
Preparation

Before you begin, you must:

  • Know the name of each LDAP tree and the top-level context in which Bravura Security Fabric performs operations.

  • Document a DNS server name and TCP port number for the master LDAP service for each directory.

  • Create an administrative account in the LDAP tree that can list users in the relevant contexts and reset passwords for every user object in the relevant contexts. See Configuring a target system administrator below for details.

  • Create at least one test account in the tree. More accounts, in multiple contexts, are better.

  • If you have an LDAP server set up for SSL encryption, ensure that the required server authentication certificate is imported into a trusted root certificate store on the instance server. See Exporting and installing SSL certification files below for details.

  • Determine how Bravura Security Fabric identifies users in the LDAP tree. Bravura Security Fabric can do this based on one of two mutually exclusive assumptions:

    • Each user has at most one account in the LDAP tree. Ideally, but not necessarily, the common name uniquely identifies each user.

    • A user may have multiple accounts in different contexts in the tree, but the common name uniquely identifies the user.

      Warning

      Ensure that your LDAP client does not hash new passwords before sending requests to the LDAP server, if:

      • You will be implementing transparent synchronization

      • Bravura Security Fabric will be used to verify passwords on the LDAP target

      If you do not want passwords to be transmitted in plaintext, it is highly recommended that you enable SSL on the LDAP server.

Configuring a target system administrator

Bravura Security Fabric uses a designated account on the LDAP Directory Service target system to create and manage objects.

The target system administrator must be a member of the configuration administrators group. Ensure that you set and note the account’s password. You will be required to enter the login ID and password when you add the LDAP target system to Bravura Security Fabric.

You must use a fully qualified name for the administrator ID.

For example, on Netscape Directory Server, the built-in administrator account’s fully qualified name is:

uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
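As an added example (not from the Bravura Security documentation), the following PowerShell pre-flight check covers the preparation items above: it binds as the administrative account over LDAPS using its fully qualified DN, lists user objects in each context, and reports any common name that appears in more than one context, which tells you which of the two identification assumptions holds. The host name, contexts and the (objectClass=person) filter are placeholders and assumptions; the bind DN is the Netscape example above.

```powershell
# Added example, not part of the Bravura Security documentation: verify that the administrative
# account can bind over LDAPS with its fully qualified DN, list users in each context, and check
# whether common names are unique across those contexts (the second identification assumption).
# Server name, contexts and the object-class filter are placeholders/assumptions for this example.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapAdministrator {
    param(
        [string]$Server,            # DNS name of the master LDAP service
        [int]$Port = 636,           # LDAPS port: the simple bind below must not travel in clear
        [string]$BindDn,            # fully qualified DN of the administrative account
        [securestring]$Password,
        [string[]]$Contexts         # top-level contexts Bravura Security Fabric will operate in
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.Bind((New-Object System.Net.NetworkCredential($BindDn, $Password)))  # throws on bad DN, password or untrusted certificate

    $byCn = @{}          # cn -> DNs carrying it, to spot users with accounts in several contexts
    $report = foreach ($ctx in $Contexts) {
        $req  = New-Object System.DirectoryServices.Protocols.SearchRequest(
                    $ctx, '(objectClass=person)',          # assumed user object class
                    [System.DirectoryServices.Protocols.SearchScope]::Subtree, @('cn'))
        $resp = $conn.SendRequest($req)
        foreach ($entry in $resp.Entries) {
            $cnAttr = $entry.Attributes['cn']
            if ($null -eq $cnAttr) { continue }
            $cn = $cnAttr.GetValues([string])[0]
            if (-not $byCn.ContainsKey($cn)) { $byCn[$cn] = @() }
            $byCn[$cn] += $entry.DistinguishedName
        }
        [pscustomobject]@{ Context = $ctx; Users = $resp.Entries.Count }
    }
    $conn.Dispose()
    $dupes = $byCn.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 }
    [pscustomobject]@{
        Contexts     = $report
        DuplicateCns = @($dupes | ForEach-Object { $_.Key })   # empty when cn uniquely identifies each user
    }
}

# Placeholder values for this example; replace with your own directory's settings
$pw = Read-Host -AsSecureString 'Administrator password'
Test-LdapAdministrator -Server 'ldap.example.com' -BindDn 'uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot' `
    -Password $pw -Contexts @('ou=people,o=example', 'ou=contractors,o=example')
```

A non-empty DuplicateCns list means the tree does not satisfy the "common name uniquely identifies the user" assumption for those names.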

Exporting and installing SSL certification files

If you want to communicate with an LDAP server configured for SSL encryption, you must obtain the necessary certificate file from the LDAP server and install it into a trusted certificate store on your instance server.

Before you start, ensure that the LDAP server is configured for SSL and has a server authentication certificate to deploy onto the instance server.

It is important to ensure that the Network Service account on the LDAP server has read permissions for the server authentication certificate.

Please refer to the following link for more information on setting up LDAP over SSL:

https://msdn.microsoft.com/en-us/library/cc725767(v=ws.10).aspx#BKMK_1

Exporting the SSL certificate using a private key

To obtain the SSL certificate from the LDAP server, follow the steps below:

  1. On the LDAP server, go to Start > Run and enter "mmc".

  2. In the console, go to File > Add/Remove Snap-in.

  3. Select the Certificates snap-in, click Add, then OK.

  4. Select Computer account, then click Next.

  5. Select Local computer, then click Finish.

  6. On the console, expand the Certificates (Local Computer) drop-down.

  7. Navigate to the Personal > Certificates folder.

  8. Locate the server authentication certificate, right-click the certificate, and select Copy.

  9. Right-click on the Trusted Root Certification Authorities > Certificates folder and select Paste.

  10. From the same folder, locate and right-click the certificate you pasted. Select All Tasks > Export.

  11. When prompted on the Certificate Export Wizard, select Yes to export the private key, then click Next.

  12. The format should default to Personal Information Exchange. Leave the default selections and click Next.

  13. Enter a password for the private key and click Next.

  14. Specify a file location for the certificate file, then click Next.

  15. Finish the export.

Alternative methods for exporting the SSL certificate

If you cannot or prefer not to use a private key, you can use the following method instead:

Request .cer files for the LDAP server from an LDAP administrator in your organization.

Installing the SSL certificate onto the Bravura Security Fabric server

To install the SSL certificate onto the instance server, follow the steps below:

  1. Copy the exported certificate file (.pfx) from the LDAP server onto the instance server (any directory).

  2. Double-click the file, select Local Machine, then click Next.

  3. Confirm the file to import, then click Next.

  4. Enter the password for the private key (set during the export process above), then click Next.

  5. Select Place all certificates in the following store, and click Browse.

  6. Select the Trusted Root Certification Authorities certificate store, then click Next.

  7. Finish the import.
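As an added example (not from the Bravura Security documentation), the PowerShell below performs the export steps and the install steps above with the PKI module cmdlets instead of the MMC wizards, and then confirms that the instance server completes a TLS handshake with the LDAPS endpoint. The host name, output directory and file names are placeholders; the public .cer export corresponds to the alternative method, the .pfx export to the private-key wizard.

```powershell
# Added example, not part of the Bravura Security documentation: the export and import steps
# above done with the PKI module cmdlets, followed by a check that the instance server now
# completes a TLS handshake with the LDAPS endpoint. Host name and file paths are placeholders.
# On the LDAP server (export steps 6-15): find the server authentication certificate in the
# Personal store and export it. The .cer (public part) is what the instance server needs to
# trust the endpoint; the .pfx additionally carries the private key, as in the wizard.
function Export-LdapServerCertificate {
    param([string]$OutDir = 'C:\temp', [securestring]$PfxPassword)
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'        # Server Authentication enhanced key usage
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw 'No server authentication certificate with a private key in LocalMachine\My' }
    Export-Certificate -Cert $cert -FilePath (Join-Path $OutDir 'ldap-server.cer') -Type CERT | Out-Null
    if ($PfxPassword) {   # only when the private key really must travel (wizard steps 11-13)
        Export-PfxCertificate -Cert $cert -FilePath (Join-Path $OutDir 'ldap-server.pfx') -Password $PfxPassword | Out-Null
    }
    return $cert.Thumbprint
}

# On the instance server (install steps 1-7): place the file in Trusted Root Certification Authorities.
function Install-LdapServerCertificate {
    param([string]$Path, [securestring]$PfxPassword)
    $store = 'Cert:\LocalMachine\Root'
    $imported = if ($Path -like '*.pfx') {
        Import-PfxCertificate -FilePath $Path -CertStoreLocation $store -Password $PfxPassword
    } else {
        Import-Certificate -FilePath $Path -CertStoreLocation $store
    }
    return $imported.Thumbprint
}

# Verification: a TLS handshake to port 636 succeeds only if the presented chain is trusted by
# the machine store and the certificate name matches $LdapHost.
function Test-LdapsTrust {
    param([string]$LdapHost, [int]$Port = 636)
    $tcp = New-Object System.Net.Sockets.TcpClient($LdapHost, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($LdapHost)     # throws AuthenticationException on an untrusted chain
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{ Subject = $remote.Subject; Thumbprint = $remote.Thumbprint; Protocol = $ssl.SslProtocol }
    } finally { $tcp.Close() }
}

# Example sequence with a placeholder host; compare the thumbprints to confirm the right file was copied
# $exported  = Export-LdapServerCertificate -OutDir 'C:\temp'                  # on the LDAP server
# $installed = Install-LdapServerCertificate -Path 'C:\temp\ldap-server.cer'   # on the instance server
# Test-LdapsTrust -LdapHost 'ldap.example.com'
```

If Test-LdapsTrust throws after the import, the certificate presented on port 636 is not the one you installed or its subject does not match the DNS name you documented for the master LDAP service.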