General Directory Setup
PWM generally requires some changes to your directory server in order to function correctly. First of all, a number of attributes are used to store PWM's data: password history, the questions and answers needed for password reset, the date of the last password change and, optionally, contact details such as (external) email addresses or mobile phone numbers for SMS notifications. Storing these requires changes to the schema.
Furthermore, a number of users and groups must be selected or set up to perform specific operations. Last but not least, those users need credentials and permissions that allow them to perform their tasks, and nothing more.
Some directories only allow encrypted connections, or require encryption for certain operations such as changing passwords. In these cases you need to connect PWM to the LDAPS (SSL/TLS) port, usually 636 or alternatively 1636. PWM allows you to use a promiscuous connection, which means it accepts any server certificate, valid or not. That is useful in development and testing environments, but unwanted in production: anyone who can intercept the connection can present their own certificate and read or modify the traffic, including the passwords PWM sets. In a production environment you want PWM, or in fact Java, to verify the LDAP server's certificate against a trusted issuer. There are three scenarios:
- You use a certificate issued by a generally recognized commercial certificate authority. The certificate of this authority should already be in the Java certificate database. If the server name in the LDAP URL is identical to the common name (or one of the subject alternative names) of the certificate, you're done.
- You use a certificate issued by a private certificate authority, for example one from NetIQ iManager or Microsoft Active Directory Certificate Services, or one created with a tool like TinyCA. In this case the certificate(s) of that certificate authority need(s) to be imported into the Java certificate database. See the instructions below.
- You use a self-signed certificate. In this case the self-signed certificate itself needs to be imported into the Java certificate database. See the instructions below.
In all cases you need to make sure that:
- The server certificate and all issuer certificates are still valid and have not expired.
- The host name in the LDAP URL is identical to the common name or one of the subject alternative names of the certificate. Connecting to ldaps://127.0.0.1:636 will therefore fail unless that IP address is listed in the certificate, while connecting to ldaps://ldap.example.com:636 will succeed if the certificate was issued to ldap.example.com.
To import the CA certificate or self-signed certificate into the certificate database, make sure you have it available in PEM format, also known as base64. If you were given a binary DER file (often named .cer or .der), convert it to PEM first. A PEM file looks like:

```
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
```
Now locate the certificate database. It is located in `$JAVA_HOME/lib/security/cacerts`, where `$JAVA_HOME` is the directory where Java is installed (on JDK 8 and older the file is under `$JAVA_HOME/jre/lib/security/cacerts`). Make sure this is the Java installation your application server actually runs with. Now use `keytool` to import the file:

```
keytool -importcert -keystore $JAVA_HOME/lib/security/cacerts -file example.pem -alias ldap.example.com
```

`keytool` will ask for the keystore password, which is `changeit` by default, and then show the certificate's subject, issuer and fingerprint and ask whether to trust it. Compare the fingerprint with the one you received from the directory administrator before answering yes. Note that a Java update may replace the `cacerts` file, in which case the certificate has to be imported again; alternatively keep the imported certificates in a separate truststore and point the JVM at it with `-Djavax.net.ssl.trustStore`.
After importing the certificate, restart your application server: the JVM reads the truststore when it starts, so a running instance will not see the new entry.
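The checks and the import described above, combined into one script. This is an added example and not PWM project code; the file names, the alias, the LDAP URL and the `STOREPASS` variable are assumptions for illustration. It verifies that the server certificate is PEM, has not expired and was issued for the host named in the LDAP URL (so that an IP address in the URL is caught before the import), locates the `cacerts` file for both the current and the JDK 8 layout, prints the SHA-256 fingerprint for comparison and then imports the certificate with `keytool`.

```shell
#!/bin/sh
# Added example (not PWM project code): check an LDAP server certificate
# against the LDAP URL, then import a CA or self-signed certificate into
# the Java truststore PWM's JVM uses. File names, the alias and the LDAP
# URL below are assumptions for illustration.
set -eu

# True if the file is a base64 (PEM) certificate.
is_pem() {
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" &&
        grep -q -e '-----END CERTIFICATE-----' "$1"
}

# Host part of an LDAP URL: ldaps://ldap.example.com:636 -> ldap.example.com
url_host() {
    printf '%s\n' "$1" | sed -e 's#^[a-zA-Z]*://##' -e 's#[:/].*$##'
}

# True if the host appears in an openssl-style SAN list such as
# "DNS:ldap.example.com, DNS:dc1.example.com, IP Address:10.0.0.5".
# Matching is case-insensitive and exact; an IP literal only matches an
# "IP Address:" entry, which is why ldaps://127.0.0.1:636 fails against a
# certificate issued to ldap.example.com.
host_in_sans() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    printf '%s\n' "$2" | tr ',' '\n' | tr -d ' ' | tr 'A-Z' 'a-z' |
        grep -qxF -e "dns:$host" -e "ipaddress:$host"
}

# Default truststore of a JVM; JDK 8 and older keep it under jre/.
cacerts_path() {
    if [ -f "$1/lib/security/cacerts" ]; then
        printf '%s\n' "$1/lib/security/cacerts"
    elif [ -f "$1/jre/lib/security/cacerts" ]; then
        printf '%s\n' "$1/jre/lib/security/cacerts"
    else
        return 1
    fi
}

# Verify that the *server* certificate (PEM) is still valid and was issued
# for the host named in the LDAP URL. For a self-signed server this is the
# same file you import; for a private CA, fetch the server certificate with
# "openssl s_client -connect host:636 -showcerts" and check that one.
check_server_cert() {
    pem=$1; ldap_url=$2
    openssl x509 -in "$pem" -noout -subject -dates -fingerprint -sha256
    openssl x509 -in "$pem" -noout -checkend 0 ||
        { echo "certificate has expired" >&2; return 1; }
    sans=$(openssl x509 -in "$pem" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1)
    host=$(url_host "$ldap_url")
    host_in_sans "$host" "$sans" ||
        { echo "$host is not in the SAN list: $sans" >&2; return 1; }
}

# Import a CA or self-signed certificate into $JAVA_HOME's cacerts.
# Compare the printed SHA-256 fingerprint with the one the directory admin
# gave you before trusting it; -noprompt skips keytool's own question.
import_trust() {
    pem=$1; alias=$2
    store=$(cacerts_path "${JAVA_HOME:?set JAVA_HOME to the JVM running PWM}")
    is_pem "$pem" || {
        echo "$pem is not PEM; convert with: openssl x509 -inform der -in $pem -out $pem.pem" >&2
        return 1
    }
    openssl x509 -in "$pem" -noout -fingerprint -sha256
    keytool -importcert -trustcacerts -noprompt -keystore "$store" \
        -storepass "${STOREPASS:-changeit}" -file "$pem" -alias "$alias"
    keytool -list -keystore "$store" -storepass "${STOREPASS:-changeit}" -alias "$alias"
}

# Usage (assumed file names):
#   JAVA_HOME=/usr/lib/jvm/java-17 sh ldap-trust.sh ca.pem ldap.example.com \
#       ldaps://ldap.example.com:636 server.pem
if [ "$#" -ge 3 ]; then
    check_server_cert "${4:-$1}" "$3"
    import_trust "$1" "$2"
fi
```

Run it with `JAVA_HOME` set to the JVM that actually runs your application server; the default keystore password is `changeit`, and `STOREPASS` lets you supply a changed one without editing the script.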