Integration with an LDAP Server
1. LDAP Integration
- 1.1) Create a user in your LDAP server with permissions to search the LDAP directory. For example, this user could be called ‘asset-bank-app’.
- 1.2) Open the settings file ([tomcat]/asset-bank/WEB-INF/classes/ApplicationSettings.properties)
- 1.3) Look for the section which starts with the comment ‘Active Directory Settings’
- 1.4) Change the settings according to your needs. In particular, you need to ensure that:
- suspend-ad-authentication=false
- exchange-synchronise-period-millis=14400000 (or whatever period you want)
- The property ‘ad-ldap-server-url’ needs to be ldap:// followed by the IP address (or domain name) of your LDAP server.
- The property ‘ad-ldap-base-list’ needs to be the Distinguished Name of the node in the LDAP tree at which you want to start searching for users.
- The properties ‘ad-wms-user-distinguished-name’ and ‘ad-wms-user-password’ should be changed to match the details of the user you created in the LDAP server in step 1.1.
- 1.5) If you have more than one LDAP server (for example for backup purposes) then you can add details of these in the sections commented ‘LDAP Server 2’, ‘LDAP Server 3’, etc. The comments and examples in the settings file explain how to do this.
- 1.6) To integrate Asset Bank with an LDAP server that requires SSL access, you need to:
- a) Change the protocol in the ‘ad-ldap-server-url’ property from ldap:// to ldaps://
- b) Import the server's certificate into the keystore of the JRE, as follows:
- Make sure you are a user with permission to change files in [java]/jre/lib/security – on Windows this probably means being an administrator.
- cd into [java]/jre/lib/security : where [java]/jre is the JRE you are using to run Tomcat (you may need to check which JRE Tomcat is using).
- Make sure you know the path to the cert file [called cert.crt in the command below].
- Type the following command: keytool -import -keystore jssecacerts -file [/path-to-cert/cert.crt]. Note 1: keytool needs to be in the PATH for this to work – otherwise, type the full path, e.g. [java]/jre/bin/keytool. Note 2: the default Java keystore password is 'changeit'.
- Check that the keystore ‘jssecacerts’ exists and that the cert has been imported into it – the previous command should have created it if it didn’t exist already. Each keystore is stored as a file in the ‘security’ directory, i.e. a file called ‘jssecacerts’ should now exist in [java]/jre/lib/security. You can list the certs in the jssecacerts keystore with this command: keytool -list -keystore jssecacerts. If the cert has not been imported for some reason we advise using JXplorer to troubleshoot (see below).
- 1.7) When you have finished changing ApplicationSettings.properties you will need to restart the webapp (or Tomcat) for the changes to take effect. Asset Bank will do its first synchronisation with the LDAP server approximately one minute after it has started up (and then regularly, depending on the setting ‘exchange-synchronise-period-millis’). Depending on the number of users in your LDAP server the initial synchronisation may take some time. Once it has finished you should see the users in the Users section of Admin.
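Before restarting Tomcat it is worth checking the edited properties once, mechanically, rather than discovering a mistake after the first synchronisation fails. The script below is an added example and not part of Asset Bank or its documentation; the property values it embeds are constructed, the property names are those from step 1.4, and the keystore check assumes keytool is on the PATH and the default 'changeit' password from step 1.6.

```shell
#!/bin/sh
# Constructed sample of the 'Active Directory Settings' section (hypothetical values).
SAMPLE_PROPS='# Active Directory Settings
suspend-ad-authentication=false
exchange-synchronise-period-millis=14400000
ad-ldap-server-url=ldap://ldap.example.internal
ad-ldap-base-list=OU=Users,DC=example,DC=internal
ad-wms-user-distinguished-name=CN=asset-bank-app,OU=Service Accounts,DC=example,DC=internal
ad-wms-user-password=REPLACE_ME'

# prop FILE KEY -> prints the value of KEY (first match, surrounding whitespace stripped).
prop() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# check_ldap_settings FILE
# Returns 0 if the settings are complete enough for the first sync, 1 otherwise.
# A plain ldap:// URL is only a warning, because it is what step 1.4 asks for,
# but it does mean the service account password crosses the network unencrypted
# (step 1.6 describes switching to ldaps://).
check_ldap_settings() {
    file=$1; rc=0
    [ "$(prop "$file" suspend-ad-authentication)" = "false" ] \
        || { echo "FAIL: suspend-ad-authentication must be false"; rc=1; }
    url=$(prop "$file" ad-ldap-server-url)
    case $url in
        ldaps://*) echo "OK: LDAP over TLS ($url)" ;;
        ldap://*)  echo "WARN: plaintext LDAP ($url); bind password is sent unencrypted" ;;
        *)         echo "FAIL: ad-ldap-server-url must start with ldap:// or ldaps://"; rc=1 ;;
    esac
    [ -n "$(prop "$file" ad-ldap-base-list)" ] \
        || { echo "FAIL: ad-ldap-base-list is empty"; rc=1; }
    [ -n "$(prop "$file" ad-wms-user-distinguished-name)" ] \
        || { echo "FAIL: ad-wms-user-distinguished-name is empty"; rc=1; }
    [ -n "$(prop "$file" ad-wms-user-password)" ] \
        || { echo "FAIL: ad-wms-user-password is empty"; rc=1; }
    return $rc
}

# keystore_has_cert KEYSTORE ALIAS -> 0 if keytool lists ALIAS in KEYSTORE.
# Use after step 1.6b, e.g. keystore_has_cert jssecacerts mykey ('mykey' is
# keytool's default alias when -alias is not given on import).
keystore_has_cert() {
    keytool -list -keystore "$1" -storepass changeit -alias "$2" >/dev/null 2>&1
}
```

Run it as `check_ldap_settings [tomcat]/asset-bank/WEB-INF/classes/ApplicationSettings.properties` from the server; a non-zero exit means at least one required property is missing or wrong.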
2. Troubleshooting
Please see our knowledgebase article on troubleshooting LDAP integration.