Configuring the Identity Manager driver for Active Directory with SSL



This article describes the steps required to install the Remote Loader and the AD driver on a Member Server instead of on the Domain Controller. SSL is required for some operations, such as password synchronization, so a server certificate must be installed on the DC to enable LDAP over SSL (LDAPS) on port 636.

This article is intended for Novell Identity Manager 2.01 on any platform, and Windows/AD 2003.

First, you need a CA (Certificate Authority) that can issue a certificate to the domain controller (DC). Several options are available: you can install Microsoft Certificate Services on the DC itself or on another Windows 2003 server. The easiest way is to install it on the DC, since that is the machine that needs LDAPS. If you decide to install it on a separate server, or to use another CA such as Novell eDirectory (Novell Certificate Server), Entrust or Verisign, refer to the Identity Manager documentation on Creating, Exporting, and Importing Certificates.
Also recommended is Microsoft Knowledge Base article 321051, How to enable LDAP over SSL with a third-party certification authority. Whatever CA you use, the DC certificate must sit in the DC's local computer Personal store together with its private key, carry the Server Authentication enhanced key usage, and name the DC's fully qualified DNS name as the subject CN or as a Subject Alternative Name; otherwise the DC will not offer it on port 636.

You can also use the web console of Microsoft Certificate Services to request a certificate. Open http://ca_address/certsrv, where ca_address is the host name or IP address of the server running Certificate Services.


1. After the DC has been restarted, open MMC, add the Certificates snap-in for the local computer (Computer account), and check that the certificate and its private key are installed properly.

Figure 1: Certificate snap-in for MMC, showing the certificates on the DC

2. Use ldp.exe, part of the Windows 2003 Support Tools (in the Support folder on the CD), to check that LDAPS is operational.

Figure 2: ldp.exe from the Support Tools - Microsoft's LDAP browser

3. Set the Connect parameters (the DC name, port 636, and the SSL option) as shown below.

Figure 3: Setting the Connect parameters

4. You should be able to connect anonymously if you are on the DC.

Figure 4: Connecting anonymously from the DC

5. On another machine, such as the Member Server, a bind may be required.

Figure 5: Bind parameters

6. After a bind, you should be able to select View/Tree and browse the tree.

Figure 6: View/Tree

7. From the Member Server, access the Web Console for Certificate Services.

8. Select Download a CA certificate, certificate chain, or CRL.

Figure 7: Selecting the download

9. Select Base 64 and then Download CA certificate chain.

Figure 8: Downloading the CA certificate chain

10. Save the file on disk.

Figure 9: Saving the file

11. Double-click the certificates file.

Figure 10: Selecting the certificates file

The file should contain two certificates, one for the CA and one for the DC; it may contain more if the CA has a parent CA.

12. Double-click the certificate for the CA first, then for the DC.

Figure 11: Selecting the CA and DC certificates

13. Click Install Certificate.

Figure 12: Installing the certificate

This CA should be OK/trusted. Validation includes fetching the CRL from the distribution points listed in the certificates; if the Member Server cannot reach them (for example because they point to an external address and the server has no internet access), you will see errors in the Event Viewer under Application.

Figure 13: Trusted/OK certificate

14. Install the certificate for the DC.

Figure 14: Installing the certificate for the DC

This certificate should be OK as well.

Figure 15: Trusted/OK certificate

15. Open MMC to be able to add the certificate snap-ins.

Figure 16: MMC

16. Add the snap-ins as shown below.

Figure 17: Adding the snap-ins

You should be able to find the CA certificate under Current User.

Figure 18: CA certificate under Current User

You should also be able to see the certificates for the Servers or DC as well.

Figure 19: Certificates for the Servers or DC

17. Copy and paste the certificates under Service (DirXML Loader). The Remote Loader runs as a Windows service, so a certificate that exists only in your own Current User store is invisible to it; it must be trusted in the service account's store or, alternatively, in the local computer's Trusted Root Certification Authorities store, which every account on the machine trusts.

Figure 20: Certificates under Service (DirXML Loader)

Figure 21: Certificates under Service (DirXML Loader) - continued

18. Set the parameters for the AD Driver similar to these:

Figure 22: Authentication parameter settings for the AD Driver

Figure 23: Driver setting parameters for the AD Driver

19. On the Member Server, make sure the name used as the driver's Authentication Context resolves to the DC. If DNS does not resolve it, add an entry to the hosts file (%SystemRoot%\System32\drivers\etc\hosts).

Figure 24: Item for authentication context for resolving the DC

You should be able to ping this address.

Figure 25: Pinging to the authentication address

20. Start the driver. If the SSL session cannot be established, DSTrace reports error 81 LDAP_SERVER_DOWN; the details are in Event Viewer on the Member Server.

Figure 26: LDAP_SERVER_DOWN details in Event Viewer on the Member Server

The SSL session is refused because the name the driver connects to must match the name in the DC certificate, and in this example the certificate's subject name (win2003.AD2003.NOVL.CA) does not match the Authentication Context value (win2003). If they differ, change the Authentication Context to the certificate's fully qualified name and, if that name does not resolve on the Member Server, add it to the hosts file.

Figure 27: SSL session refused
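The checks in steps 2 to 6 (ldp.exe against port 636) and the name mismatch of step 20 can also be reproduced from a script. The following Python program is an added example; it is not part of the original article and not Identity Manager code. It opens a TLS session to port 636 of the DC, has OpenSSL verify the chain against the CA certificate, and then compares the names in the DC certificate with the value you intend to use as Authentication Context, applying the rule current TLS clients use (exact, case-insensitive match, or a single wildcard as the whole leftmost label). The host names win2003 and win2003.AD2003.NOVL.CA are the ones from the article; the file name ca.cer is an assumption and must be the Base-64 encoded CA certificate (the PEM .cer produced by "Download CA certificate", because Python's ssl module does not read the .p7b chain file). The certificate dictionary EXAMPLE_DC_CERT is constructed for the offline check and is not a real DC certificate.

```python
import socket
import ssl
import sys

LDAPS_PORT = 636


def name_matches(cert_name: str, hostname: str) -> bool:
    """Compare one DNS name from a certificate with the name the client connected to.
    Case-insensitive; '*' is accepted only as the whole leftmost label and only when
    at least two labels follow it, which is how current TLS clients treat wildcards."""
    cert_name = cert_name.rstrip(".").lower()
    hostname = hostname.rstrip(".").lower()
    if "*" not in cert_name:
        return cert_name == hostname
    cert_labels = cert_name.split(".")
    host_labels = hostname.split(".")
    if cert_labels[0] != "*" or len(cert_labels) < 3:
        return False
    return len(cert_labels) == len(host_labels) and cert_labels[1:] == host_labels[1:]


def certificate_names(cert: dict) -> list:
    """Return the DNS names a certificate presents, read from the dictionary layout that
    ssl.SSLSocket.getpeercert() returns. Subject Alternative Name DNS entries take
    precedence; the subject CN is consulted only when there is no DNS SAN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    return [value for rdn in cert.get("subject", ()) for attr, value in rdn if attr == "commonName"]


def hostname_accepted(cert: dict, hostname: str) -> bool:
    """True when the TLS layer would accept `cert` for a connection made to `hostname`."""
    return any(name_matches(name, hostname) for name in certificate_names(cert))


def check_ldaps(hostname: str, cafile: str, port: int = LDAPS_PORT, timeout: float = 5.0) -> dict:
    """Open a TLS session to hostname:port and report which of the three checks the
    Remote Loader depends on fails: reachability, chain trust, or name match.
    The chain is verified by OpenSSL against `cafile` (PEM); the name comparison is
    done here so that the report shows the names the DC certificate actually carries."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False        # compared below, so a mismatch is reported rather than hidden
    ctx.verify_mode = ssl.CERT_REQUIRED
    report = {"host": hostname, "port": port, "tls_session": False, "chain_trusted": False,
              "name_ok": False, "cert_names": [], "error": None}
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        report["tls_session"] = True
        report["error"] = "chain not trusted: " + exc.verify_message
        return report
    except (OSError, ssl.SSLError) as exc:
        report["error"] = "no TLS session: %s" % exc
        return report
    report.update(tls_session=True, chain_trusted=True, cert_names=certificate_names(cert))
    report["name_ok"] = hostname_accepted(cert, hostname)
    if not report["name_ok"]:
        report["error"] = "name mismatch: certificate names %s, authentication context %r" % (
            report["cert_names"], hostname)
    return report


# Constructed stand-in for what getpeercert() returns for the DC in the article; not a real certificate.
EXAMPLE_DC_CERT = {
    "subject": ((("commonName", "win2003.AD2003.NOVL.CA"),),),
    "subjectAltName": (("DNS", "win2003.AD2003.NOVL.CA"),),
}


def diagnose_authentication_context(context: str, cert: dict = EXAMPLE_DC_CERT) -> str:
    """Explain whether a candidate Authentication Context value matches the DC certificate."""
    names = certificate_names(cert)
    if hostname_accepted(cert, context):
        return "ok: %r matches certificate names %s" % (context, names)
    return "mismatch: %r is not among %s; use the certificate name and a hosts entry if needed" % (
        context, names)


if __name__ == "__main__":
    # Usage: python ldaps_check.py [authentication-context] [ca.cer]
    host = sys.argv[1] if len(sys.argv) > 1 else "win2003.AD2003.NOVL.CA"
    print(diagnose_authentication_context("win2003"))   # the failing value from step 20
    print(diagnose_authentication_context(host))
    if len(sys.argv) > 2:                                # live check only when a CA file is given
        print(check_ldaps(host, sys.argv[2]))
```

Run it without arguments to see the offline diagnosis of the article's two values; pass the Authentication Context and the CA file to run the live check from the Member Server. A report with tls_session true but chain_trusted false means the CA certificate is not the one that issued the DC certificate (steps 7 to 17); chain_trusted true with name_ok false is exactly the step 20 situation, and cert_names tells you which value to put in the Authentication Context.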

Once you have gone through these steps, you should be able to run your driver successfully. Keep an eye on Event Viewer if you are experiencing issues such as error 81 LDAP_SERVER_DOWN.

The procedure may be different if the configuration is not the same, but these steps should be helpful in order to figure out where to look and what to fix for specific issues.

