There are 2 methods to resolve this issue:
Method 1:
Change the policy "Domain controller: LDAP server signing requirements" on the Domain Controllers to "None". This sets LDAP data signing to not be required in order to bind with the server; if a client requests data signing, however, the server still supports it.
Setting this policy to "None" will also change the following registry setting on all DCs:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity=1 (Note: This is the default setting)
Once this setting is changed on the DC, the ESP server should allow unsecured (unsigned) LDAP authentication, and the process in KB2441205 will allow authentication against Active Directory from the ESP Administrator.
Method 2:
Configure the ESP Adminserver process to bind securely with the LDAP server hosted by the Windows Domain Controller.
In order to accomplish this the following steps must be completed:
1. Obtain the Domain Controller's self-signed SSL server certificate.
Note: One can refer to the Windows security group to obtain the required certificate.
2. Once the appropriate certificate is obtained, one must install the certificate in the "Trusted Root Certification Authorities" container on the FAST ESP Server.
3. Test the secure LDAP connection from the ESP Server using LDP.EXE. See the following for more information on obtaining and using LDP.EXE:
Ldp Overview
http://technet.microsoft.com/en-us/library/cc772839(WS.10).aspx
4. Launch LDP.EXE from the FAST ESP Admin Server.
5. Choose "Connection" from the file menu.
6. Choose "Connect" from the drop-down menu.
7. Type the name of the DC with which to establish a connection.
8. Change the port number to 636. Note: 636 is the secure LDAP port (LDAPS).
9. Check the "SSL" checkbox to enable an SSL connection.
10. Click "OK" to test the connection.
11. If successful, a secure LDAPS connection is established to the DC, and the certificate installed in step 2 has been validated.
12. At this point the Root CA SSL certificate obtained in step 1 must be installed into the Java keystore, so that the Java-based ESP Adminserver component can establish a secure LDAP connection to the DC.
This step can be accomplished with the keytool utility that ships with Java:
Example:
$JAVA_HOME/bin/keytool -import -alias root -keystore $JAVA_HOME/lib/security/cacerts -trustcacerts -file <path-to-ssl-certificate>/ldap-server.cer
Note: The certificate is added to the default JVM truststore $JAVA_HOME/lib/security/cacerts under the alias 'root'.
<path-to-ssl-certificate>/ldap-server.cer refers to the SSL certificate which the JVM client uses to trust the LDAP server.
See the following information for assistance with this process: Importing a Certificate for the CA:
http://download.oracle.com/javase/1.3/docs/tooldocs/win32/keytool.html
13. Once the DC root certificate is successfully imported into the Java keystore, open and edit the login.conf file at:
%FASTSEARCH%\adminserver\webapps\adminserver\WEB-INF\login.conf
14. Modify the existing entry:
LDAP {
no.fast.vespa.security.auth.JaasLdapProvider required
providerURL="ldaps://gc1.contoso.com:636"
principalFormat="{0}@contoso.com";
};
Where ldaps://gc1.contoso.com:636 is the full LDAP URL to the company's LDAP server, and @contoso.com is a common part of all user names.
Note: The difference in this setting compared with KB2441205 is that the LDAP URL is changed to "ldaps" and port "636", which is required to establish a secure LDAP connection.
15. Edit the file
%FASTSEARCH%\adminserver\webapps\adminserver\WEB-INF\classes\esp4j-security-context.xml.
16. Change the loginContextName property to LDAP on the bean with id="jaasAuthenticatorTarget".
Note: The property specifies which login context to use. Changing this setting to LDAP will activate the login context specified in WEB-INF\login.conf.
Example:
<bean id="jaasAuthenticatorTarget" class="no.fast.vespa.security.auth.JaasAuthenticator">
    <property name="loginConfig">
        <value>/WEB-INF/login.conf</value>
    </property>
    <property name="loginContextName">
        <value>LDAP</value>
    </property>
    <property name="callbackHandlers">
        <list>
            <bean class="net.sf.acegisecurity.providers.jaas.JaasNameCallbackHandler"/>
            <bean class="net.sf.acegisecurity.providers.jaas.JaasPasswordCallbackHandler"/>
        </list>
    </property>
</bean>
17. Restart Adminserver:
nctrl stop adminserver
nctrl start adminserver
18. Login to the admin node and navigate to FAST Home > User Administration > Create Users & Groups.
19. Create a user with the same name as the Windows user that requires access rights to ESP.
20. Select "This user will be authenticated by an external management system".
21. Give this user rights in ESP, for example, choose "may create and delete users and groups (admin)".
Note: If one chooses to authenticate a user by an external user management system, the User Name field must match the user login of the external user management system (AD User account in this case). It is not required to fill in the e-mail and password fields for users authenticated through an external user management system.
22. Once these changes are made, one can log into the ESP admin console with mapped external accounts that are maintained in the Windows Domain.
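The following script is an added example, not code from this article or from the FAST ESP product. It audits the two files edited in steps 14 to 16 (the JAAS login.conf entry and the jaasAuthenticatorTarget bean in esp4j-security-context.xml) to confirm that Adminserver will bind over LDAPS on port 636 rather than plaintext LDAP, and it can repeat the LDP.EXE connectivity test of steps 7 to 11 with a plain TLS handshake that validates the DC certificate. The file contents embedded below are constructed samples (the plaintext LDAP_PLAINTEXT entry is constructed for contrast and is not in the article); gc1.contoso.com is the host name the article uses; the script name and its command-line arguments are assumptions.

```python
"""Audit FAST ESP Adminserver LDAP settings (added example; assumptions noted in comments)."""
import re
import socket
import ssl
import sys
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Simplified JAAS login.conf grammar: Name { module Flag option="value" ... ; };
ENTRY_RE = re.compile(r"(\w+)\s*\{(.*?)\}\s*;", re.S)
MODULE_RE = re.compile(r"(\S+)\s+(required|requisite|sufficient|optional)\b(.*)", re.S)
OPTION_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|(\S+))')


def parse_login_conf(text):
    """Return {context_name: {"module": ..., "flag": ..., "options": {...}}}."""
    contexts = {}
    for entry in ENTRY_RE.finditer(text):
        name, body = entry.group(1), entry.group(2).strip()
        mod = MODULE_RE.match(body)
        if not mod:
            continue
        rest = mod.group(3).strip().rstrip(";")
        options = {k: (quoted or bare).strip() for k, quoted, bare in OPTION_RE.findall(rest)}
        contexts[name] = {"module": mod.group(1), "flag": mod.group(2), "options": options}
    return contexts


def audit_provider_url(url):
    """Findings for a providerURL; an empty list means it binds over LDAPS on 636."""
    findings = []
    u = urlparse(url.strip())
    if u.scheme != "ldaps":
        findings.append(f"scheme {u.scheme!r}: credentials would travel over plaintext LDAP")
    port = u.port if u.port is not None else (636 if u.scheme == "ldaps" else 389)
    if port != 636:
        findings.append(f"port {port} is not the LDAPS port 636")
    if not u.hostname:
        findings.append("URL has no host name")
    elif re.fullmatch(r"[\d.]+", u.hostname):
        findings.append("host is an IP literal; use the DC's DNS name so its certificate name can be checked")
    return findings


def _local(tag):
    """Strip an XML namespace ({uri}bean -> bean) so Spring files with or without xmlns work."""
    return tag.rsplit("}", 1)[-1]


def audit_security_context(xml_text, bean_id="jaasAuthenticatorTarget", expected="LDAP"):
    """Step 16: the named bean must carry loginContextName == expected."""
    root = ET.fromstring(xml_text.strip())
    for bean in root.iter():
        if _local(bean.tag) != "bean" or bean.get("id") != bean_id:
            continue
        for prop in bean:
            if _local(prop.tag) == "property" and prop.get("name") == "loginContextName":
                value = "".join((v.text or "") for v in prop if _local(v.tag) == "value").strip()
                return [] if value == expected else [f"loginContextName is {value!r}, expected {expected!r}"]
        return [f"bean {bean_id} has no loginContextName property"]
    return [f"no bean with id {bean_id}"]


def verify_ldaps(host, port=636, cafile=None, timeout=5.0):
    """Steps 7-11 without LDP.EXE: a TLS handshake to the DC that validates its certificate.

    cafile is the PEM form of the certificate obtained in step 1 (convert a DER .cer first);
    None falls back to the operating system trust store.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "protocol": tls.version(),
                "subject": dict(ava for rdn in cert["subject"] for ava in rdn),
                "notAfter": cert["notAfter"],
            }


# Constructed samples: the hardened entry from step 14 plus a plaintext entry for contrast.
SAMPLE_LOGIN_CONF = """
LDAP {
    no.fast.vespa.security.auth.JaasLdapProvider required
        providerURL="ldaps://gc1.contoso.com:636"
        principalFormat="{0}@contoso.com";
};
LDAP_PLAINTEXT {
    no.fast.vespa.security.auth.JaasLdapProvider required
        providerURL="ldap://gc1.contoso.com"
        principalFormat="{0}@contoso.com";
};
"""

SAMPLE_CONTEXT_XML = """
<bean id="jaasAuthenticatorTarget" class="no.fast.vespa.security.auth.JaasAuthenticator">
    <property name="loginConfig"><value>/WEB-INF/login.conf</value></property>
    <property name="loginContextName"><value>LDAP</value></property>
</bean>
"""

if __name__ == "__main__":
    for name, ctx in parse_login_conf(SAMPLE_LOGIN_CONF).items():
        url = ctx["options"].get("providerURL", "")
        print(f"{name}: {url} -> {audit_provider_url(url) or 'OK'}")
    print("esp4j-security-context.xml ->", audit_security_context(SAMPLE_CONTEXT_XML) or "OK")
    if len(sys.argv) > 1:  # assumed usage: python audit_esp_ldap.py <dc-host> [dc-cert.pem]
        print(verify_ldaps(sys.argv[1], cafile=sys.argv[2] if len(sys.argv) > 2 else None))
```

Run it against the real files by reading %FASTSEARCH%\adminserver\webapps\adminserver\WEB-INF\login.conf and esp4j-security-context.xml into the two audit functions; any non-empty finding list means step 14 or 16 is incomplete. The optional handshake only proves the TLS layer and the trust anchor; it does not exercise the JVM truststore, so step 12 still needs its own keytool -list check.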