Versions Compared

Old Version 1

changes.mady.by.user Former user

Saved on

compared with

New Version Current

changes.mady.by.user Former user

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Published by Scroll Versions from space IDS and version 8.2

This chapter gives further guidance on how to configure Active Directory integration to Ubisecure CustomerID.

Preliminary Tasks

Ubilogin Organization

You should first create a root organization in AD for Ubisecure CustomerID data. Traditionally the root organization has been called Ubilogin.

SSL Certificate

The usage of SSL is required when making the LDAP connection from Ubisecure SSO to Active Directory. First the SSL certificate needs to be created for example by using the Microsoft Certificate Authority. Then it needs to be added to both the Ubisecure SSO and Ubisecure CustomerID servers by adding it to the trusted certificates in the Java Runtime Environments.
In Windows the Java certificate storage is by default in the following file:

...

The Active Directory certificate can be added to the Java certificate store using the keytool command. Here are example commands for Windows and Linux installations:

Code Block
languagetext
themeRDark
titleListing 1. Windows
cd %JRE_HOME%\lib\security
set keytool="%JRE_HOME%\bin\keytool"
%keytool% -importcert -keystore cacerts -trustcacerts -alias mytrustedca -file <insert filename here> -storepass changeit
Code Block
languagetext
themeRDark
titleListing 2. Linux
cd $JRE_HOME/lib/security
keytool -importcert -keystore cacerts -trustcacerts -alias mytrustedca -file <insert filename here> -storepass changeit

AD Integration User

A dedicated user should be created in Active Directory that can administer everything under the created Ubilogin organization.

CustomerID Directory

The directory service named CustomerID Directory is used to define the configuration used when establishing connections to Active Directory. Prior to Ubisecure CustomerID version 3.7.0 there was a separate file named ad_jndi.properties in the custom directory for the same purpose but that file is no longer read and should be removed. The directory service is still configured quite similarly as a JNDI properties file is written.

Code Block
languagetextthemeRDark
titleListing 3. Example AD Specific Configuration Strings
java.naming.provider.url = ldaps://ad.example.com/ou=Ubilogin,dc=ad,dc=example,dc=com 
java.naming.security.authentication = simple
java.naming.security.principal = cn=UbiUser,cn=Users,dc=ad,dc=example,dc=com 
java.naming.security.credentials = secret 
java.naming.security.protocol = ssl
java.naming.ldap.attributes.binary = objectGUID
policy.password.protocol = ActiveDirectoryDs
com.ubisecure.util.ldap.server.list = ldaps://server1/ ldaps://server2/ 
com.ubisecure.util.ldap.failover.type = single-master

...

Ubisecure supports also other options related to LDAP client-side failover with replicated directories. Please refer to pages Installation - SSO Installation and Upgrade - SSO Upgrade for further instructions about enabling client-side failover.

eidm2.properties

There are some properties in the eidm2.properties file that are either crucial or extremely relevant for Active Directory integration. They are: 

Code Block
languagetextthemeRDark
main.ldap.directory = ad
login.generation = random
login.attribute = sAMAccountName 
group.samaccountname.generation = random

...