DATPROF Runtime provides the ability to import LDAP users and use them for authentication. 

The configuration for the LDAP integration can be found on the Users page of the Runtime toolbar.


The properties can be saved here, and DATPROF Runtime provides a way to validate the imported users before synchronization. After synchronization, any imported user will be able to log in to DATPROF Runtime using their LDAP username or email address together with their LDAP password.

The users will be periodically synchronized with the LDAP directory so that usernames and user details are always in sync. The synchronization interval is configurable from this page as well.

(Important: the Runtime instance must be restarted for a new synchronization interval to take effect; the other configuration options can be changed on the fly.)

Configuration

This section explains the different configuration options for setting up a successful LDAP integration.

LDAP url

This is the main URL pointing to your running LDAP server. The format should be "ldap://{host}:{port}".

LDAP base

This is the base DN, the point from which the server will look for users. The base is prepended to the authentication base and the user search base.

LDAP username

The username of the LDAP account used to log in to the LDAP server. This does not need to be an admin account; read privileges are sufficient.

LDAP password

The password of that LDAP account.

LDAP authentication base

This is the base DN that is used for user authentication (the LDAP base is prepended to it).

LDAP user search base

This is the base DN that is used for finding users (the LDAP base is prepended to it).

LDAP user filter

This is the filter that can be used to further restrict the imported users to those with specific properties.

The following link provides more information on how to configure this filter.

LDAP Search filter cheat sheet

LDAP synchronization interval in minutes

This configuration option contains the interval at which the DATPROF Runtime server synchronizes the LDAP users with the local database. (Important: changing this value requires a restart for the change to take effect.)

Test filter

The Test filter button can be used to test the given LDAP configuration. It attempts to connect with the provided connection details and retrieve a list of users using the user search base and the user filter.
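The Test filter button only reports success or failure from inside Runtime. As an added example (not part of DATPROF Runtime), the PowerShell script below performs the same two steps from a prompt, a bind with the service account followed by a search with the user filter under the user search base, so that LDAP-side problems (wrong host or port, wrong bind DN or password, wrong search base, a filter that matches nobody) can be told apart from Runtime configuration problems. Every value at the top is an assumption for the example and must be replaced with the settings from your Users page; the group name and bind account are invented.

```powershell
# Added example (not part of DATPROF Runtime): reproduce what Runtime's "Test filter" button does
# from a PowerShell prompt. Every value below is an assumption; replace it with your own settings.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$LdapHost       = 'ldap.example.com'    # host part of the LDAP url
$LdapPort       = 389                   # 389 for ldap://, 636 for ldaps://
$LdapBase       = 'dc=example,dc=com'   # LDAP base
$UserSearchBase = 'ou=people'           # LDAP user search base (Runtime prepends the LDAP base)
$UserFilter     = '(&(objectClass=person)(memberOf=cn=datprof-users,ou=groups,dc=example,dc=com))'
$BindDn         = 'cn=runtime-reader,ou=service,dc=example,dc=com'   # read-only bind account
$BindPassword   = Read-Host -Prompt 'LDAP password' -AsSecureString  # never hard-code it in a script

# Runtime prepends the LDAP base to the user search base, so build the same DN here.
$SearchBase = "$UserSearchBase,$LdapBase"

$identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($LdapHost, $LdapPort)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
$conn.SessionOptions.ProtocolVersion = 3
$conn.SessionOptions.SecureSocketLayer = ($LdapPort -eq 636)
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
$plainPassword = [System.Net.NetworkCredential]::new('', $BindPassword).Password
$conn.Credential = New-Object System.Net.NetworkCredential($BindDn, $plainPassword)

try {
    # Step 1: bind. This fails if host/port, bind DN or password are wrong, or (on 636)
    # if Windows does not trust the server certificate.
    $conn.Bind()

    # Step 2: run the user filter under the user search base, as Runtime does.
    $attrs   = [string[]]@('uid', 'sAMAccountName', 'mail')
    $scope   = [System.DirectoryServices.Protocols.SearchScope]::Subtree
    $request = New-Object System.DirectoryServices.Protocols.SearchRequest($SearchBase, $UserFilter, $scope, $attrs)
    $response = $conn.SendRequest($request)

    Write-Host ("{0} user(s) matched {1} under {2}" -f $response.Entries.Count, $UserFilter, $SearchBase)
    foreach ($entry in $response.Entries) {
        $mail = ''
        if ($entry.Attributes.Contains('mail')) { $mail = $entry.Attributes['mail'].GetValues([string])[0] }
        Write-Host ("  {0}  {1}" -f $entry.DistinguishedName, $mail)
    }
}
catch [System.DirectoryServices.Protocols.DirectoryException] {
    # LdapException: connection or bind problems. DirectoryOperationException: bad search base or filter.
    Write-Error ("{0}: {1}" -f $_.Exception.GetType().Name, $_.Exception.Message)
}
finally {
    $conn.Dispose()
}
```

Two things to keep in mind when reading the result. A simple bind over ldap:// on port 389 sends the service account password, and later every user's login password, to the directory in clear text, which is the reason to complete the LDAP over SSL steps in the next section. And when the script is run against port 636, the certificate is validated against the Windows certificate store, not against the JDK cacerts file that Runtime uses; a successful bind here combined with the PKIX error in Runtime therefore points at the cacerts import described below.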

Using LDAP over SSL

LDAP over SSL is supported, but without further configuration Runtime will return the following error:

[Root exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]

In order to use secure LDAP, you will need to import the certificate used for SSL into the cacerts file of the JRE that ships with Runtime. This file can be found in your Runtime installation under runtime\jdk\lib\security. Copy your SSL certificate to this folder.

Extending our PATH to include keytool

REM By default, keytool is not part of PATH. We will need to add it.

set path=%path%;<your file explorer's path to the runtime folder>\jdk\bin

example:
set path=%path%;C:\Users\yoeri\Documents\DATPROF\Runtime\runtime-4.3.0\jdk\bin

Now that we can use keytool, let's make the security folder our current directory.

Moving our current directory

cd <your system path to the Runtime security folder> 

example:

cd C:\Users\yoeri\Documents\DATPROF\Runtime\runtime-4.3.0\jdk\lib\security

You can use the cacerts file to store your certificates. 

The cacerts file is protected by a password. The default password of the cacerts file is changeit. You should change this password to one of your own.

Changing the keystore password

keytool -storepasswd -keystore cacerts
Enter keystore password:  changeit
New keystore password:  new-password
Re-enter new keystore password:  new-password


Now, let's list the contents of our cacerts file.

Listing existing cacerts content

keytool -list -v -keystore cacerts

Enter keystore password:  new-password

You should now see a large amount of text printed. These are all the existing certificates in cacerts. Now we'll add our certificate.

Importing our certificate into cacerts

keytool -import -alias <the name of your certificate without its file extension> -keystore cacerts -file <the full file name of your certificate + extension>

example:

keytool -import -alias certificate -keystore cacerts -file certificate.crt

Trust this certificate? [no]:  yes
Certificate was added to keystore

Alternatively, you can store your certificate elsewhere and supply the full system path to that location with the -file option.

After this has been done, and your LDAP settings in Runtime have been adjusted to the right connection strings, LDAP over SSL will work. Restart Runtime to load your changes.

Don't forget to change your LDAP port to 636 (the default LDAPS port), and to change the LDAP URL in your Runtime configuration to start with ldaps:// instead of ldap://.
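The manual PATH, cd and keytool steps above are easy to get wrong on a second server or after a certificate renewal. As an added example (not a DATPROF script), the PowerShell script below performs the same import against the JDK bundled with Runtime, but also prints the certificate before trusting it, backs up cacerts, replaces a stale entry with the same alias, and verifies the result. The default Runtime folder, the certificate path and the alias are assumptions; the script must be run by an account that can write to the jdk\lib\security folder.

```powershell
# Added example (not a DATPROF script): import the LDAP server's certificate into the cacerts
# truststore of the JDK bundled with Runtime and verify the result. The Runtime folder,
# certificate path and alias are assumptions; adjust them to your installation.
param(
    [Parameter(Mandatory = $true)][string]$CertFile,             # e.g. C:\certs\ldap-ca.crt
    [string]$RuntimeHome = 'C:\DATPROF\Runtime\runtime-4.3.0',   # assumption: your Runtime install folder
    [string]$Alias = ''                                          # default: file name without extension
)

$keytool = Join-Path $RuntimeHome 'jdk\bin\keytool.exe'
$cacerts = Join-Path $RuntimeHome 'jdk\lib\security\cacerts'
foreach ($path in @($keytool, $cacerts, $CertFile)) {
    if (-not (Test-Path -Path $path)) { throw "Not found: $path" }
}
if (-not $Alias) { $Alias = [System.IO.Path]::GetFileNameWithoutExtension($CertFile) }

# Show subject, issuer, validity and fingerprints before anything is trusted.
& $keytool -printcert -file $CertFile
if ($LASTEXITCODE -ne 0) { throw "$CertFile is not a readable certificate" }

# keytool can read the keystore password from an environment variable (-storepass:env), which
# keeps it out of the command line and therefore out of process listings. Default is changeit.
$env:CACERTS_PASS = Read-Host -Prompt 'cacerts password'

# Keep a copy of cacerts so an unwanted import can be rolled back by copying the file back.
$backup = "$cacerts.bak-$(Get-Date -Format 'yyyyMMdd-HHmmss')"
Copy-Item -Path $cacerts -Destination $backup -ErrorAction Stop
Write-Host "Backup written to $backup"

# A renewed certificate reuses the alias; remove the stale entry first or the import is refused.
& $keytool -list -keystore $cacerts '-storepass:env' CACERTS_PASS -alias $Alias *> $null
if ($LASTEXITCODE -eq 0) {
    & $keytool -delete -keystore $cacerts '-storepass:env' CACERTS_PASS -alias $Alias
}

# -importcert is the full name of -import. -noprompt answers "Trust this certificate?" with yes,
# which is acceptable only because the certificate was printed and inspected above.
& $keytool -importcert -noprompt -alias $Alias -keystore $cacerts '-storepass:env' CACERTS_PASS -file $CertFile
if ($LASTEXITCODE -ne 0) { throw "keytool import failed (exit code $LASTEXITCODE)" }

# Verify that the entry is now in the truststore.
& $keytool -list -keystore $cacerts '-storepass:env' CACERTS_PASS -alias $Alias
Remove-Item Env:\CACERTS_PASS
Write-Host "Imported '$Alias'. Restart Runtime and switch the LDAP url to ldaps:// on port 636."
```

Usage: `.\Import-LdapCert.ps1 -CertFile C:\certs\ldap-ca.crt -RuntimeHome 'C:\Users\yoeri\Documents\DATPROF\Runtime\runtime-4.3.0'` (script name and paths are placeholders). Importing the certificate of the CA that issued the LDAP server certificate, rather than the server's own certificate, has the advantage that the trust survives a renewal of the server certificate, because PKIX path building only needs the issuer to be present in cacerts.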