Basic LDAP integration - Preliminary tasks
SSL Certificate
If an LDAPS connection is used when connecting to the selected external directory, an SSL certificate is required. First the certificate needs to be created, for example by using the Microsoft Certificate Authority. Then it needs to be transferred to the Ubisecure server and added to the trusted certificates of the Java Runtime Environment. Note that Ubisecure SSO Server bundles its own Java runtime, and the certificate must be added to that runtime's trust store rather than to any other Java installation on the host.
In Windows the Java certificate storage that Ubisecure SSO Server uses is by default in the following file:
C:\Program Files\Ubisecure\ubilogin-sso\java\lib\security\cacerts
The certificate can be added to the Java certificate store using the keytool command. Here are example commands for Windows and Linux installations:
Windows:
cd /d "C:\Program Files\Ubisecure\ubilogin-sso\"
setenv.cmd
cd %JRE_HOME%\lib\security
cd /d %JAVA_HOME%\jre\lib\security
keytool -importcert -keystore cacerts -trustcacerts -alias mytrustedca -file <insert filename here> -storepass changeit
Linux:
cd /usr/local/ubisecure/ubilogin-sso/
. setenv.sh
cd $JAVAJRE_HOME/jre/lib/security
keytool -importcert -keystore cacerts -trustcacerts -alias mytrustedca -file <insert filename here> -storepass changeit
If a plain LDAP connection is used when connecting to the selected external directory, an SSL certificate is not required and this step can be skipped.
Setting up a user account in Active Directory or LDAP
In-depth Active Directory administration is not within the scope of this document. Please refer to the Microsoft Knowledge Base for specific information.
In this example, the following operations have been performed:
- The user Ubilogin was created within the standard Users container of Active Directory.
- The user was made a member of the group Domain Guests, which is a built-in group of Active Directory.
- All other memberships were removed from the user.
A similar procedure is required when LDAP is used as the external directory.
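The Active Directory steps listed above, carried out with the ActiveDirectory PowerShell module, as an added example that is not part of the Ubisecure documentation. It assumes the module is installed, a placeholder domain of example.com, and the user name Ubilogin from this page; because a user's primary group (Domain Users by default) cannot be removed with Remove-ADGroupMember, the script first makes Domain Guests the primary group before removing the other memberships, and finishes by verifying that Domain Guests is the only group left.

```powershell
# Added example (not from the Ubisecure documentation): create the directory
# bind account described above and leave Domain Guests as its only group.
# Assumptions: ActiveDirectory module present, placeholder domain example.com.
Import-Module ActiveDirectory

$UserName  = 'Ubilogin'
$UsersOu   = 'CN=Users,DC=example,DC=com'   # standard Users container, placeholder domain
$KeepGroup = 'Domain Guests'

# 1. Create the account in the standard Users container.
$password = Read-Host -AsSecureString "Password for $UserName"
New-ADUser -Name $UserName -SamAccountName $UserName -Path $UsersOu `
    -AccountPassword $password -Enabled $true -PasswordNeverExpires $true `
    -Description 'Ubisecure SSO directory bind account'

# 2. Add the account to the built-in Domain Guests group.
Add-ADGroupMember -Identity $KeepGroup -Members $UserName

# 3. Make Domain Guests the primary group. The primary group (Domain Users by
#    default) cannot be removed with Remove-ADGroupMember, so it is switched
#    first; primaryGroupID stores the RID, the last component of the group SID.
$guestsRid = (Get-ADGroup -Identity $KeepGroup).SID.Value.Split('-')[-1]
Set-ADUser -Identity $UserName -Replace @{ primaryGroupID = [int]$guestsRid }

# 4. Remove every membership other than Domain Guests (Domain Users included).
Get-ADPrincipalGroupMembership -Identity $UserName |
    Where-Object { $_.Name -ne $KeepGroup } |
    ForEach-Object { Remove-ADGroupMember -Identity $_ -Members $UserName -Confirm:$false }

# 5. Verify: Compare-Object prints nothing when the two lists are identical.
$remaining = @((Get-ADPrincipalGroupMembership -Identity $UserName).Name)
if (Compare-Object $remaining @($KeepGroup)) {
    Write-Warning "Unexpected memberships for ${UserName}: $($remaining -join ', ')"
} else {
    Write-Host "$UserName is a member of $KeepGroup only."
}
```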