From e077450593e1271e6c50e2e406f092aec5040af3 Mon Sep 17 00:00:00 2001
From: Mark Craig <mark.craig@forgerock.com>
Date: Wed, 21 Sep 2011 15:09:19 +0000
Subject: [PATCH] Added pass through to Active Directory, showing a bit more of PTA than before
---
opendj3/src/main/docbkx/admin-guide/chap-pta.xml | 163 +++++++++++++++++++++++++++++++++++++++++++++++++++---
1 files changed, 154 insertions(+), 9 deletions(-)
diff --git a/opendj3/src/main/docbkx/admin-guide/chap-pta.xml b/opendj3/src/main/docbkx/admin-guide/chap-pta.xml
index a7e7432..ce10f35 100644
--- a/opendj3/src/main/docbkx/admin-guide/chap-pta.xml
+++ b/opendj3/src/main/docbkx/admin-guide/chap-pta.xml
@@ -31,7 +31,7 @@
xmlns:xinclude='http://www.w3.org/2001/XInclude'>
<title>Configuring Pass Through Authentication</title>
- <para>This chapter focuses on pass through authentication, whereby you
+ <para>This chapter focuses on pass through authentication (PTA), whereby you
configure another server to determine the response to an authentication
request. A typical use case for pass through authentication involves
passing authentication through to Active Directory for users coming
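Review bot: the abbreviation PTA is introduced here but the text added further down in this patch keeps spelling out "pass through authentication" in every sentence, so either use PTA after this first mention or drop the parenthetical. While touching the sentence, settle on one form of the compound ("pass through" versus "pass-through") for the chapter; the policy type is spelled ldap-pass-through.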
@@ -108,14 +108,15 @@
<para>Make note of the host name used in the certificate.</para>
<para>You use the host name when configuring the SSL connection. With
OpenDJ, you can view the certificate details as shown here.</para>
- <screen>$ keytool -list -v -alias server-cert -keystore keystore -storepass `cat keystore.pin`
+ <screen>$ keytool -list -v -alias server-cert -keystore keystore
+ -storepass `cat keystore.pin`
Alias name: server-cert
Creation date: Sep 12, 2011
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
-Owner: CN=<emphasis role="strong">opendj.example.com</emphasis>, O=OpenDJ Self-Signed Certificate
-Issuer: CN=<emphasis role="strong">opendj.example.com</emphasis>, O=OpenDJ Self-Signed Certificate
+Owner: CN=<emphasis role="strong">pta-server.example.com</emphasis>, O=OpenDJ Self-Signed Certificate
+Issuer: CN=<emphasis role="strong">pta-server.example.com</emphasis>, O=OpenDJ Self-Signed Certificate
Serial number: 4e6dc429
Valid from: Mon Sep 12 10:34:49 CEST 2011 until: Wed Sep 11 10:34:49 CEST 2013
Certificate fingerprints:
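Review bot: wrapping the keytool command at `-storepass` with no trailing backslash means a reader who pastes the two lines runs `-storepass \`cat keystore.pin\`` as a separate command; either end the first line with `\` or state that the wrap is for page layout only (the existing import example in the next hunk has the same issue). Renaming the Owner/Issuer CN to pta-server.example.com is the right fix, since the paragraph just above tells the reader that this CN is the host name checked when the SSL connection is made, and the old value did not match the host in the dsconfig command.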
@@ -126,12 +127,12 @@
</step>
<step>
<para>Import the authentication server certificate into OpenDJ's
- keystore.</para>
+ key store.</para>
<screen>$ cd /path/to/OpenDJ/config
$ keytool -importcert -alias pta-cert -keystore truststore
-storepass `cat keystore.pin` -file /tmp/pta-srv-cert.pem
-Owner: CN=opendj.example.com, O=OpenDJ Self-Signed Certificate
-Issuer: CN=opendj.example.com, O=OpenDJ Self-Signed Certificate
+Owner: CN=pta-server.example.com, O=OpenDJ Self-Signed Certificate
+Issuer: CN=pta-server.example.com, O=OpenDJ Self-Signed Certificate
Serial number: 4e6dc429
Valid from: Mon Sep 12 10:34:49 CEST 2011 until: Wed Sep 11 10:34:49 CEST 2013
Certificate fingerprints:
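Review bot: the changed wording "key store" does not match the command, which imports into the file named `truststore` (`-keystore truststore`); say "trust store" so the reader does not import the remote certificate into the key store holding the server's own private key. The same wording appears in the Active Directory procedure added later in this patch. Since the certificate goes in under alias pta-cert in config/truststore, the `trust-manager-provider:JKS` referenced in the policy must be the provider backed by that file, which is worth stating next to this step.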
@@ -156,7 +157,7 @@
authentication to the authentication server.</para>
<screen>$ dsconfig -p 4444 -h `hostname` -D "cn=directory manager" -w password
create-password-policy --type ldap-pass-through --policy-name "PTA Policy"
- --set primary-remote-ldap-server:Mark-Craigs-MacBook-Pro.local:2636
+ --set primary-remote-ldap-server:pta-server.example.com:636
--set mapped-attribute:uid --set mapped-search-base-dn:"dc=PTA Server,dc=com"
--set mapping-policy:mapped-search --set use-ssl:true
--set trust-manager-provider:JKS -X -n</screen>
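Review bot: the port change to 636 is consistent with `use-ssl:true`, but the bind DN here is `cn=directory manager` while the new procedure uses `cn=Directory Manager`; both bind, because cn matching is case-insensitive, but the chapter should use one spelling. The example also leaves the bind password on the command line (`-w password`), which is acceptable for a sample but worth a sentence if the chapter wants to discourage copying that into real shells.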
@@ -181,9 +182,153 @@
<procedure xml:id="configure-pta-to-ad">
<title>To Configure Pass Through Authentication To Active Directory</title>
+ <indexterm><primary>Authenticate to Active Directory</primary></indexterm>
+
+ <para>The steps below demonstrate setting up pass through authentication
+ to Active Directory. Here is some background to help you make sense of the
+ steps.</para>
+
+ <para>Entries on the OpenDJ side use <literal>uid</literal> as the naming
+ attribute, and entries also have <literal>cn</literal> attributes. Active
+ Directory entries use <literal>cn</literal> as the naming attribute.
+ User entries on both sides share the same <literal>cn</literal> values. The
+ mapping between entries therefore uses <literal>cn</literal>.</para>
+
+ <para>Consider the example where an OpenDJ account with <literal>cn=LDAP
+ PTA User</literal> and DN
+ <literal>uid=ldapptauser,ou=People,dc=example,dc=com</literal> corresponds
+ to an Active Directory account with DN <literal>CN=LDAP PTA
+ User,CN=Users,DC=internal,DC=forgerock,DC=com</literal>. The steps below
+ enable the user with <literal>cn=LDAP PTA User</literal> on OpenDJ
+ authenticate through to Active Directory.</para>
+
+ <screen>$ ldapsearch -h opendj.example.com -b dc=example,dc=com uid=ldapptauser cn
+dn: uid=ldapptauser,ou=People,dc=example,dc=com
+cn: LDAP PTA User
+
+$ ldapsearch -h ad.example.com -b "CN=Users,DC=internal,DC=forgerock,DC=com"
+ -D "cn=administrator,cn=Users,DC=internal,DC=forgerock,DC=com" -w password
+ "(cn=LDAP PTA User)" cn
+dn: CN=LDAP PTA User,CN=Users,DC=internal,DC=forgerock,DC=com
+cn: LDAP PTA User</screen>
+
+ <para>OpenDJ must map its
+ <literal>uid=ldapptauser,ou=People,dc=example,dc=com</literal> entry to the
+ Active Directory entry, <literal>CN=LDAP PTA
+ User,CN=Users,DC=internal,DC=forgerock,DC=com</literal>. In order to do the
+ mapping, OpenDJ has to perform a search for the user in Active Directory
+ using the <literal>cn</literal> value it recovers from its own entry for the
+ user. Active Directory does not allow anonymous searches, so part of the
+ authentication policy configuration consists of the administrator DN and
+ password OpenDJ uses to bind to Active Directory to be able to search.</para>
+
+ <para>Finally, before setting up the pass through authentication policy,
+ make sure OpenDJ can connect to Active Directory over a secure connection
+ to avoid sending passwords in the clear.</para>
<step>
- <para>TODO</para>
+ <para>Export the certificate from the Windows server.</para>
+ <substeps>
+ <step>
+ <para>Click start > All Programs > Administrative Tools >
+ Certification Authority, then right-click the CA and select
+ Properties.</para>
+ </step>
+ <step>
+ <para>In the General tab, select the certificate and click View
+ Certificate.</para>
+ </step>
+ <step>
+ <para>In the Certificate dialog, click the Details tab, then click
+ Copy to File...</para>
+ </step>
+ <step>
+ <para>Use the Certificate Export Wizard to export the certificate into
+ a file, such as <filename>windows.cer</filename>.</para>
+ </step>
+ </substeps>
+ </step>
+ <step>
+ <para>Copy the exported certificate to the system running OpenDJ.</para>
+ </step>
+ <step>
+ <para>Import the server certificate into OpenDJ's key store.</para>
+ <screen>$ cd /path/to/OpenDJ/config
+$ keytool -importcert -alias ad-cert -keystore truststore
+ -storepass `cat keystore.pin` -file ~/Downloads/windows.cer
+Owner: CN=internal-ACTIVEDIRECTORY-CA, DC=internal, DC=forgerock, DC=com
+Issuer: CN=internal-ACTIVEDIRECTORY-CA, DC=internal, DC=forgerock, DC=com
+Serial number: 587465257200a7b14a6976cb47916b32
+Valid from: Tue Sep 20 11:14:24 CEST 2011 until: Tue Sep 20 11:24:23 CEST 2016
+Certificate fingerprints:
+ MD5: A3:D6:F1:8D:0D:F9:9C:76:00:BC:84:8A:14:55:28:38
+ SHA1: 0F:BD:45:E6:21:DF:BD:6A:CA:8A:7C:1D:F9:DA:A1:8E:8A:0D:A4:BF
+ Signature algorithm name: SHA1withRSA
+ Version: 3
+
+Extensions:
+
+#1: ObjectId: 2.5.29.19 Criticality=true
+BasicConstraints:[
+ CA:true
+ PathLen:2147483647
+]
+
+#2: ObjectId: 2.5.29.15 Criticality=false
+KeyUsage [
+ DigitalSignature
+ Key_CertSign
+ Crl_Sign
+]
+
+#3: ObjectId: 2.5.29.14 Criticality=false
+SubjectKeyIdentifier [
+KeyIdentifier [
+0000: A3 3E C0 E3 B2 76 15 DC 97 D0 B3 C0 2E 77 8A 11 .>...v.......w..
+0010: 24 62 70 0A $bp.
+]
+]
+
+#4: ObjectId: 1.3.6.1.4.1.311.21.1 Criticality=false
+
+Trust this certificate? [no]: yes
+Certificate was added to keystore</screen>
+ <para>At this point OpenDJ can connect to Active Directory over SSL.</para>
+ </step>
+ <step>
+ <para>Set up an authentication policy for OpenDJ users to authenticate
+ to Active Directory.</para>
+ <screen>$ dsconfig -p 4444 -h `hostname` -D "cn=Directory Manager" -w password
+ create-password-policy --type ldap-pass-through --policy-name "AD PTA Policy"
+ --set primary-remote-ldap-server:ad.example.com:636 --set mapped-attribute:cn
+ --set mapped-search-base-dn:"CN=Users,DC=internal,DC=forgerock,DC=com"
+ --set mapped-search-bind-dn:"cn=administrator,cn=Users,DC=internal,DC=forgerock
+ ,DC=com" --set mapped-search-bind-password:password
+ --set mapping-policy:mapped-search
+ --set trust-manager-provider:JKS --set use-ssl:true -X -n</screen>
+ </step>
+ <step>
+ <para>Assign the authentication policy to a test user.</para>
+ <screen>$ ldapmodify -p 1389 -D "cn=Directory Manager" -w password
+dn: uid=ldapptauser,ou=People,dc=example,dc=com
+changetype: modify
+add: ds-pwp-password-policy-dn
+ds-pwp-password-policy-dn: cn=AD PTA Policy,cn=Password Policies,cn=config
+
+Processing MODIFY request for uid=ldapptauser,ou=People,dc=example,dc=com
+MODIFY operation successful for DN uid=ldapptauser,ou=People,dc=example,dc=com</screen>
+ </step>
+ <step>
+ <para>Check that the user can bind using pass through authentication to
+ Active Directory.</para>
+ <screen>$ ldapsearch -h opendj.example.com -p 1389 -b dc=example,dc=com
+ -D uid=ldapptauser,ou=People,dc=example,dc=com -w password
+ "(cn=LDAP PTA User)" userpassword cn
+dn: uid=ldapptauser,ou=People,dc=example,dc=com
+cn: LDAP PTA User</screen>
+ <para>Notice that to complete the search, the user authenticated with a
+ password to Active Directory, though no <literal>userpassword</literal>
+ value is present on the entry on the OpenDJ side.</para>
</step>
</procedure>
</section>
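Review bot: "enable the user with cn=LDAP PTA User on OpenDJ authenticate through to Active Directory" is missing "to" before "authenticate". In the dsconfig command, the quoted `mapped-search-bind-dn` value is broken across two lines between `DC=forgerock` and `,DC=com`, so anyone pasting it gets a newline and a space inside the DN; break the line between options instead. The mapped search binds to Active Directory as `cn=administrator`, and that password is stored in the OpenDJ configuration via `mapped-search-bind-password`; the example would set a better precedent with a dedicated read-only account that can only search `CN=Users`. The certificate exported from the Windows server and imported as ad-cert is the CA certificate (Owner `CN=internal-ACTIVEDIRECTORY-CA`, `BasicConstraints` with `CA:true`), not the LDAP server's certificate, so the step titles should say "CA certificate" and the text should note that OpenDJ will then trust any certificate issued by that CA. As in the earlier hunk, "Import the server certificate into OpenDJ's key store" should read "trust store" because the command targets `-keystore truststore`. Minor: "Click start" should be "Click Start".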
--
Gitblit v1.10.0