Validate the directory server configuration

For information on these requirements, see Add/Edit Directory screen details and Add Directory Server screen details.

In addition, there must be valid search contexts so that the group or groups can be identified and accessed.

Use the following procedure to verify a proper directory server configuration.

Prerequisites
  • Minimum required privileges: Infrastructure administrator.

  • The server that hosts the authentication directory service must:

    • Communicate through SSL.

    • Agree on the SSL port for LDAP.

    • Be accessible through a fully qualified domain name or IP address.

    • Have an available SSL certificate, based on an RSA algorithm.

Procedure
  1. Determine if there is a connection to the directory server with the ping command:
    ping directory_server_host_name
  2. Verify that the public key for the directory server certificate is based on an RSA algorithm.

    If the directory server host name actually resolves to several directory servers behind a round-robin DNS entry, each of those servers has its own certificate. Use nslookup to list the servers and choose one.

    Connect to a server using the openssl s_client command. Specify the host name and port.

    Copy the server certificate to the Certificate field of the Add Directory Server screen.

    Verify that the certificate specifies the public key as RSA (n bits). The default option for Microsoft Active Directory is RSA 2048 bits.

  3. Ensure that the certificate’s validity start timestamp is earlier than the current appliance time.

    This can be a concern if the appliance and the directory are synchronized to different time servers or if they are running in different time zones.

  4. Validate the search contexts by running the ldapsearch command from the appliance console. The examples below use these values:

    Search context: CN=Users,DC=example,DC=com

    Username: server_admin

    For this example, the ldapsearch command, using TLS/SSL, would resemble the following:

    LDAPTLS_CACERT=location_of_certificate \
    ldapsearch -LLL \
      -H ldaps://host_name:port \
      -b "base-DN" \
      -D "bind-DN" \
      -W [cn/uid/sAMAccountName/userPrincipalName]

    For this example, ldapsearch, not using TLS/SSL, would resemble the following:

    ldapsearch -LLL \
      -H ldap://IP_address:389 \
      -b "cn=users,dc=example,dc=com" \
      -D "cn=server_admin,cn=users,dc=example,dc=com" \
      -W cn
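The following script is an added example that is not part of the original documentation or the product: it performs the certificate checks from steps 2 and 3 offline against a constructed self-signed RSA certificate, and composes the step 4 ldapsearch command line from the search context and username in the way the example above does. It assumes the openssl command-line tool and GNU date are installed; the host name ldap.example.com, the address 192.0.2.10 and the function names are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example, not from the original documentation. Checks offline the
# certificate properties that steps 2 and 3 call for, and composes the
# step 4 ldapsearch command from the search context and username.
# Assumes the openssl CLI and GNU date are available; hosts, names and the
# certificate below are constructed sample values.
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# Constructed sample certificate: a self-signed RSA 2048 certificate standing
# in for the one copied from the directory server.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
  -subj "/CN=ldap.example.com" \
  -keyout "$WORKDIR/key.pem" -out "$WORKDIR/server.pem" >/dev/null 2>&1

# Step 2 on a live server: fetch the leaf certificate (not run here, the
# example stays offline). Usage: fetch_server_cert host port > server.pem
fetch_server_cert() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509
}

# Step 2 check: succeed only if the public key is RSA; print the key size.
cert_rsa_bits() {
  text=$(openssl x509 -in "$1" -noout -text)
  printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption' || return 1
  # OpenSSL 1.1 prints "RSA Public-Key: (2048 bit)", 3.x "Public-Key: (2048 bit)"
  printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Step 3 check: the certificate's notBefore must not be later than the
# appliance clock (here: this host's clock); otherwise the appliance sees a
# certificate that is not yet valid, typically because of clock skew.
cert_not_before_ok() {
  start=$(openssl x509 -in "$1" -noout -startdate | sed 's/^notBefore=//')
  start_epoch=$(date -u -d "$start" +%s)
  now_epoch=$(date -u +%s)
  [ "$start_epoch" -le "$now_epoch" ]
}

# Step 4: derive the base DN and bind DN from the search context and
# username, as the documentation's example does, and print the command line.
build_ldapsearch_cmd() {
  host=$1 port=$2 context=$3 user=$4
  printf 'ldapsearch -LLL -H ldap://%s:%s -b "%s" -D "cn=%s,%s" -W cn\n' \
    "$host" "$port" "$context" "$user" "$context"
}

# Run the checks against the sample certificate.
bits=$(cert_rsa_bits "$WORKDIR/server.pem")
echo "public key: RSA $bits bits"
cert_not_before_ok "$WORKDIR/server.pem" && echo "notBefore is not in the future"
build_ldapsearch_cmd 192.0.2.10 389 "cn=users,dc=example,dc=com" server_admin
```

To use it against a real directory server, replace the constructed certificate with the output of fetch_server_cert for the chosen host and port, then pass that file to cert_rsa_bits and cert_not_before_ok; a non-RSA key or a notBefore later than the appliance clock is reported by a non-zero exit status.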