Hi guys,
I was trying hard to set up DMC with authentication of domain users. The documentation is very weak and I'd like to share my findings here.
The customer is using Active Directory. Querying AD requires authentication and we have to use ldaps.
So I had to create a keystore for the root certificates of his own CA first:
keytool -importcert -keystore Config/MyTrustStore.p12 -storepass changeit -storetype pkcs12 -alias RootCA -file RootCA.pem -noprompt
keytool -importcert -keystore Config/MyTrustStore.p12 -storepass changeit -storetype pkcs12 -alias Sub1CA -file Sub1CA.pem -noprompt
I was using a simple (aka JRE default) password as there is no requirement to keep these certificates secure.
The TrustStore must be put into {dsmroot}/Config subdirectory.

On the second page I configured the bind user. I had to use the full distinguished name of this user and all the groups. I have simplified it in this graphic.

On the third page the trick was to have the right base dn for users and groups and the right attribute types.

ldapsearch -H ldaps://ldapserver.domain.de:636 -x -D "cn=bindusr,ou=Admins,dc=domain,dc=de" -W -b "dc=domain,dc=de" -s sub -a always -z 100 "(memberOf=cn=MyDomain-DB-Admins,ou=SomeGroup,ou=Admins,dc=domain,dc=de)" "samAccountName"
Finally we can test this setting on the fourth page, as otherwise we will lock ourselves out.

But just in case you lock yourself out, you have to use the utility
./dsutil/bin/enable_setup_admin.sh -u dmcadmin -p yourpassword
to be back in business again. Then you can easily reconfigure the LDAP setup. The setup is stored in the file {dsroot}/Config/ext_ldap_config_v2.json
I experienced an issue where I had to stop the server, delete this file and start the server again to make configuration possible again, because it was so messed up!
This happened when I also tried to configure groups for Database Administrators and Database Users in a similar fashion. After I entered the details I was not able to verify a test user anymore.
You can check for low level errors in the file {dsroot}/logs/DS_System.0
Good luck with your configuration! :-)
------------------------------
Roland Schock
IBM Champion and IBM Gold Consultant
------------------------------
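
A pre-flight check for the trust store and the LDAPS certificate chain described in the post above, as an added example that is not part of the original post or of IBM's tooling. The function names are hypothetical; the host name, file names and aliases are the ones used in the post, and the sample listing is constructed.

```shell
#!/bin/sh
# Added example: verify the trust store and the LDAPS chain before configuring DMC.
# Function names are hypothetical; host, files and aliases come from the post.

# Constructed sample of `keytool -list` output (fingerprints are placeholders).
SAMPLE_LISTING='Your keystore contains 2 entries

rootca, Jan 10, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): <placeholder>
sub1ca, Jan 10, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): <placeholder>'

# Reads `keytool -list` output on stdin. Prints every alias given as an
# argument that is NOT present as a trustedCertEntry and returns non-zero
# if any is missing. Matching is case-insensitive because keytool may
# display aliases in lower case.
missing_aliases() {
    listing=$(cat)
    missing=""
    for alias in "$@"; do
        if ! printf '%s\n' "$listing" | grep -i -q "^${alias},.*trustedCertEntry"; then
            missing="${missing}${missing:+ }${alias}"
        fi
    done
    printf '%s' "$missing"
    [ -z "$missing" ]
}

# $1 = keystore path, $2 = store password. A wrong password or a missing
# file yields an empty listing, so both aliases are reported as missing.
check_truststore() {
    keytool -list -keystore "$1" -storepass "$2" -storetype pkcs12 2>/dev/null |
        missing_aliases RootCA Sub1CA
}

# $1 = host:port, remaining arguments = CA certificates in PEM format.
# Fails if the chain presented by the LDAPS server does not verify.
# Note: openssl may also consult the system default CA store.
check_ldaps_chain() {
    hostport=$1; shift
    bundle=$(mktemp) || return 1
    cat "$@" > "$bundle"
    openssl s_client -connect "$hostport" -CAfile "$bundle" \
        -verify_return_error </dev/null >/dev/null 2>&1
    rc=$?
    rm -f "$bundle"
    return "$rc"
}

# Usage:
#   check_truststore Config/MyTrustStore.p12 changeit
#   check_ldaps_chain ldapserver.domain.de:636 RootCA.pem Sub1CA.pem
```
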