Configuring the Identity Manager driver for Active Directory with SSL
Novell Cool Solutions: Feature
By Michel Bluteau
Posted: 15 Dec 2005
This article describes the steps required to install the Remote Loader and the AD driver on a Member Server instead of on the Domain Controller. SSL is required for some operations like Password Sync, so a certificate must be installed on the DC to allow LDAP over SSL (LDAPS).
This article is intended for Novell Identity Manager 2.01 on any platform, and Windows/AD 2003.

First, you need a CA (Certificate Authority) that can provide a certificate for the domain controller (DC). Several options are available: you can install Microsoft Certificate Services on the DC or on another Windows 2003 server. The easiest way is to install it on the DC, which is the server that needs LDAPS. If you decide to install it on a separate server, or use another CA like Novell eDirectory, Entrust or Verisign, you can look at the following documentation on Creating, Exporting, and Importing Certificates:
http://www.novell.com/documentation/dirxmldrivers/index.html?page=/documentation/dirxmldrivers/ad/data/bp8clek.html Also recommended is the Microsoft Knowledge Base Article 321051, How to Enable LDAP over SSL with a Third-Party Certificate Authority.
You can also use the web console for Microsoft Certificate Services to generate a certificate, at http://<ca_address>/certsrv, where <ca_address> is the IP address of the certificate server hosting the Certificate Management Console.
1. Use MMC and add the certificate snap-in for the local computer to check if the certificate is installed properly after the DC has been restarted.
Figure 1: Certificate snap-in for MMC, showing the certificates on the DC
2. Use ldp.exe, part of the Windows 2003 tools (under Support on the CD), to check if LDAPS is operational.
Figure 2: ldp.exe from the Support Tools - Microsoft's LDAP browser
3. Set the Connect parameters as shown below.
Figure 3: Setting the Connect parameters
4. You should be able to connect anonymously if you are on the DC.
Figure 4: Connecting anonymously from the DC
5. On another machine like the Member Server, a bind may be required.
Figure 5: Bind parameters
6. After a bind, you should be able to select View/Tree and browse the tree.
Figure 6: View/Tree
7. From the Member Server, access the Web Console for Certificate Services.
8. Select Download a CA certificate, certificate chain, or CRL.
Figure 7: Selecting the download
9. Select Base 64 and then Download CA certificate chain.
Figure 8: Downloading the CA certificate chain
10. Save the file on disk.
Figure 9: Saving the file
11. Double-click the certificates file.
Figure 10: Selecting the certificates file
The file should contain 2 certificates, one for the CA, and one for the DC. It may contain more certificates.
12. Double-click the certificate for the CA first, then for the DC.
Figure 11: Selecting the CA and DC certificates
13. Click Install Certificate.
Figure 12: Installing the certificate
This CA should be OK/trusted. The Member Server needs access to the internet for validation; otherwise you will see errors in the Event Viewer under Application.
Figure 13: Trusted/OK certificate
14. Install the certificate for the DC.
Figure 14: Installing the certificate for the DC
This certificate should be OK as well.
Figure 15: Trusted/OK certificate
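Steps 7 to 14 import the downloaded chain by hand through the certificate dialogs. The following PowerShell script is an added example, not code from the original article or from Novell; it does the same import on the Member Server and then builds the chain for the DC certificate so that a trust problem shows up here instead of in the Event Viewer later. The path of the chain file is an assumed value; run it from an elevated PowerShell prompt, because writing to the LocalMachine stores needs administrator rights.

```powershell
# Added example, not part of the original article: import the Base-64 CA chain
# saved in step 10 into the Member Server's machine stores and confirm that the
# DC certificate chains to a trusted root. The file path below is assumed.
$ChainFile = 'C:\temp\certnew.p7b'   # assumed location of the downloaded chain file

$collection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$collection.Import($ChainFile)       # reads every certificate in a PKCS#7 (.p7b) or .cer file

$leafCerts = @()
foreach ($cert in $collection) {
    # Decide where each certificate belongs from its Basic Constraints extension
    $bc = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    $isCa = ($bc -ne $null) -and $bc.CertificateAuthority
    if ($isCa -and ($cert.Subject -eq $cert.Issuer)) {
        $storeName = 'Root'   # self-signed CA: Trusted Root Certification Authorities
    } elseif ($isCa) {
        $storeName = 'CA'     # subordinate CA: Intermediate Certification Authorities
    } else {
        $leafCerts += $cert   # end-entity certificate such as the DC's own: verify only
        continue
    }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, 'LocalMachine')
    $store.Open('ReadWrite')
    $store.Add($cert)          # no-op if the certificate is already in the store
    $store.Close()
    "Imported '$($cert.Subject)' into LocalMachine\$storeName"
}

# Build the chain for each end-entity certificate the way the Remote Loader host will
foreach ($cert in $leafCerts) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'   # needs network access, as the article notes
    if ($chain.Build($cert)) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        "OK: '$($cert.Subject)' chains to '$($root.Subject)'"
    } else {
        "FAILED: '$($cert.Subject)'"
        $chain.ChainStatus | ForEach-Object { "  $($_.Status): $($_.StatusInformation.Trim())" }
    }
}
```

Only certificates that carry the CA flag are written to the Root or CA stores; the DC's own certificate is never placed in a trust store, it is only verified. A FAILED line with a status such as RevocationStatusUnknown is the scripted equivalent of the validation errors the article says appear in the Application log when the Member Server has no internet access.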
15. Open MMC to be able to add the certificate snap-ins.
Figure 16: MMC
16. Add the snap-ins as shown below.
Figure 17: Adding the snap-ins
You should be able to find the CA certificate under Current User.
Figure 18: CA certificate under Current User
You should also be able to see the certificates for the Servers or DC as well.
Figure 19: Certificates for the Servers or DC
17. Copy and Paste the certificates under Service (DirXML Loader).
Figure 20: Certificates under Service (DirXML Loader)
Figure 21: Certificates under Service (DirXML Loader) - continued
18. Set the parameters for the AD Driver similar to these:
Figure 22: Authentication parameter settings for the AD Driver
Figure 23: Driver setting parameters for the AD Driver
19. On the Member Server, add an entry (for example in the hosts file) that resolves the name used as the driver's Authentication Context to the DC.
Figure 24: Item for authentication context for resolving the DC
You should be able to ping to this address.
Figure 25: Pinging to the authentication address
20. Bring the driver up. Chances are you will get an error message in DSTrace, 81 LDAP_SERVER_DOWN, because the SSL session could not be established. You can see the details in Event Viewer on the Member Server.
Figure 26: LDAP_SERVER_DOWN details in Event Viewer on the Member Server
The SSL session is refused because the subject name in the certificate (win2003.AD2003.NOVL.CA) does not match the Authentication Context value (win2003) in this example. If they differ, change the Authentication Context value to match the certificate's subject name, and update the hosts file on the Member Server if required so that the new name still resolves.
Figure 27: SSL session refused
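The ldp.exe check in steps 2 to 6 and the name mismatch behind error 81 in step 20 can both be reproduced from the Member Server without starting the driver. The script below is an added example, not code from the original article or from Novell: it opens a TLS session to port 636 using the same name the driver would use, lists every host name the DC certificate is valid for, and reports whether the Authentication Context value matches one of them and whether the certificate chains to a trusted root. The two host names in the usage lines are the ones from the article's example and are assumed to resolve from the Member Server.

```powershell
# Added example, not part of the original article: reproduce the check the
# driver makes when it opens its SSL session, so an "81 LDAP_SERVER_DOWN"
# caused by a name mismatch can be diagnosed before the driver is started.
function Test-LdapsName {
    param(
        [Parameter(Mandatory = $true)][string]$AuthContext,  # value of the driver's Authentication Context
        [int]$Port = 636                                       # LDAPS port
    )

    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($AuthContext, $Port)   # needs the hosts entry or DNS to resolve the name
    } catch {
        Write-Warning "Cannot reach ${AuthContext}:${Port} - $($_.Exception.Message)"
        return $false
    }

    # Accept the certificate unconditionally here so it can be inspected;
    # the real trust decision is made explicitly with X509Chain below.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($AuthContext)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } catch {
        Write-Warning "TLS handshake with $AuthContext failed - $($_.Exception.Message)"
        return $false
    } finally {
        $ssl.Dispose()
        $tcp.Close()
    }

    # Collect every name the certificate is valid for: subject CN plus SAN DNS entries
    $names = @($cert.GetNameInfo('DnsName', $false))
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value }
    }
    $names = @($names | Sort-Object -Unique)

    Write-Host "Certificate subject : $($cert.Subject)"
    Write-Host "Names in certificate: $($names -join ', ')"

    $nameOk = $names -contains $AuthContext   # -contains compares case-insensitively
    if (-not $nameOk) {
        Write-Warning "Authentication Context '$AuthContext' matches no name in the certificate;"
        Write-Warning "set it to one of the names above and add a hosts entry for it if needed."
    }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)
    if (-not $chainOk) {
        $chain.ChainStatus | ForEach-Object { Write-Warning "Chain: $($_.Status) $($_.StatusInformation.Trim())" }
    }

    return ($nameOk -and $chainOk)
}

# Using the names from the article's example: the short name is expected to fail
# the name check, the FQDN in the certificate's subject is expected to pass.
Test-LdapsName -AuthContext 'win2003'
Test-LdapsName -AuthContext 'win2003.AD2003.NOVL.CA'
```

The callback that accepts every certificate exists only so the handshake completes and the certificate can be read; trust is then evaluated separately by X509Chain against the stores populated in steps 7 to 17, and the function returns $true only when both the name and the chain are acceptable. A $false result with a name warning is the condition that produces the SSL refusal shown in Figure 27.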
Once you have gone through these steps, you should be able to run your driver successfully. Keep an eye on Event Viewer if you experience issues like error 81 LDAP_SERVER_DOWN.
The procedure may differ if your configuration is not the same, but these steps should help you figure out where to look and what to fix for specific issues.