How to Enable Pulse Authentication with LDAP over SSL (LDAPS)

Article ID: 294157

Updated On:

Products

VMware Tanzu GemFire

Issue/Introduction

This document explains how to enable SSL/TLS on an OpenLDAP server and how to configure GemFire Pulse to authenticate users over LDAP over SSL (LDAPS).

Prerequisites

1. You have set up OpenLDAP (or another directory service) successfully.

2. You have set up GemFire with Pulse successfully.

3. This article uses OpenSSL to generate the server certificate and private key file, so OpenSSL must be installed on the LDAP host. The JDK that runs the locator (and with it the keytool utility) is needed on the Pulse host to import the certificate into the Java truststore.


Environment


Resolution

The process of configuring SSL/TLS for the OpenLDAP server is as follows:
  • Create a self-signed X.509v3 certificate (PEM format, that is Base64-encoded DER) together with its private key, as shown in the example below. The -nodes option leaves the private key unencrypted so that slapd can start unattended; restrict the key file to root and the ldap service account.
[root@centos7v64 cn=config]# openssl req -new -x509 -nodes -out /etc/pki/tls/certs/myexampleldap.pem -keyout /etc/pki/tls/certs/myexampleldapkey.pem -days 365
Provide your organization's details when prompted. The Common Name must be the hostname that Pulse will use in its ldaps:// URL (here centos7v64.myexample.com): the Java LDAP client checks the server certificate against that hostname (by default since JDK 8u181), and a mismatch fails the TLS handshake. Note that this certificate expires after 365 days and must be reissued and re-imported on the Pulse host before then.
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Tokyo
Locality Name (eg, city) [Default City]:Tokyo
Organization Name (eg, company) [Default Company Ltd]:Myexample
Organizational Unit Name (eg, section) []:GSS
Common Name (eg, your name or your server's hostname) []:centos7v64.myexample.com
Email Address []:[email protected]

Configure olcTLSCertificateFile and olcTLSCertificateKeyFile for the OpenLDAP server.

These two attributes belong to the global configuration entry (cn=config, object class olcGlobal), not to a database entry. The supported way to set them is ldapmodify against cn=config over ldapi:///. If you edit the slapd.d files directly instead, stop slapd first, open

/etc/openldap/slapd.d/cn=config.ldif

and add (or replace any existing) olcTLSCertificateFile/olcTLSCertificateKeyFile lines. Both files must be readable by the account slapd runs as (ldap on CentOS 7), and the key file should be mode 0640 or stricter; otherwise slapd fails to start its TLS listener.

[root@linux1 ~]# cd /etc/openldap/slapd.d
[root@linux1 slapd.d]# vi cn=config.ldif

olcTLSCertificateFile: /etc/pki/tls/certs/myexampleldap.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/myexampleldapkey.pem
  • Enable the LDAPS listener (default port 636) and restart the OpenLDAP server to apply the change. Keep ldap:/// only if other clients still need plain LDAP on port 389; removing it (or requiring TLS with olcSecurity: tls=1) prevents bind passwords from ever being sent in the clear.
    [root@dlp ~]# vi /etc/sysconfig/slapd
    # line 9: add the ldaps:/// listener
    SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"
    
    [root@dlp ~]# systemctl restart slapd
    

Note: To verify the setting, open an LDAPS connection with Apache Directory Studio, or run ldapsearch with an ldaps:// URI or openssl s_client against port 636 from another host; the handshake should present the certificate created above.

Enable Pulse authentication with LDAPS (Pulse running in embedded mode).

  • Create a directory for the LDAP authentication configuration; its path is passed on the classpath when starting the locator that runs Pulse. For example:
    $ mkdir /home/apps/pulse-config
    
  • Create a file named pulse-authentication-custom.xml with contents similar to the following and place it in the directory (pulse-config) you created in the previous step. The ldap-server url must use the ldaps:// scheme and the hostname that appears in the server certificate. For example:
    <beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:context="http://www.springframework.org/schema/context"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security-3.1.xsd
    http://www.springframework.org/schema/context
    http://www.springframework.org/schema/context/spring-context-3.2.xsd">
    
    <ldap-server url="ldaps://centos7v64.myexample.com:636/dc=myexample,dc=com" />
    
    <authentication-manager>
    <ldap-authentication-provider user-dn-pattern="uid={0},ou=users" 
    group-search-base="cn=PULSEUSER,ou=groups" group-search-filter="uniqueMember={0}">
    </ldap-authentication-provider>
    </authentication-manager>
    
    </beans:beans>
    

    The settings above correspond to the following user and group entries on the OpenLDAP server. Note that userPassword:: cGl2b3RhbA== is merely the Base64 encoding of the cleartext password ("pivotal"); in a real directory store hashed passwords generated with slappasswd (for example {SSHA}) instead.

    dn: uid=puser1,ou=users,dc=myexample,dc=com
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    cn: pulse user1
    sn: user1
    uid: puser1
    userPassword:: cGl2b3RhbA==
    
    dn: uid=padmin1,ou=users,dc=myexample,dc=com
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    cn: pulse admin1
    sn: admin1
    uid: padmin1
    userPassword:: cGl2b3RhbA==
    
    dn: cn=PULSEUSER,ou=groups,dc=myexample,dc=com
    objectClass: top
    objectClass: groupOfUniqueNames
    cn: PULSEUSER
    uniqueMember: uid=puser1,ou=users,dc=myexample,dc=com
    uniqueMember: uid=padmin1,ou=users,dc=myexample,dc=com
    
  • Add the spring.profiles.active system property and the pulse-config directory on the classpath to the gfsh command that starts the locator (JMX manager) running Pulse. For example:
    gfsh start locator --name=locator --port=7900 --dir=locator --J=-Dspring.profiles.active=pulse.authentication.custom --classpath=/home/apps/pulse-config
    
  • Import the LDAPS server's certificate (the public certificate, here myexampleldap.pem) into the cacerts truststore of the JDK that runs the locator on the Pulse host, for example with keytool -importcert. Without this the TLS handshake fails and the Pulse login reports "PKIX path building failed"; for details see the article titled "Unable to Login to Pulse via LDAPS due to PKIX path building failed".
     
  • Restart the GemFire cluster, start Pulse, and log in with an account that the LDAP configuration authorizes (in this example puser1 or padmin1, the members of cn=PULSEUSER).
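As an added worked example (not code from this article, GemFire, Pulse or Spring Security), the following Python script checks the Pulse side of the setup offline before the locator is started: it parses the pulse-authentication-custom.xml and the LDIF shown above, rejects an ldap-server URL that is not ldaps://, resolves a login name through user-dn-pattern and group-search-filter the way Spring's ldap-authentication-provider does (in the DN pattern {0} is the login name; in the group filter {0} is the resulting user DN and {1} the login name), and flags userPassword values that are not stored hashed. The XML and LDIF embedded in it are constructed copies of the article's, trimmed of schema boilerplate and unused attributes; the group search is simplified to a subtree match under group-search-base. Hostname, base DN, users and group are the article's values.

```python
"""Offline check of the Pulse LDAPS configuration from this article.  Added example, not
GemFire, Pulse or Spring Security code: it parses the article's XML and LDIF and resolves
a login the way Spring's ldap-authentication-provider does, so the DN pattern, group
filter and URL can be checked before the locator starts.  Names and DNs are the article's."""
import base64
import urllib.parse
import xml.etree.ElementTree as ET

SEC_NS = "{http://www.springframework.org/schema/security}"

# The article's pulse-authentication-custom.xml minus schemaLocation (constructed copy).
PULSE_XML = """<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans">
  <ldap-server url="ldaps://centos7v64.myexample.com:636/dc=myexample,dc=com" />
  <authentication-manager>
    <ldap-authentication-provider user-dn-pattern="uid={0},ou=users"
        group-search-base="cn=PULSEUSER,ou=groups" group-search-filter="uniqueMember={0}" />
  </authentication-manager>
</beans:beans>"""

# The article's directory entries, trimmed to the attributes used here (constructed copy).
LDIF = """dn: uid=puser1,ou=users,dc=myexample,dc=com
userPassword:: cGl2b3RhbA==

dn: uid=padmin1,ou=users,dc=myexample,dc=com
userPassword:: cGl2b3RhbA==

dn: cn=PULSEUSER,ou=groups,dc=myexample,dc=com
cn: PULSEUSER
uniqueMember: uid=puser1,ou=users,dc=myexample,dc=com
uniqueMember: uid=padmin1,ou=users,dc=myexample,dc=com
"""

def parse_ldif(text):
    """Return {dn: {attr: [values]}}; 'attr:: value' carries a base64 value (RFC 2849)."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():               # a blank line ends the current entry
            current = None
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        attr = attr.strip().lower()        # LDAP attribute names are case-insensitive
        if attr == "dn":
            current = entries.setdefault(value, {})
        else:
            current.setdefault(attr, []).append(value)
    return entries

def load_config(xml_text):
    """Collect the ldap-server URL and the provider attributes from the Spring XML."""
    root = ET.fromstring(xml_text)
    cfg = dict(root.find(f".//{SEC_NS}ldap-authentication-provider").attrib)
    cfg["url"] = root.find(f"{SEC_NS}ldap-server").get("url")
    return cfg

def split_url(url):
    """Return (problems, base_dn): why the URL is unsafe for Pulse, and the DN that Spring
    appends to every relative DN.  An empty problems list means the URL looks fine."""
    p = urllib.parse.urlsplit(url)
    problems = []
    if p.scheme != "ldaps":
        problems.append(f"scheme {p.scheme!r}: bind passwords would cross the wire in the clear")
    if not p.hostname:
        problems.append("no hostname: TLS hostname verification has nothing to match")
    return problems, p.path.lstrip("/")

def join_dn(relative, base):
    return f"{relative},{base}" if base else relative

def authenticate(cfg, entries, username, password):
    """Mirror ldap-authentication-provider over the parsed LDIF.  In user-dn-pattern {0}
    is the login name; in group-search-filter {0} is the full user DN and {1} the login
    name, which is why uniqueMember={0} matches the DN-valued uniqueMember attribute.
    The group search is simplified to a subtree match under group-search-base.  Returns
    Spring-style authorities (ROLE_ prefix, cn upper-cased: the defaults) or raises."""
    problems, base = split_url(cfg["url"])
    if problems:
        raise ValueError("; ".join(problems))
    user_dn = join_dn(cfg["user-dn-pattern"].replace("{0}", username), base)
    user = entries.get(user_dn)
    if user is None or password not in user.get("userpassword", []):
        raise ValueError("bad credentials")   # same message for unknown user and wrong password
    group_base = join_dn(cfg["group-search-base"], base).lower()
    flt = cfg["group-search-filter"].replace("{0}", user_dn).replace("{1}", username)
    attr, _, wanted = flt.partition("=")
    return sorted("ROLE_" + g["cn"][0].upper() for dn, g in entries.items()
                  if dn.lower().endswith(group_base) and wanted in g.get(attr.lower(), []))

def cleartext_passwords(entries):
    """DNs whose userPassword is not a {SCHEME}-hashed value such as slappasswd's {SSHA}."""
    return sorted(dn for dn, e in entries.items()
                  if any(not v.startswith("{") for v in e.get("userpassword", [])))
```

Run authenticate() for each account that should reach Pulse before starting the locator: no authorities back means the DN pattern or group filter does not match the directory, which is cheaper to find here than through the Pulse login page. For the article's sample entries cleartext_passwords() is not empty, which is the reason to hash them with slappasswd before using this directory for anything real.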


Additional Information