In addition, there must be valid search contexts so that the group or groups can be identified and accessed.
Use the following procedure to verify a proper directory server configuration.
Procedure
- Determine if there is a connection to the directory server with the ping command:

    ping directory_server_host_name
- Verify that the public key for the directory server certificate is based on an RSA algorithm.
  If the directory server host name resolves through round-robin DNS to several servers, each server has a unique certificate. Use the nslookup command to list the servers and choose one.
  Connect to the chosen server using the openssl s_client command, specifying the host name and port.
  Copy the server certificate to the Certificate field of the Add Directory Server screen.
  Verify that the certificate specifies the public key as RSA (n bits). The default option for Microsoft Active Directory is RSA 2048 bits.
- Ensure that the certificate's timestamp is older than the appliance time.
  This can be a concern if the appliance and the directory are synchronized to different time servers or if they are running in different time zones.
- Validate the search contexts by running the ldapsearch command from the appliance console.

    Search context: CN | CN=Users | DC=example,DC=com
    Username:       server_admin

  For this example, the ldapsearch command, using TLS/SSL, would resemble the following:

    LDAPTLS_CACERT=location_of_certificate ldapsearch -LLL -Z -H ldaps://host_name:port -b "base-DN" -D "bind-DN" -W [cn/uid/sAMAccountName/userPrincipalName]

  For this example, ldapsearch, not using TLS/SSL, would resemble the following:

    ldapsearch -LLL -H ldap://IP_address:389 -b "cn=users,dc=example,dc=com" -D "cn=server_admin,cn=users,dc=example,dc=com" -W CN
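The certificate checks in steps 2 and 3 and the ldapsearch command line in step 4 can be scripted so the verification is repeatable. The following is an added example, not code from this documentation or the appliance; it works on the text that `openssl x509 -noout -text` prints for the saved server certificate (the sample certificate text below is constructed, and the `min_bits` threshold is an assumed policy value) and builds the ldapsearch argument list from the search-context values in the table.

```python
import re
from datetime import datetime

# Constructed sample of what `openssl x509 -noout -text` prints for a directory
# server certificate saved from `openssl s_client` (not a real certificate).
SAMPLE_CERT_TEXT = """\
Certificate:
    Data:
        Validity
            Not Before: Mar  4 09:15:00 2024 GMT
            Not After : Mar  4 09:15:00 2026 GMT
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
"""

def check_certificate(cert_text, appliance_utc, min_bits=2048):
    """Apply the RSA and timestamp checks from the procedure; return the problems found.

    cert_text:     output of `openssl x509 -noout -text` for the server certificate
    appliance_utc: the appliance clock as "YYYY-MM-DD HH:MM:SS" in UTC (as `date -u`
                   reports it), so a time-zone difference cannot skew the comparison
    min_bits:      assumed minimum RSA key size (the page only states the AD default)
    """
    problems = []
    algo = re.search(r"Public Key Algorithm:\s*(\S+)", cert_text)
    if algo is None or algo.group(1) != "rsaEncryption":
        problems.append("public key is not RSA")
    bits = re.search(r"Public-Key:\s*\((\d+) bit\)", cert_text)  # OpenSSL 1.1.x and 3.x
    if bits is None:
        problems.append("key size not found")
    elif int(bits.group(1)) < min_bits:
        problems.append(f"RSA key is only {bits.group(1)} bits")
    issued = re.search(r"Not Before:\s*(.+?) GMT", cert_text)
    if issued is None:
        problems.append("Not Before missing")
    else:
        not_before = datetime.strptime(" ".join(issued.group(1).split()), "%b %d %H:%M:%S %Y")
        now = datetime.strptime(appliance_utc, "%Y-%m-%d %H:%M:%S")
        if not_before > now:
            problems.append("Not Before is later than appliance time: check NTP/time zone")
    return problems

def ldapsearch_argv(host, port, base_dn, bind_dn, attr, ca_cert=None):
    """Build the ldapsearch command line shown in the procedure from search-context values.

    Returns (env, argv): with ca_cert set, the search uses ldaps:// and env carries the
    LDAPTLS_CACERT variable the TLS variant on the page sets; otherwise plain ldap://.
    """
    scheme = "ldaps" if ca_cert else "ldap"
    argv = ["ldapsearch", "-LLL", "-H", f"{scheme}://{host}:{port}",
            "-b", base_dn, "-D", bind_dn, "-W", attr]
    return ({"LDAPTLS_CACERT": ca_cert} if ca_cert else {}), argv
```

Run the returned argv with `subprocess.run(argv, env={**os.environ, **env})` on the appliance console; `-W` still prompts for the bind password.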