Basic LDAP integration - Preliminary tasks

SSL Certificate

If an LDAPS connection is used when connecting to the selected external directory then an SSL certificate is required. First the SSL certificate needs to be created for example by using the Microsoft Certificate Authority. Then it needs to be transferred to the Ubisecure server and added to the trusted certificates in the Java Runtime Environment. Note that Ubisecure SSO Server includes its own Java implementation and that is where the certificate needs to be added.

In Windows the Java certificate storage that Ubisecure SSO Server uses is by default in the following file:

  • C:\Program Files\Ubisecure\ubilogin-sso\java\lib\security\cacerts

The certificate can be added to the Java certificate store using the keytool command. Here are example commands for Windows and Linux installations: 

Listing 1. Windows:
cd /d "C:\Program Files\Ubisecure\ubilogin-sso\"
setenv.cmd
cd %JRE_HOME%\lib\security
cd /d %JAVA_HOME%\jre\lib\security
keytool -importcert -keystore cacerts -trustcacerts -alias mytrustedca -file <insert filename here> -storepass changeit
Listing 2. Linux:
cd /usr/local/ubisecure/ubilogin-sso/
. setenv.sh
cd $JAVAJRE_HOME/jre/lib/security
keytool -importcert -keystore cacerts -trustcacerts -alias mytrustedca -file <insert filename here> -storepass changeit

If a plain LDAP connection is used when connecting to the selected external directory an SSL certificate is not required and this step can be skipped.

Setting up a user account in Active Directory or LDAP

In-depth Active Directory administration is not within the scope of this document. Please refer to the Microsoft Knowledge Base for specific information.
In this example, the following operations have been performed:

  • The user Ubilogin was created within the standard Users container of Active Directory.
  • The user was made a member of the group Domain Guests, which is a built-in group of Active Directory.
  • All other memberships were removed from the user.

A similar procedure is required when LDAP is used as the external directory.