Tools - LDAP Integration


About

SafeQ 5 has the LDAP replicator tool integrated in the SafeQ web interface.

The following steps will guide you through the default Active Directory integration setup. For advanced and expert options, please refer to LDAP Integration - Advanced and Expert settings.

1. Open the LDAP integration wizard through the Welcome to YSoft SafeQ widget on the main screen.

   NOTE: The settings for LDAP replication can also be found on the web interface: Users -> Actions... -> Connect to LDAP

2. Open the Connection section.

   On the Connection tab, you can set up the integration settings with LDAP.

   Available settings are:

   • LDAP server type (AD, NDS, OpenLDAP)

   • Load users on demand - This replication mode is sometimes referred to as semi-online. When enabled, users are created only during job reception or when logging into the terminal.

     • Full and differential replication updates only users already registered within YSoft SafeQ.

     • Replication of Roles and Cost centers is unaffected.

     • Note: A user's card that is removed from LDAP is not synchronized to the database with the configuration option removeCardsInDiffLdapReplication.

     Having semi-online mode enabled (ldap-replicator-online-mode = true) can result in multiple identical LDAP requests being issued to the remote AD server. This can clash with the configured user-locking policy. Possible workarounds are:
     a) do not use semi-online mode when there is a strict user-locking policy on AD,
     b) increase the number of attempts after which a user gets locked to at least 5.

   • URL of LDAP server

   • LDAP bind method - method used for authentication and data security on the LDAP level

     Warning: The correct LDAP bind method needs to be selected so that YSoft SafeQ can authenticate to the configured LDAP server. Supported options are:

     • Simple bind – A universal password-based authentication method that simply passes the username and password in plain text. From a security perspective, this is acceptable if an LDAPS connection is used, since the entire communication is protected at the TLS level. LDAP servers might refuse to accept an unsecured LDAP connection using simple bind (e.g. based on registry settings of an Active Directory server). Select this method if an anonymous connection is to be used.

     • LDAPv3 SASL DIGEST-MD5 – An advanced authentication mechanism added in LDAP version 3 which does not expose plain-text passwords. In addition, if an unsecured LDAP connection is used, the transferred data is integrity-protected and also encrypted if the LDAP server supports it. However, using LDAPS is still recommended for better security. This method can also be used together with LDAPS, in which case only the initial authentication might be affected (LDAP servers might refuse to accept connections with a doubled data protection mechanism). Note that there are limitations when using this method, e.g. an IP address in the URL of LDAP server setting is not supported.

     Please see Client authentication below for more information and the full list of limitations.

   • Searched LDAP subtree

   • Service account

     There is a possibility to use either an anonymous account or an authorized account to log into the LDAP server to search for users. The selected account has to have at least read access to reach the users and their attributes.

     Warning: Please ask your domain administrator for LDAP credentials. A specific username (principal) format might be required based on the LDAP bind method selected. For the LDAPv3 SASL DIGEST-MD5 setting, use only the username string with no prefix or suffix. The Simple bind setting supports more formats, e.g. user@domain or a distinguished name.

3. Open the Scheduling section.

   The Scheduling tab gives you the possibility to schedule the replication runs. All settings are revealed after you check the Enable regular synchronizations checkbox. The options are:

   • Start full replication - Here you can select the days and times for full replication by clicking checkboxes.

   • Start differential replication - Here you can specify the hours or the time interval from the last replication at which differential replication starts. This type of replication is started every day.

   NOTE: You have to restart the YSoft SafeQ CML services to apply these changes.

4. Run the synchronization using the "Sync now" button.

5. Check the result.

   The Status tab contains only information about the last synchronization with the LDAP server (date, duration and result) and the count of added/updated/deleted users, cost centers and roles.

   In case of an error, the error is displayed here.

Basic mode

In Basic mode there are additional tabs:

Test settings tab

The Test Settings tab enables you to test the connection to the LDAP server. Please note that the settings have to be saved before the test can start. If the settings are correct, the test returns the first 5 users, cost centers and roles matching the entered settings and filters.

There is a summary table at the top if more than one LDAP connection (domain) is set. You can see whether the domain settings are correct (all icons are green) or something is set up wrongly (red icons). If the test returned fewer than 5 results, the icon is orange. This does not necessarily mean that the setting is wrong (there could be only three objects of that type in the LDAP), but a warning is raised so the administrator can check whether, for example, the filter settings are correct.

You can list the returned items for each domain by clicking on the domain name in the summary table.

The summary table is not displayed if only one domain is set.

Log tab

On the last tab, called Log, you can see the information that was logged by the running LDAP replicator. This is a good place for troubleshooting if there is any issue with the replication process.

Client authentication

YSoft SafeQ authenticates to the LDAP server with a username and password (unless anonymous access is configured). One of two bind methods can be selected in System > LDAP Integration > Settings (in Basic mode) – Simple bind or LDAPv3 SASL DIGEST-MD5. Simple bind is configured by default; however, it is not recommended without LDAPS, as all data (including service account credentials) would be transferred without any confidentiality or integrity protection. Moreover, Microsoft advises enforcing LDAP signing on Active Directory servers, which prevents connecting to such a server with plain LDAP and simple bind. In contrast, LDAP integration using simple bind and LDAPS is still supported, as the whole communication channel is protected by TLS (SSL).

When the LDAPv3 SASL DIGEST-MD5 method is configured, YSoft SafeQ can integrate with an LDAP server enforcing LDAP signing even if LDAPS is not used. In this case, password confidentiality and data integrity are enforced at the level of the LDAP protocol. Also, the data is encrypted if the LDAP server supports it. However, it is still recommended to use LDAPS for higher security. Note that using the DIGEST-MD5 method together with LDAPS will fail if the LDAP server strictly enforces LDAP channel binding, which is not supported in this case.

Limitations of using the LDAPv3 SASL DIGEST-MD5 binding method

Using the DIGEST-MD5 method has several limitations compared to simple bind (which is more universal):

• An IP address in the LDAP URL is not supported, only a domain name

• The domain name in the LDAP URL must match a Service Principal Name (SPN) of the LDAP server; this may be an issue if DNS load balancing/failover is used (unless that DNS name is added as an SPN to the end servers)

• The default authentication realm (offered by the LDAP server) is used; there is no way to use a different realm, so the username must be unique globally

• The DIGEST-MD5 method with LDAPS does not support channel binding; it cannot be used if the server has the registry value LdapEnforceChannelBinding set to 2

• The method has only been tested with Active Directory in the role of the LDAP server
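The bind-method rules above (simple bind exposing credentials without LDAPS, DIGEST-MD5 needing a DNS name and a bare username, DIGEST-MD5 over LDAPS failing under enforced channel binding) are easy to get wrong in a form, so here is a pre-flight check that reviews a connection setting before it is saved. This is an added example, not YSoft SafeQ code; the LdapConnection field names, the bind-method constants and the host names in the demo are assumptions made for this example.

```python
# Pre-flight review of a SafeQ-style LDAP connection setting (added example,
# not YSoft SafeQ code). It encodes the rules from this page: simple bind
# without LDAPS carries the service account password without confidentiality
# or integrity protection and is refused by servers enforcing LDAP signing;
# DIGEST-MD5 needs a DNS name in the URL (matching the server SPN), a bare
# username, and cannot do channel binding over LDAPS. The LdapConnection field
# names and the host names in the demo are assumptions made for this example.
import ipaddress
from dataclasses import dataclass
from typing import List
from urllib.parse import urlsplit

SIMPLE = "simple"            # "Simple bind" in the SafeQ UI
DIGEST_MD5 = "DIGEST-MD5"    # "LDAPv3 SASL DIGEST-MD5" in the SafeQ UI


@dataclass
class LdapConnection:
    url: str                 # ldap://host[:port] or ldaps://host[:port]
    bind_method: str         # SIMPLE or DIGEST_MD5
    username: str = ""       # empty means anonymous access
    password: str = ""


@dataclass
class Finding:
    level: str               # "error" (will not work) or "warning" (works but weak/fragile)
    message: str


def _host_is_ip(host: str) -> bool:
    """True for IPv4/IPv6 literals, False for DNS names."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _username_is_bare(username: str) -> bool:
    """DIGEST-MD5 wants only the username: no user@domain, DOMAIN\\user or DN."""
    return not any(ch in username for ch in "@\\=,")


def check_connection(conn: LdapConnection) -> List[Finding]:
    """Return the problems a reviewer would raise for this setting."""
    parts = urlsplit(conn.url)
    scheme = parts.scheme.lower()
    host = parts.hostname or ""
    if scheme not in ("ldap", "ldaps") or not host:
        return [Finding("error", f"URL must be ldap://host or ldaps://host, got {conn.url!r}")]
    uses_ldaps = scheme == "ldaps"
    findings: List[Finding] = []

    if conn.bind_method == SIMPLE:
        if not uses_ldaps:
            findings.append(Finding("warning",
                "simple bind over plain LDAP sends all data, including the service "
                "account password, without confidentiality or integrity protection; "
                "a server enforcing LDAP signing will refuse it (use LDAPS or DIGEST-MD5)"))
    elif conn.bind_method == DIGEST_MD5:
        if not conn.username:
            findings.append(Finding("error", "DIGEST-MD5 requires a service account; anonymous access needs simple bind"))
        elif not _username_is_bare(conn.username):
            findings.append(Finding("error", f"DIGEST-MD5 expects the bare username, not {conn.username!r}"))
        if _host_is_ip(host):
            findings.append(Finding("error", "DIGEST-MD5 does not support an IP address in the LDAP URL; use the DNS name that matches the server's SPN"))
        if uses_ldaps:
            findings.append(Finding("warning", "DIGEST-MD5 over LDAPS fails when the server enforces LDAP channel binding (LdapEnforceChannelBinding = 2); prefer simple bind over LDAPS there"))
    else:
        findings.append(Finding("error", f"unknown bind method {conn.bind_method!r}"))
    return findings


def verdict(conn: LdapConnection) -> str:
    """'ok', 'warning' or 'error' for the whole setting."""
    levels = {f.level for f in check_connection(conn)}
    return "error" if "error" in levels else "warning" if "warning" in levels else "ok"


if __name__ == "__main__":
    # Constructed settings; dc1.example.com is a placeholder host.
    samples = [
        LdapConnection("ldaps://dc1.example.com:636", SIMPLE, "svc-safeq", "secret"),
        LdapConnection("ldap://dc1.example.com", SIMPLE, "svc-safeq", "secret"),
        LdapConnection("ldap://10.0.0.5", DIGEST_MD5, "svc-safeq@example.com", "secret"),
        LdapConnection("ldap://dc1.example.com", DIGEST_MD5, "svc-safeq", "secret"),
    ]
    for s in samples:
        print(f"{s.url:32} {s.bind_method:10} -> {verdict(s)}")
        for f in check_connection(s):
            print(f"   [{f.level}] {f.message}")
```

The two combinations the page recommends (simple bind over LDAPS, or DIGEST-MD5 over plain LDAP with a DNS name and a bare username) come back as "ok"; plain LDAP with simple bind is reported as a warning rather than an error because it only fails once the server enforces signing.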

Troubleshooting

YSoft SafeQ replicator logs:

javax.naming.AuthenticationNotSupportedException: [LDAP: error code 8 - 00002028: LdapErr: DSID-0C09023C, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v4563 ]

Plain LDAP is used with simple bind to connect to a server requiring signing. Switch to LDAPS or change the bind method to DIGEST-MD5.

YSoft SafeQ replicator logs:

javax.naming.AuthenticationException: [LDAP: error code 49 - 8009030C: LdapErr: DSID-0C090569, comment: AcceptSecurityContext error, data 52e, v4563 ]

The credentials are invalid. If the DIGEST-MD5 method is used, check that the format of the username is correct (it should be the plain username with no prefixes or suffixes).

YSoft SafeQ replicator logs:

javax.naming.AuthenticationException: [LDAP: error code 49 - 80090346: LdapErr: DSID-0C090569, comment: AcceptSecurityContext error, data 80090346, v4563 ]

LDAP channel binding is required by the LDAP server. Use LDAPS with simple bind or plain LDAP with the DIGEST-MD5 method.

YSoft SafeQ replicator logs:

javax.naming.CommunicationException: <URL> [Root exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]

LDAPS is configured but the certificate of the LDAP server is not trusted. Import the certificate authority correctly and select an appropriate method of certificate check. (This is actually an error in server authentication.)
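The four log lines above each carry the LDAP result code, a Windows error code and an AD "data" subcode, and those fields are what distinguish the causes. The classifier below parses a replicator log line into those fields and maps them to the diagnoses given in this section. It is an added example, not YSoft SafeQ code: the regular expressions and the cause/fix texts are written from this page, SAMPLE_LOG_LINES are the lines quoted above, and the extra data code 775 (account locked out) is a well-known Active Directory subcode added here because it is what the user-locking clash mentioned under Load users on demand produces.

```python
# Classifier for YSoft SafeQ replicator log lines (added example, not SafeQ
# code). It parses the JNDI exception text into the LDAP result code, the
# Windows error code and the AD "data" subcode, then maps them to the causes
# and fixes listed in this Troubleshooting section. SAMPLE_LOG_LINES are the
# four lines quoted on the page; data code 775 (account locked out) is a
# well-known AD subcode added here, not taken from the page.
import re
from dataclasses import dataclass
from typing import List, Optional

LDAP_ERR = re.compile(
    r"LDAP: error code (?P<code>\d+) - (?P<hres>[0-9A-Fa-f]{8}):"
    r".*?\bdata (?P<data>[0-9A-Fa-f]+)"
)
PKIX_FAILURE = re.compile(r"SSLHandshakeException: PKIX path building failed")

# The lines quoted in this section (raw strings keep the SSL\TLS backslash).
SAMPLE_LOG_LINES: List[str] = [
    r"javax.naming.AuthenticationNotSupportedException: [LDAP: error code 8 - 00002028: LdapErr: DSID-0C09023C, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v4563 ]",
    r"javax.naming.AuthenticationException: [LDAP: error code 49 - 8009030C: LdapErr: DSID-0C090569, comment: AcceptSecurityContext error, data 52e, v4563 ]",
    r"javax.naming.AuthenticationException: [LDAP: error code 49 - 80090346: LdapErr: DSID-0C090569, comment: AcceptSecurityContext error, data 80090346, v4563 ]",
    r"javax.naming.CommunicationException: <URL> [Root exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]",
]


@dataclass
class Diagnosis:
    exception: str               # Java exception class from the start of the line
    result_code: Optional[int]   # LDAP result code (8, 49, ...) or None
    data: Optional[str]          # AD "data" subcode (52e, 775, ...) or None
    cause: str
    fix: str


def diagnose(line: str) -> Diagnosis:
    """Map one replicator log line to a cause and the fix given on this page."""
    exc = line.split(":", 1)[0].strip()
    if PKIX_FAILURE.search(line):
        return Diagnosis(exc, None, None,
                         "LDAPS server certificate is not trusted",
                         "import the issuing certificate authority and select an appropriate certificate check method")
    m = LDAP_ERR.search(line)
    if not m:
        return Diagnosis(exc, None, None, "unrecognised replicator error", "inspect the Log tab")
    code, hres, data = int(m["code"]), m["hres"].upper(), m["data"].lower()
    if code == 8 and hres == "00002028":
        return Diagnosis(exc, code, data,
                         "server requires LDAP signing; plain LDAP with simple bind was used",
                         "switch to LDAPS or change the bind method to DIGEST-MD5")
    if code == 49 and hres == "80090346":
        return Diagnosis(exc, code, data,
                         "server requires LDAP channel binding",
                         "use LDAPS with simple bind or plain LDAP with DIGEST-MD5")
    if code == 49 and data == "52e":
        return Diagnosis(exc, code, data,
                         "invalid credentials",
                         "check the password; with DIGEST-MD5 the username must be bare (no prefix or suffix)")
    if code == 49 and data == "775":  # well-known AD subcode, not from the page
        return Diagnosis(exc, code, data,
                         "service account locked out",
                         "unlock the account; semi-online mode can trip a strict user-locking policy")
    return Diagnosis(exc, code, data, f"LDAP result {code}, {hres}, data {data}",
                     "check the domain controller's event log")


if __name__ == "__main__":
    for line in SAMPLE_LOG_LINES:
        d = diagnose(line)
        print(f"{d.exception.rsplit('.', 1)[-1]:40} code={d.result_code} data={d.data}")
        print(f"   cause: {d.cause}\n   fix:   {d.fix}")
```

Feeding the Log tab output through diagnose() turns the opaque DSID/comment strings into the same decision the table above asks the administrator to make by hand, and unknown result codes fall through to a generic record rather than being misclassified.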

Advanced and Expert mode

You can set up the replication process in 3 modes:

• Basic

• Advanced

• Expert

Each mode "unlocks" new tabs for the replicator settings. However, for the majority of installations, the Basic mode will be sufficient.

For advanced and expert options, please refer to LDAP Integration - Advanced and Expert settings.

Running the replication

Once you are finished with the settings, you can save the LDAP replicator settings by pressing the Save button. If you want to run the replication immediately, you can do so by pressing the Sync now button.

Replication is always run by the cluster node designated by the ldapReplicatorClusterNodeId configuration option. The option can be set to the ID of the cluster node that should run the replication. The default value is '-1', which means the replication is run by the first cluster node (the node with the lowest ID among all nodes in the cluster, running or not). LDAP replication is not executed if the designated node is not operational.
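The "running or not" clause above has a practical consequence: with the default '-1', a cluster whose lowest-ID node is down never replicates, even though other nodes are healthy. The following added example (not YSoft SafeQ code) models that rule so the outcome can be checked for a given cluster state; the node IDs and states are constructed, and treating a configured ID that is not in the cluster as "no designated node" is an assumption of this example.

```python
# Model of the ldapReplicatorClusterNodeId rule (added example, not SafeQ
# code). nodes maps cluster node id -> operational (True/False). The node ids
# and states used below are constructed; an id not present in the cluster is
# treated as "no designated node", which is an assumption of this example.
from typing import Dict, Optional


def designated_node(nodes: Dict[int, bool], configured_id: int = -1) -> Optional[int]:
    """Node that is supposed to run the replication.

    -1 (the default) selects the lowest id among all nodes, whether they are
    running or not; any other value selects that exact node.
    """
    if not nodes:
        return None
    if configured_id == -1:
        return min(nodes)
    return configured_id if configured_id in nodes else None


def replication_will_run(nodes: Dict[int, bool], configured_id: int = -1) -> bool:
    """True only if the designated node exists and is operational."""
    node = designated_node(nodes, configured_id)
    return node is not None and nodes[node]


def explain(nodes: Dict[int, bool], configured_id: int = -1) -> str:
    node = designated_node(nodes, configured_id)
    if node is None:
        return f"no node with id {configured_id} in the cluster; replication is skipped"
    state = "operational" if nodes[node] else "down"
    return f"node {node} is designated and {state}; replication " + ("runs" if nodes[node] else "is skipped")


if __name__ == "__main__":
    # Constructed three-node cluster: node 1 (lowest id) is down, 2 and 3 are up.
    cluster = {1: False, 2: True, 3: True}
    print("default -1 :", explain(cluster))       # skipped, node 1 is down
    print("pinned to 2:", explain(cluster, 2))    # runs on node 2
    print("pinned to 9:", explain(cluster, 9))    # no such node
```

Pinning the option to a healthy node (or bringing the lowest-ID node back) is therefore the fix when the Status tab shows no recent synchronization in a partially degraded cluster.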