LDAP How to Guide
From Swivel Knowledgebase Wiki
Overview
This document covers the use of LDAP with PINsafe. PINsafe uses LDAP to read information from Active Directory and LDAP servers.
PINsafe has a specific class for Active Directory imports, for further information see AD data source configuration
Prerequisites
PINsafe 3.x
Creating the LDAP Repository
Add the LDAP Repository Servers
On the PINsafe Server:
Select Repository/General and create an LDAP Repository. The name is descriptive, must be unique and can be up to 32 characters in length; once created it appears on the left hand side below Repository. Create a separate repository entry for each LDAP server.
Click Apply to save settings
Default LDAP ports
LDAP ports
389 LDAP
636 LDAP SSL
Active Directory Global Catalog can be used on the following ports:
3268 Global Catalog
3269 Global Catalog SSL
Using self-signed certificates for LDAPS
The PINsafe server or appliance can be configured to accept self-signed certificates by selecting the Accept self-signed certificates option, located under Repository/<name of the LDAP server entry>. This disables verification of the LDAP server's certificate chain, so it should only be used where the LDAP server cannot be issued a certificate from a CA that PINsafe trusts.
Installing trusted CA certificates for LDAPS
Certificates for LDAPS can be added to the PINsafe appliance or server using the keytool command to import the certificate as a trusted CA certificate into the Java cacerts keystore used by PINsafe:
Appliance:
/usr/java/jre1.6.0_18/lib/security/cacerts
Testing
Known Issues
User Sync Issues
From PINsafe 3.8 release 2 onwards, any error retrieving a user's details causes that user to be skipped, but the user is marked as deleted (or actually deleted, if "mark as deleted" is disabled).
In PINsafe 3.5 to 3.8 release 1, if an error occurs reading a specific user's details, that user is skipped only if the error is "Not found". Any other LDAP error causes the sync to abort.
Group Sync Issues
In PINsafe 3.5 and later, errors attempting to access LDAP or to read the group details cause the user sync to abort. In earlier versions of PINsafe, such errors could cause all users to be deleted.
User Import Issues
In PINsafe version 3.8 (release 1) and earlier, usernames must be EXACTLY the same on both servers, including case. If the username is changed on the source, it may invalidate the user's credentials. Do not change the username case on the LDAP server (for example, changing the uid attribute from upper case to lower case or vice versa), as PINsafe will try to import the user as a new user and fail because the user already exists.
There are two ways to fix this: either change the LDAP repository to use upper case (or lower case) usernames, or modify the PINsafe database to change the usernames to lower case. The SQL statement for the latter is as follows: UPDATE PINSAFEJ SET H = LOWER(H);
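Before running that UPDATE it is worth checking which LDAP uids would actually fail to import because they differ from the PINsafe username only in case, and whether lowercasing would merge two existing PINsafe accounts into one. The following is an added example, not PINsafe code; the usernames are constructed sample data, and the real lists would come from the LDAP uid attribute and the H column of PINSAFEJ.

```python
from collections import defaultdict

# Constructed sample data: PINsafe usernames (column H of PINSAFEJ) and LDAP uids.
PINSAFE_USERS = ["alice", "Bob", "carol"]
LDAP_UIDS = ["alice", "bob", "dave"]


def find_case_collisions(usernames):
    """Return {lowercased: [variants]} for names that differ only in case."""
    groups = defaultdict(list)
    for name in usernames:
        groups[name.lower()].append(name)
    return {k: v for k, v in groups.items() if len(v) > 1}


def classify_ldap_users(pinsafe_usernames, ldap_uids):
    """Compare LDAP uids with PINsafe usernames under the exact-match rule.

    'exact'         -> imports as the existing user
    'case_mismatch' -> (pinsafe_name, ldap_uid): import would fail as "already exists"
    'new'           -> no PINsafe user with that name in any case
    """
    existing = set(pinsafe_usernames)
    by_lower = {u.lower(): u for u in pinsafe_usernames}
    result = {"exact": [], "case_mismatch": [], "new": []}
    for uid in ldap_uids:
        if uid in existing:
            result["exact"].append(uid)
        elif uid.lower() in by_lower:
            result["case_mismatch"].append((by_lower[uid.lower()], uid))
        else:
            result["new"].append(uid)
    return result


def lowercase_rename_plan(pinsafe_usernames):
    """Renames equivalent to UPDATE PINSAFEJ SET H = LOWER(H).

    Refuses to proceed if two PINsafe accounts would collapse into one name,
    since the UPDATE itself would silently produce duplicate usernames.
    """
    collisions = find_case_collisions(pinsafe_usernames)
    if collisions:
        raise ValueError("lowercasing would merge accounts: %r" % collisions)
    return {u: u.lower() for u in pinsafe_usernames if u != u.lower()}


if __name__ == "__main__":
    print(classify_ldap_users(PINSAFE_USERS, LDAP_UIDS))
    print(lowercase_rename_plan(PINSAFE_USERS))
```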
Moving LDAP servers Issues
The usernames must be exactly the same on each server. With PINsafe 3.8 release 1 and earlier, the base DN on the two servers must also be the same. The PINsafe user sync can handle a user being moved within the same LDAP directory (the repository simply returns a "not found" error). However, if the base DN is different, an "authentication failed" error is produced, which causes PINsafe to abort the user sync.
If the base DN and the usernames are the same, moving to a different repository containing the same users is possible. Delete the current data source repository definition, making sure that "Delete users with repository" is set to "No", and then create a new repository with EXACTLY the same name (including case and spacing).