following actions:
- Stop any running instance of apacheds.
- Take a backup of server.xml.
- Modify server.xml as follows, adding the following line within the <partitions> ... </partitions> tag:
- Run apacheds using the following command:
From Apache Directory Studio
- Log in through Apache Directory Studio.
  - User ID: uid=admin,ou=system (Default)
  - Password: secret (Default)
- To create a new Server Instance, navigate to File > New > LDAPServer.
- In the Servers browser window, double-click on the server created above to open a window titled server.xml.
- Configure the default LDAP port as 10389 under the General category in server.xml.
- Navigate to the Partitions category in server.xml and click 'Add' to add a new partition.
- Set the following partition parameters:
  - ID: fiorano
  - Cache Size: 100
  - Suffix: o=fiorano,c=US
  - Select the options Enable Optimizer and Synchronization on write.
- Save (File > Save) the server configuration.
Creating LDAP Connection
An LDAP Connection is required to bind to an LDAP server and perform the tasks. This section explains how to create a connection to your LDAP directory using Apache Directory Studio.
To create a connection to your LDAP directory, perform the following actions:
- Log in through Apache Directory Studio.
  - User ID: uid=admin,ou=system (Default)
  - Password: secret (Default)
- Import the following LDIF content using Apache Directory Studio (LDAP > New LDIF File).
- Save the file in any local directory.
- Create a new LDAP connection by navigating to File > New > LDAPConnection.
- Enter the details of the running server.
- Right-click on the created connection and navigate to Import > LDIF Import.
- Browse and select the LDIF file created in Step 2.
Once the file is imported, the added entries can be found in the LDAP Browser window under DIT > Root DSE > o=fiorano,c=US.
Re-login through Apache Directory Studio to see the added children.
Setting up the profile to use with ApacheDS1.5.4
Now set up a profile to use with ApacheDS 1.5.4 by performing the following actions:
- Open the profile for off-line editing through the Profile Manager using Studio by clicking on the Profile Manager pane.
- Make sure that all the properties except LdapProviderUrl are reset to their original values.
- In the LDAP Provider URL, the port number has to be 10389 and the IP address has to be that of the server running ApacheDS.
Sample Configuration – Active Directory LDAP
As a directory service, an Active Directory instance consists of a database and the corresponding executable code responsible for servicing requests and maintaining the database. Active Directory uses LDAP versions 2 and 3. This section illustrates the Active Directory LDAP configuration.
Setting up the Directory Service
Setting up Active Directory involves two steps: starting an ADLDS (Active Directory Lightweight Directory Services) instance and creating the LDAPConnection.
Starting ADLDS Instance
Install the Windows update required to run an ADLDS instance and follow the steps below to configure ADLDS startup:
- Create an ADLDS instance by navigating through Run > Active Directory Lightweight Directory Services Setup Wizard. Specify the instance name for ADLDS.
- Configure the LDAP and SSL port numbers and create a new partition "O=Fiorano,C=US".
- Use the Network Service account for starting the instance.
- Import the LDIF files Ms-InetOrgPerson.LDF and Ms-User.LDF, which are necessary. Other .ldf files can also be included if needed.
Once created, you can see the instance with the specified name running in services.msc (CTRL+R).
Creating LDAPConnection
To create the LDAP connection, perform the following actions:
- Open ADSI Edit.
- Right-click ADSI Edit and select Connect to.
- Enter the name of the ADLDS instance under Name.
- Provide the partition name "O=Fiorano,C=US" for Distinguished Name under Connection Point.
- Under Computer, the value will be localhost:389 if the instance is running on the local machine with TCP port 389.
- Finally, click 'OK' to connect to the ADLDS instance.
Creating Admin Credentials to Access LDAP server
After creating the connection, create admin credentials to access the LDAP server by performing the following actions:
- In ADSI Edit, navigate to ADSI Edit > ADLDS instance > "O=Fiorano,C=US"; some default objects will already be created.
- Add an FMQRoot object of type user under "O=Fiorano,C=US".
- Right-click on FMQRoot and reset the password to secret.
- Under CN=Roles,O=Fiorano,C=US, right-click on CN=Administrators > Properties and add the FMQRoot user as a member of CN=Administrators.
- For using LDAP in Fiorano, Active Directory should be preloaded with the Java schema (refer to http://docs.oracle.com/javase/tutorial/jndi/software/content.html#SCHEMA).
- Enable schema permissions for FMQRoot:
  - Open Active Directory Schema.
  - Right-click on Active Directory Schema > Change Active Directory Domain Controller and specify <LDAP Server Ip>:<LDAP Port>.
  - Right-click on Active Directory Schema > Permissions.
  - Give all permissions to Authenticated Users.
- Get the Java file from the link http://docs.oracle.com/javase/tutorial/jndi/software/config/CreateJavaSchema.java.
- Compile and run the Java file with the following command, which will add the required Java schema to the Active Directory instance:
- Add the following objects as container type under O=Fiorano,C=US: FMQServerConfigFiles, FioranoMQUsers, FioranoMQGroups, ACL.
- Now specify the user credentials to access the LDAP server, which can be configured from Fiorano Studio (Figure 4.1).
Sample Configuration – Netscape Directory Server
This directory server is yet another robust, scalable server designed to manage an enterprise-wide directory of users and resources. This section illustrates the Netscape LDAP configuration.
Setting the Name
This name has to be the admin of the LDAP server, since the Initial Context must be started as the admin.
PRINCIPAL = uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot
Setting the password
Enter the password of the admin of the LDAP server to which you want to connect, as shown in the figure below.
Figure 2: iPlanet Console Login Dialog Box
LDAP Initial Context Factory
The Initial Context Factory to be used, corresponding to the directory server.
LdapInitialCtxFactory = com.sun.jndi.ldap.LdapCtxFactory
LDAP Provider URL
This can be set according to the directory server being used.
LdapProviderUrl = ldap://ldapserver:389
LDAP Provider DN
This variable needs to be set to the suffix that you set up while installing the LDAP server, as shown in the figure:
LdapProviderDn = dc=modena, dc=stpn, dc=soft, dc=net
Figure 3: Directory Server Settings
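The profile properties in this section (LdapInitialCtxFactory, LdapProviderUrl, LdapProviderDn), together with the LdapSecurityAuthentication setting that follows, are the same values a JNDI client needs; the ApacheDS connection details from the earlier section (port 10389, uid=admin,ou=system / secret, suffix o=fiorano,c=US) fit the same properties. The program below is an added example, not Fiorano code: it maps the profile property names onto the JNDI environment keys and looks up one user under LdapProviderDn. The property names LdapPrincipal and LdapCredentials, the class name LdapProfileCheck, the host localhost and the sample user jdoe are assumptions made for the example. With simple authentication the bind password crosses the network in clear text over a plain ldap:// URL, so the example can optionally negotiate StartTLS before binding; using an ldaps:// provider URL is the other option.

```java
import java.io.IOException;
import java.util.Hashtable;
import java.util.Map;
import java.util.Properties;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;

/** Added example (not Fiorano code): maps the profile properties onto JNDI and looks up one user. */
public class LdapProfileCheck {

    /** Constructed sample profile using the ApacheDS values from this page; LdapPrincipal and LdapCredentials are assumed names. */
    static Properties apacheDsProfile() {
        Properties p = new Properties();
        p.setProperty("LdapInitialCtxFactory", "com.sun.jndi.ldap.LdapCtxFactory");
        p.setProperty("LdapProviderUrl", "ldap://localhost:10389"); // port configured in server.xml
        p.setProperty("LdapProviderDn", "o=fiorano,c=US");          // partition suffix created earlier
        p.setProperty("LdapSecurityAuthentication", "simple");      // JNDI spells the value "simple"
        p.setProperty("LdapPrincipal", "uid=admin,ou=system");      // ApacheDS default admin
        p.setProperty("LdapCredentials", "secret");                 // ApacheDS default password
        return p;
    }

    /** The three JNDI keys that make the context bind with the profile's admin credentials. */
    static Hashtable<String, Object> bindProperties(Properties profile) {
        Hashtable<String, Object> bind = new Hashtable<>();
        bind.put(Context.SECURITY_AUTHENTICATION, profile.getProperty("LdapSecurityAuthentication"));
        bind.put(Context.SECURITY_PRINCIPAL, profile.getProperty("LdapPrincipal"));
        bind.put(Context.SECURITY_CREDENTIALS, profile.getProperty("LdapCredentials"));
        return bind;
    }

    /** RFC 4515 escaping for a value placed inside a search filter, so a user name cannot alter the filter. */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Binds as the profile principal and returns the DN of the inetOrgPerson with the given uid
     * under LdapProviderDn, or null if there is none. With useStartTls the plain ldap:// connection
     * is upgraded to TLS before the password is sent; without it, simple bind sends the password
     * in clear text unless LdapProviderUrl is an ldaps:// URL.
     */
    static String findUserDn(Properties profile, String uid, boolean useStartTls)
            throws NamingException, IOException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, profile.getProperty("LdapInitialCtxFactory"));
        env.put(Context.PROVIDER_URL, profile.getProperty("LdapProviderUrl"));
        env.put("com.sun.jndi.ldap.connect.timeout", "5000"); // fail fast if the server is unreachable
        env.put("com.sun.jndi.ldap.read.timeout", "10000");
        if (!useStartTls) {
            env.putAll(bindProperties(profile)); // the bind happens on the first operation
        }
        LdapContext ctx = new InitialLdapContext(env, null);
        StartTlsResponse tls = null;
        try {
            if (useStartTls) {
                tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
                tls.negotiate(); // the server certificate is checked against the JVM trust store
                for (Map.Entry<String, Object> e : bindProperties(profile).entrySet()) {
                    ctx.addToEnvironment(e.getKey(), e.getValue()); // bind only once the channel is encrypted
                }
            }
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] {"uid"});
            String filter = "(&(objectClass=inetOrgPerson)(uid=" + escapeFilterValue(uid) + "))";
            NamingEnumeration<SearchResult> results =
                    ctx.search(profile.getProperty("LdapProviderDn"), filter, sc);
            try {
                return results.hasMore() ? results.next().getNameInNamespace() : null;
            } finally {
                results.close();
            }
        } finally {
            if (tls != null) {
                tls.close();
            }
            ctx.close();
        }
    }

    public static void main(String[] args) throws Exception {
        String uid = args.length > 0 ? args[0] : "jdoe"; // "jdoe" is an assumed sample user
        boolean startTls = args.length > 1 && Boolean.parseBoolean(args[1]);
        System.out.println("DN of " + uid + ": " + findUserDn(apacheDsProfile(), uid, startTls));
    }
}
```

Compile with javac and run as `java LdapProfileCheck jdoe` (or `java LdapProfileCheck jdoe true` to require StartTLS) against a running ApacheDS; only the JDK is needed. For the Netscape configuration above, replace the URL, DN and principal with the values from this section. The lookup succeeds only for entries below LdapProviderDn, so the ApacheDS admin entry under ou=system is deliberately not found by it.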
LDAP security authentication
Set this variable to:
LdapSecurityAuthentication = Simple
LDAP User and Group Object classes