
LDAPS Authentication Configuration Guide

This guide provides step-by-step instructions for configuring LDAPS (LDAP over SSL) with Innoslate Enterprise.

Prerequisites

  • SSL must already be installed.
  • An LDAPS server must be installed, started, and reachable from the machine on which Innoslate is installed.
  • Your firewall must allow Innoslate to communicate with the LDAPS server on the server’s configured port.
  • You must provide the credentials of a technical user or administrator of the LDAPS server, or allow anonymous binds by enabling anonymous access on your LDAPS server, so that Innoslate can perform search queries against the directory.
  • Locate the settings.properties file on the drive where Innoslate is installed, at this path: C:\Innoslate4\apache-tomcat-8.5.30\webapps\innoslate4\WEB-INF
  • Innoslate’s LDAPS authentication does not support LDAPS configurations with multiple OUs. In this situation we highly suggest moving all Innoslate users into one OU for this authentication type.
  • Innoslate’s LDAPS authentication does not support LDAPS configurations with OUs arranged as a hierarchy.

Section 1: Installing Active Directory, DNS, and DHCP

Procedure

  1. From the Start menu, open Server Manager.
  2. Select Add roles and features to launch the wizard.
  3. On the Before You Begin page, click Next.
  4. On the Select Installation Type page:
    • Ensure Role-based or feature-based installation is selected.
    • Click Next.
  5. On the Select Destination Server page:
    • Ensure Select a server from the server pool is selected.
    • Click Next.
  6. On the Server Roles page:
    • Install the following roles:
      • Active Directory Domain Services
      • DHCP Server
      • DNS Server
    • Click Next.
  7. Proceed through the following pages by clicking Next:
    • Features
    • AD DS
    • DHCP Server
    • DNS Server
    • Confirmation
  8. On the Results page, click Install.
  9. After installation, select Promote this server to a domain controller.
  10. In the Deployment Configuration window:
    • Select Add a new forest.
    • Enter a Root domain name ending in .com (e.g., innoslate.com).
    • Click Next.
  11. On the Domain Controller Options page:
    • Set the Forest functional level and Domain functional level to match your Windows Server version.
    • Enter a Directory Services Restore Mode (DSRM) password.
    • Click Next.
  12. On the DNS Options page, click Next.
  13. On the Additional Options page:
    • Verify the NetBIOS domain name.
    • Click Next.
  14. On the Paths page, click Next.
  15. On the Review Options page:
    • Confirm your selections.
    • Click Next.
  16. On the Prerequisites Check page:
    • Wait for the checks to complete.
    • Verify the message: "All prerequisite checks passed successfully."
    • Click Install.
  17. After installation completes, the server will reboot.

Section 2: Configuring Active Directory Users

Procedure

  1. In Server Manager, navigate to Tools > Active Directory Administrative Center.
  2. Under Users, select New > User.
  3. Configure the new user:
    • Enter First Name, Last Name, and User SamAccountName.
    • Set a Password.
    • Check Password never expires.
    • Fill in other applicable fields.
  4. Click OK.
  5. Create an Innoslate Admin user for LDAPS compatibility:
    • Repeat steps 2–4 to create the user (e.g., "Admin Innoslate").
  6. Double-click the Admin user to open the User Information page.
  7. Scroll to Extensions and select the Attribute Editor tab.
  8. Locate and copy the distinguishedName (e.g., CN=Admin Innoslate,CN=Users,DC=innoslate,DC=com).
  9. Update the settings.properties file on the Innoslate server:
    • Set LDAP_SECURITY_PRINCIPAL to the distinguishedName.
    • Set LDAP_SECURITY_CREDENTIALS to the Admin user’s password.
    • Set LDAP_USER_CONTEXT to the portion of the distinguishedName after the first comma (e.g., CN=Users,DC=innoslate,DC=com).

Reference

For additional LDAP configuration details, see:
Enabling LDAP SSL in Windows 2012.

Section 3: Installing Active Directory Certificate Services

Procedure

  1. In Server Manager, select Add roles and features.
  2. Click Next until the Server Roles page appears.
  3. Ensure Active Directory Certificate Services is selected.
  4. Click Next until the Confirmation page, then click Install.
  5. After installation:
    • In Server Manager, locate the new AD CS role block.
    • Click Configure Active Directory Certificate Services on the destination server.
  6. On the Credentials page, click Next.
  7. On the Role Services page:
    • Ensure Certification Authority is selected.
    • Click Next.
  8. On the Setup Type page:
    • Select Enterprise CA.
    • Click Next.
  9. On the CA Type page:
    • Select Root CA.
    • Click Next.
  10. On the Private Key page:
    • Select Create a new private key.
    • Click Next.
  11. On the Cryptography for CA page, click Next.
  12. On the CA Name page:
    • Specify a name for the CA.
    • Click Next.
  13. On the Validity Period page:
    • Set the expiration period for the CA.
    • Click Next.
  14. On the CA Database page:
    • Select the database location.
    • Click Next.
  15. On the Confirmation page:
    • Review the settings.
    • Click Configure.
  16. On the Results page, verify Configuration succeeded, then click Close.
  17. On the Installation page, click Close.
  18. Reboot the server to obtain the certificate.

Section 4: Configuring Firewall Ports

Windows Firewall

  1. Open Windows Firewall settings.
  2. Create an inbound rule:
    • Select Port > TCP > Specific local ports: 389, 636.
    • Allow the connection.
    • Apply the rule to all profiles.
    • Name the rule (e.g., "LDAPS").
    • Click Finish.

AWS Firewall (if applicable)

  1. Log in to the AWS Management Console.
  2. Navigate to the EC2 instance.
  3. In the Description tab, click the linked Security group.
  4. Select Edit inbound rules.
  5. Add a new rule:
    • Type: LDAP
    • Protocol: TCP
    • Port Range: 636
  6. Click Save.

Section 5: Enabling Secure LDAP (LDAPS)

Procedure

  1. From the Start menu, type MMC and press Enter.
  2. Go to File > Add/Remove Snap-in.
  3. In Available snap-ins, select Certificates and click Add.
  4. On the Certificates snap-in page:
    • Select Computer account.
    • Click Next.
  5. On the Select Computer page:
    • Select Local Computer.
    • Click Finish.
    • Click OK.
  6. Expand Console Root > Certificates (Local Computer) > Personal.
  7. Right-click Personal, then select All Tasks > Request New Certificate.
  8. On the Certificate Enrollment page, click Next.
  9. Ensure Active Directory Enrollment Policy is selected, then click Next.
  10. Select Domain Controller Authentication.
  11. Click Enroll.
  12. Open the Certificates folder, double-click the new certificate.
  13. Under the Details tab:
    • Verify Enhanced Key Usage includes Server Authentication (1.3.6.1.5.5.7.3.1).

Section 6: Loading Certificate onto Innoslate Server

Procedure

  1. In Certificates (Local Computer) > Personal > Certificates, right-click the certificate and select All Tasks > Export.
  2. In the Certificate Export Wizard:
    • Select No, do not export the private key.
    • Click Next.
  3. Choose DER encoded binary X.509 (.CER), then click Next.
  4. Use the Browse button to choose a location, then save the certificate file.
  5. Copy the exported .cer file to the Innoslate server’s Java security directory (e.g., C:\Program Files\Java\JAVA_VERSION\lib\security).
  6. Open a Command Prompt in Administrator mode.
  7. From the lib\security directory that contains cacerts, run the following command to import the certificate into the Java keystore (replace the certificate path and PASSWORD_HERE with your own values):

    keytool -import -alias ca -file "C:\path\to\CERT_HERE.cer" -keystore cacerts -storepass PASSWORD_HERE

  8. Type yes when prompted and press Enter.
  9. Copy the updated cacerts file to the Innoslate directory (e.g., C:\Innoslate4\apache-tomcat-8.5.30\webapps\innoslate4\WEB-INF).
  10. Update the TRUSTSTORE_PATH property in settings.properties to point to the copied cacerts file.
  11. Restart the Innoslate service.

Section 7: Testing LDAPS

  • Use Ldp.exe to test LDAPS connectivity over port 636.
    Note: This will not work if run on the same server as the domain controller.

Section 8: LDAPS Configuration Glossary

This glossary outlines the settings.properties configuration options for LDAPS, using the root domain name innoslate.com as an example.

LDAP_INITIAL_CONTEXT_FACTORY = com.sun.jndi.ldap.LdapCtxFactory
  The LDAP context factory.

LDAP_PROVIDER_URLS = ldap://ldap_url:389
  The LDAP provider URL.

LDAP_SECURITY_AUTHENTICATION = simple
  The type of LDAP security (authentication mechanism).

LDAP_SECURITY_PRINCIPAL = CN=Admin Innoslate,CN=Users,DC=innoslateactive,DC=com
  The LDAP security principal (the distinguishedName of the Admin user copied in Section 2, step 8).

LDAP_SECURITY_CREDENTIALS = Ldap_password
  The password of the LDAP security principal.

LDAP_USER_CONTEXT = CN=Users,DC=innoslateactive,DC=com
  The LDAP user context (the container in which Innoslate users are searched for).

LDAP_USER_OBJECT_CLASS = User
  The LDAP user object class.

LDAP_USER_UID_ATTRIBUTE = sAMAccountName
  The user attribute that LDAP searches for the Innoslate username.

AUTHENTICATION_TYPE = LDAP
  The authentication type.

LDAP_CONNECT_TIMEOUT = 1000
  The LDAP connection timeout in milliseconds.

LDAP_READ_TIMEOUT = 5000
  The LDAP read timeout in milliseconds.

LDAP_USER_EMAIL_ATTRIBUTE = Mail
  The LDAP user email attribute name.

LDAP_USER_FIRST_NAME_ATTRIBUTE = givenName
  The LDAP user first name attribute name.

LDAP_USER_LAST_NAME_ATTRIBUTE = Sn
  The LDAP user last name attribute name.

LDAP_USER_PHONE_NUMBER_ATTRIBUTE = telephoneNumber
  The LDAP user phone number attribute name.

LDAP_USER_COMPANY_ATTRIBUTE = Company
  The LDAP user company attribute name.

LDAP_USER_SEARCH_FILTER = (&(objectClass=user)(sAMAccountName={0})(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
  The LDAP search filter for finding Innoslate users. {0} is replaced with the username; the userAccountControl clause excludes disabled accounts.

TRUSTSTORE_PATH = C:\\Innoslate4\\apache-tomcat-8.5.30\\webapps\\innoslate4\\WEB-INF\\cacerts
  The path where the trust store is located (backslashes are doubled because this is a Java properties file).
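The following is an added example, not part of this guide or the Innoslate product, that checks a settings.properties fragment against the rules in Section 2, step 9 and this glossary before the service is restarted. The sample properties, host name and password are constructed placeholders; it assumes the ldaps://host:636 URL form that matches the port opened in Section 4 and tested in Section 7, and its escaped-comma handling goes beyond the page's own example.

```python
# Constructed sample of the settings.properties keys this guide describes
# (placeholder host and password, not a real deployment).
SAMPLE_PROPERTIES = r"""
LDAP_PROVIDER_URLS = ldaps://dc01.innoslate.com:636
LDAP_SECURITY_PRINCIPAL = CN=Admin Innoslate,CN=Users,DC=innoslate,DC=com
LDAP_USER_CONTEXT = CN=Users,DC=innoslate,DC=com
LDAP_USER_SEARCH_FILTER = (&(objectClass=user)(sAMAccountName={0})(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
TRUSTSTORE_PATH = C:\\Innoslate4\\apache-tomcat-8.5.30\\webapps\\innoslate4\\WEB-INF\\cacerts
"""

def parse_properties(text):
    r"""Minimal Java .properties reader: KEY = value lines, '#'/'!' comments,
    and the backslash escaping that makes C:\\Innoslate4 read as C:\Innoslate4."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")   # only the first '=' separates key and value
        props[key.strip()] = value.strip().replace("\\\\", "\\")
    return props

def user_context_from_principal(dn):
    r"""Section 2, step 9: LDAP_USER_CONTEXT is the bind DN after its first comma.
    Split on the first *unescaped* comma so a CN like 'Innoslate\, Admin' stays whole."""
    for i, ch in enumerate(dn):
        if ch == "," and (i == 0 or dn[i - 1] != "\\"):
            return dn[i + 1:]
    raise ValueError("bind DN has no container component: " + dn)

def check_ldaps_settings(props):
    """Return the problems to fix before restarting the Innoslate service."""
    problems = []
    url = props.get("LDAP_PROVIDER_URLS", "")
    if not url.startswith("ldaps://"):
        problems.append("LDAP_PROVIDER_URLS must use ldaps:// (port 636) for LDAPS")
    expected = user_context_from_principal(props.get("LDAP_SECURITY_PRINCIPAL", ""))
    if props.get("LDAP_USER_CONTEXT") != expected:
        problems.append("LDAP_USER_CONTEXT should be " + expected)
    flt = props.get("LDAP_USER_SEARCH_FILTER", "")
    if "{0}" not in flt:
        problems.append("LDAP_USER_SEARCH_FILTER lacks the {0} username placeholder")
    # 1.2.840.113556.1.4.803 is the AD bitwise-AND matching rule; bit 2 is ACCOUNTDISABLE.
    if "userAccountControl:1.2.840.113556.1.4.803:=2" not in flt:
        problems.append("search filter does not exclude disabled accounts")
    if not props.get("TRUSTSTORE_PATH", "").lower().endswith("cacerts"):
        problems.append("TRUSTSTORE_PATH does not point at the imported cacerts file")
    return problems
```

Run `check_ldaps_settings(parse_properties(open("settings.properties").read()))` against the real file; an empty list means the keys agree with each other.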