LDAP Configuration
Overview
Through its support for the Lightweight Directory Access Protocol (LDAP), Resolve Insights gives the option of integrating your Resolve Insights with Microsoft Active Directory, which can serve as the master repository for storing information about Resolve Insights users. The Resolve Insights LDAP integration consists of two main components:
- Authentication: Users will be authenticated against their Microsoft Active Directory credentials and logged in to Resolve Insights automatically without having to supply a user ID or password. This method of automatic login offers two advantages compared to the non-LDAP login method:
  - It provides increased security, as the user's Resolve Insights user status will be in sync with their Active Directory status.
  - It does not require that users' Active Directory usernames match their Resolve Insights User IDs.
To integrate with LDAP or LDAPS, the client should provide the following information in advance:
- Load Balancer / High Availability: The client should clarify whether Active Directory is configured behind a load balancer or in a high-availability setup. The integration scenario changes depending on the client's answer.
- LDAP certificate: The client should provide the secure LDAP certificate in .cer, .pem or .p7b format. This certificate needs to be imported into the certificate repository of the Insights NCE master server.
- Domain Name: The client's domain name (for example MyDomain.com or clientdomain.net).
- Hostname: IP address or hostname of the Domain Controller server.
- Port: The client should provide the ports used for non-secure and secure LDAP if they use customised ports instead of the defaults. The default port for LDAP is 389 and the default secure LDAP port is 636.
- Distinguished Name (DN): The client should provide the distinguished name (DN) to integrate with LDAP or LDAPS. Usually the Active Directory administrator knows the DN; otherwise they can obtain it by accessing the Active Directory server. The client can also refer to the link below, which explains how to get the DN from the Active Directory server.
Let's take the example of user "John Smith" from the Sales department. His Organizational Unit (OU) is Sales, and the Sales OU is under the mydomain.com domain. In this case the DN is:
OU=Sales, DC=mydomain, DC=COM
If the user is not in an Organizational Unit, the DN is:
DC=mydomain, DC=COM
- UserDn: The client needs to provide a service account to connect to and crawl LDAP/LDAPS accounts. The account must use single-factor authentication (a 2FA account is not compatible with Insights). The DN for the service account is:
CN=John.Smith, OU=Sales, DC=mydomain, DC=COM
- Password: The client should provide the password for the given UserDn.
How to Import Secure LDAP Certificate in Insights NCE Server
Two scenarios need to be considered:
- NCE master and workers without a load balancer.
- NCE master and workers with a load balancer.
If the NCE servers are not behind a load balancer, import the certificate only on the NCE master.
If the NCE servers are behind a load balancer, import the certificate on the NCE master and on the NCE workers.
If the client is using secure LDAP, carry out the following steps to import the certificate on the Insights NCE server.
Collect the LDAP certificate from the client in .cer, .pem or .p7b format and copy it into the /opt/FS/ folder on the Insights NCE master server.
Log in to the Insights NCE master server with SSH.
Use the following command to import the certificate into the Java certificate store.
Syntax:
<Keytool Path>/keytool -keystore <certificate store path>/<certificate store name> -import -alias certificate -file <certificate file path>/<certificate filename>
Command:
/usr/lib/jvm/java/bin/keytool -keystore /usr/lib/jvm/java/lib/security/cacerts -import -alias certificate -file /opt/FS/training.cer
Keytool will ask for the keystore password (the default password for the keystore is "changeit").
Keytool will then display the details of the certificate and prompt for confirmation. Enter "y" to import the certificate.
Note that keytool refuses to import a certificate under an alias that already exists in the keystore, so when more than one certificate is imported (for example for several domains), give each one a distinct alias.
To verify that the certificate was imported properly, use the following command.
Syntax:
<keytool path>/keytool -list -v -keystore <keystore path>/<certificate store> -storepass changeit | grep -i <search string>
Command:
/usr/lib/jvm/java/bin/keytool -list -v -keystore /usr/lib/jvm/java/lib/security/cacerts -storepass changeit | grep -i mydomain
The above command lists the certificate details that mention the domain for which the certificate was imported.
In some cases you need to find the Java home and the Java version. Use the following commands.
To find the installed Java instances:
alternatives --config java
To find the Java version:
java -version
To set JAVA_HOME and the other variables:
Syntax:
export JAVA_HOME=/usr/lib/jvm/<openjdk_path>/
Example:
export JAVA_HOME=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.242.b08-0.el7_7.x86_64/
Syntax:
export JRE_HOME=/usr/lib/jvm/<openjdk_path>/jre/
Example:
export JRE_HOME=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.242.b08-0.el7_7.x86_64/jre/
Syntax:
export PATH=$PATH:/usr/lib/jvm/<openjdk_path>/bin:/usr/lib/jvm/<openjdk_path>/jre/bin/
Example:
export PATH=$PATH:/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.242.b08-0.el7_7.x86_64/bin:/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.242.b08-0.el7_7.x86_64/jre/bin/
Configuring LDAP/Secure LDAP on Insights
You can create multiple records that store the connection settings of different LDAP services. Both LDAP and secure LDAP (LDAPS) are supported.
You can have multiple active records at the same time as long as they point to different LDAP servers. Every attempt to create a new record for the same domain will overwrite the existing record.
You can have as many inactive records as you like. If you don't want Insights to connect to a particular LDAP service, ensure that its record is inactive.
- Navigate to Settings > LDAP Configuration. The LDAP Configuration page is displayed.
- Fill in the form as follows:
  - In Domain name, enter the LDAP server's domain name.
  - In Hostname, enter the IP address or hostname of the Domain Controller.
  - In Port, enter the port number used for non-secure or secure LDAP. The default LDAP port is 389 and the default secure LDAP port is 636.
  - In Distinguished Name, enter the Distinguished Name (DN) of an OU on the LDAP server.
  - (Optional) In UserDn, enter a service account to use to connect to the LDAP server and crawl LDAP accounts.
  - (Optional) In Password, enter the password for the UserDn.
  - Check Secure LDAP if the integration is with an LDAPS service.
  - Uncheck Active if you want to keep the LDAP configuration stored but inactive. Inactive means that Insights will not attempt to connect to the configured LDAP service.
- Click Submit to save the settings. Insights only saves the settings if it can connect to the LDAP service successfully.
- To modify an LDAP configuration, click the edit icon in the row of the configuration that you wish to modify and update the fields in the form.
- To delete an LDAP configuration, click the trash bin icon in the row of the configuration that you wish to delete. To delete multiple LDAP configurations, check the boxes in the rows of the configurations you wish to delete and click Delete Record.
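The DN convention from the prerequisites (OU and DC components derived from the domain, a CN for the service account) and the form rules above (default port per mode, Secure LDAP flag, UserDn with Password) can be checked offline before clicking Submit. The following is an added example, not product code: LdapRecord, its field names and validate() are hypothetical and only model what this page states.

```python
from dataclasses import dataclass
from typing import Optional

DEFAULT_PORT = {False: 389, True: 636}   # plain LDAP / LDAPS, as stated on the page


def domain_to_dc(domain: str) -> str:
    """'mydomain.com' -> 'DC=mydomain,DC=com', the DN suffix rule the page describes."""
    labels = [p for p in domain.strip().lower().split(".") if p]
    if len(labels) < 2:
        raise ValueError(f"not a fully qualified domain name: {domain!r}")
    return ",".join(f"DC={p}" for p in labels)


def parse_dn(dn: str) -> list:
    """Split 'CN=John.Smith, OU=Sales, DC=mydomain, DC=COM' into (type, value) pairs.
    Assumes no escaped commas inside values, which holds for the DNs on this page."""
    pairs = []
    for rdn in dn.split(","):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN {rdn.strip()!r} in {dn!r}")
        typ, val = rdn.split("=", 1)
        pairs.append((typ.strip().upper(), val.strip()))
    return pairs


@dataclass
class LdapRecord:                      # hypothetical model of one form row
    domain: str
    dn: str
    secure: bool = False
    port: Optional[int] = None         # None -> default port for the chosen mode
    user_dn: Optional[str] = None
    password: Optional[str] = None


def validate(rec: LdapRecord) -> list:
    """Return the inconsistencies a Submit would fail on; an empty list means it looks sound."""
    problems = []
    port = DEFAULT_PORT[rec.secure] if rec.port is None else rec.port
    if port == DEFAULT_PORT[not rec.secure]:   # 636 without Secure LDAP, or 389 with it
        problems.append(f"port {port} does not match Secure LDAP={rec.secure}")
    try:
        dc_suffix = ",".join(f"DC={v.lower()}" for t, v in parse_dn(rec.dn) if t == "DC")
        if dc_suffix != domain_to_dc(rec.domain):
            problems.append("Distinguished Name DC components do not match Domain name")
        if rec.user_dn and parse_dn(rec.user_dn)[0][0] != "CN":
            problems.append("UserDn must name an account (its first RDN should be CN=)")
    except ValueError as exc:
        problems.append(str(exc))
    if bool(rec.user_dn) != bool(rec.password):
        problems.append("UserDn and Password must be supplied together")
    return problems
```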
Troubleshooting
Invalid LDAP configuration after clicking the "Submit" button.
Error statement: "Invalid LDAP configuration. Please try again with valid configuration details. <domain name>"
Troubleshooting steps:
- Credential check: Contact the client's domain administrator and reconfirm the access.
- Check that the service account provided does not have 2FA (two-factor authentication) enabled.
- Check that the ports for LDAP (TCP 389) and secure LDAP (TCP 636) are open between the NCE server and the LDAP server.
LDAP server (non-secure): Try to telnet from the NCE server to the LDAP server on port 389 as shown below:
Command Syntax:
telnet <LDAP server hostname / IP address> <port>
Command:
telnet training-dc 389
LDAP server (secure): Try to telnet from the NCE server to the LDAP server on port 636 as shown below:
Command Syntax:
telnet <LDAP server hostname / IP address> <port>
Command:
telnet training-dc 636
- Restart the REST service on the NCE master server if the ports are already open between the NCE server and the LDAP server.
Syntax:
service <service name> <option>
Command:
service meridian-rest-service stop
service meridian-rest-service start
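The telnet test above only proves that the TCP port is open; on port 636 a wrong or untrusted certificate still produces the "Invalid LDAP configuration" error. The following added example (not product code) repeats the reachability check from Python and, for LDAPS, also completes a TLS handshake, verifying the server certificate against a PEM CA file such as the client's LDAP certificate, or the system trust store when none is given; check_ldap_endpoint and its arguments are assumptions of this example.

```python
import socket
import ssl
import sys
from typing import Optional


def check_ldap_endpoint(host: str, port: int, secure: bool,
                        cafile: Optional[str] = None, timeout: float = 5.0) -> dict:
    """TCP-connect like the telnet test and, for LDAPS, complete a verified TLS handshake.
    Returns {'tcp': bool, 'tls': bool or None, 'peer': str or None, 'error': str or None}."""
    result = {"tcp": False, "tls": None, "peer": None, "error": None}
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:                       # the same failure telnet would report
        result["error"] = f"tcp connect to {host}:{port} failed: {exc}"
        return result
    result["tcp"] = True
    if not secure:
        sock.close()
        return result
    # Validate the server certificate against cafile (for example a PEM copy of the
    # client's LDAP certificate) or, when cafile is None, the operating system trust store.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:   # handshake happens here
            result["tls"] = True
            result["peer"] = str(tls.getpeercert().get("subject"))
    except OSError as exc:                       # ssl.SSLError is a subclass of OSError
        result["tls"] = False
        result["error"] = f"tls handshake with {host}:{port} failed: {exc}"
    return result


def main(argv: list) -> int:
    """Usage: python ldap_check.py <host> <port> [cafile]; port 636 implies LDAPS."""
    host, port = argv[1], int(argv[2])
    cafile = argv[3] if len(argv) > 3 else None
    res = check_ldap_endpoint(host, port, port == 636, cafile)
    print(res)
    return 0 if res["tcp"] and res["tls"] is not False else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit with a "tls handshake" error while "tcp" is True points at the certificate import rather than at the firewall.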