Enable LDAPS Authentication with Active Directory on Swarm Gateway

The TLS certificate used for LDAPS must be created using Active Directory Certificate Services.

Export Root CA from Active Directory Server

  1. Log into the Active Directory domain server as a Domain Administrator:

    1. Open the CA Microsoft Management Console (MMC) GUI from Start > Windows Administrative Tools > Certificate Authority

    2. Right-click on the CA Server and select Properties:

    3. Select View Certificate from the General menu:


    4. Select Details followed by Copy to File…:


    5. Use the Certificate Export Wizard to save the CA certificate file:

    6. Select Next followed by Base-64 encoded X.509 (.CER):

    7. Select Browse to select the path where the root-CA is saved:

    8. Select Next.

Install the Root CA on Swarm Content Gateway

  1. Copy the root-CA (acme-ca-bundle.crt) to the following location on all Swarm Content Gateway servers:

    /etc/pki/ca-trust/source/anchors/acme-ca-bundle.crt

  2. Run the following command on each Swarm Content Gateway server:

    update-ca-trust

  3. Restart the Swarm Content Gateway Services on each Swarm Content Gateway:

    systemctl restart cloudgateway

Test LDAPS connection from Swarm Content Gateway

  1. Download the acert certificate verification utility to each Swarm Content Gateway server and verify the file against the SHA-256 checksums listed on the Duo Certification Verification Utility website:

  2. Verify all Swarm Content Gateway servers can reach the Active Directory server using tools such as ping, traceroute, or equivalent.

  3. Run the following command to verify the LDAPS certificate:

Alternatively, test with the curl command line; a successful connection reports Connected.

Output:

Configure LDAPS on Swarm Content Gateway

  1. Create a User account that can log in to Active Directory with read only access to LDAP/LDAPS.

  2. Refer to https://perifery.atlassian.net/wiki/spaces/public/pages/2443816826/IDSYS+Document+Format#LDAP-and-AD-Fields to configure gateway authentication with Active Directory LDAP.

  3. Change the protocol and port:

    1. Protocol: change ldap to ldaps

    2. ldapPort: change 389 to 636

  4. Use the LDAPS/AD credentials to log in to the Content Gateway portal (UIC).

  5. If the test login to the Swarm Content Gateway UI fails, look up the errors by Request ID in /var/log/caringo/cloudgateway_server.log and follow the troubleshooting steps in https://perifery.atlassian.net/wiki/spaces/public/pages/2443817241 .

    Sample certificate error:
    2023-04-07 09:39:18,309 ERROR [qtp1357686726-9493|BC005B3EB68626F8] LDAPIdsys: Unable to connect to identity system ldaps://ad01.acme.internal:636 as ldapUser@acme.internal: javax.naming.CommunicationException: simple bind failed: ad01.acme.internal:636 [Root exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
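    The following script is an added example (not part of this article or the Swarm product) that triages LDAPIdsys bind failures in cloudgateway_server.log by Request ID and maps the PKIX error above to its fix; the extra log lines and the hostname-mismatch and connection-refused cases are constructed for illustration.

```python
"""Triage LDAPS bind failures in cloudgateway_server.log by Request ID."""
import re

# Constructed sample log: the first line mirrors the error shown above, the
# other two are made-up failures in the same format (not real gateway logs).
SAMPLE_LOG = """\
2023-04-07 09:39:18,309 ERROR [qtp1357686726-9493|BC005B3EB68626F8] LDAPIdsys: Unable to connect to identity system ldaps://ad01.acme.internal:636 as ldapUser@acme.internal: javax.naming.CommunicationException: simple bind failed: ad01.acme.internal:636 [Root exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
2023-04-07 09:41:30,551 ERROR [qtp1357686726-9502|11223344AABBCCDD] LDAPIdsys: Unable to connect to identity system ldaps://10.0.0.5:636 as ldapUser@acme.internal: javax.naming.CommunicationException: simple bind failed: 10.0.0.5:636 [Root exception is javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching 10.0.0.5 found.]
2023-04-07 09:42:07,004 ERROR [qtp1357686726-9510|5E6F708192A3B4C5] LDAPIdsys: Unable to connect to identity system ldaps://ad01.acme.internal:389 as ldapUser@acme.internal: javax.naming.CommunicationException: simple bind failed: ad01.acme.internal:389 [Root exception is java.net.ConnectException: Connection refused]
"""

# "<date> <time> <LEVEL> [<thread>|<REQUEST_ID>] <component>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<level>\w+)\s+\[(?P<thread>[^|\]]+)\|(?P<request_id>[0-9A-F]+)\] "
    r"(?P<component>\w+): (?P<msg>.*)$"
)
# "identity system ldaps://host:port as bindUser:"
URL_RE = re.compile(r"(?P<url>ldaps?://[^\s:]+:\d+) as (?P<bind>\S+):")

# Substring of the Java root exception -> (cause, remediation from this article)
CAUSES = (
    ("PKIX path building failed", "ca_not_trusted",
     "root CA not in /etc/pki/ca-trust/source/anchors: install it, run update-ca-trust, restart cloudgateway"),
    ("No subject alternative DNS name", "hostname_mismatch",
     "ldaps:// host must match a SAN on the AD certificate: use the DC's DNS name, not its IP"),
    ("Connection refused", "port_closed",
     "nothing listening on that port: with protocol ldaps, ldapPort must be 636"),
)


def triage(log_text: str) -> dict:
    """Return {request_id: finding} for every LDAPIdsys ERROR line in log_text."""
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["level"] != "ERROR" or m["component"] != "LDAPIdsys":
            continue
        target = URL_RE.search(m["msg"])
        cause, hint = "unknown", "inspect the full exception chain in the log"
        for needle, c, h in CAUSES:
            if needle in m["msg"]:
                cause, hint = c, h
                break
        findings[m["request_id"]] = {
            "time": m["ts"],
            "url": target["url"] if target else None,
            "bind_user": target["bind"] if target else None,
            "cause": cause,
            "hint": hint,
        }
    return findings


if __name__ == "__main__":
    for rid, f in triage(SAMPLE_LOG).items():
        print(f"{rid} {f['time']} {f['url']} -> {f['cause']}: {f['hint']}")
```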


The configuration for LDAPS/AD integration should be complete if no errors occur.

© DataCore Software Corporation. · https://www.datacore.com · All rights reserved.