ArcGIS LDAP Configuration Errors

So, I needed to switch from Windows authentication to LDAP authentication, and our company has set up its own certificate authority trusted root certificates, and I've found the LDAP setup documentation doesn't cover this very well, so I'm posting my findings here for everyone else.

The docs are here:

https://enterprise.arcgis.com/en/server/latest/administer/linux/configuring-a-highly-available-ldap-...

So, I had to actually go through with support and try a lot of variations to the parameters to get this right.  The error it was giving at first was "simple bind failed: <servername>:636", when I provided a secure LDAPS://servername:636/ou=..... link.

This was because I needed to import the trusted root certificate authority, which I tried to do in the ArcGIS/admin page, under machines/machinename/sslcertificates, but the error persisted.  So... it turns out the jvm's have their own keystore, and here are all of the other steps you may need to follow to get your secure ldap working with ArcGIS server, in excruciatingly overdetailed glory.

Also one other note: if you get an error more like this, your password or userid is wrong:

LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 775, v2580

If you get an error like this, your OU values are probably wrong, skip to step 3A to see how to find what they should be:

[LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839]

1: Import the certificates into the background jvm keystore as follows (rather than importing through the url:6443/arcgis/admin web page):

• browse to <installroot>\arcgis\server\framework\runtime\jre\lib\security
• copy the cacerts file to cacerts.bak (just in case).
• Also back up your arcgissserver\config-store folder.
• From a command prompt, run the following commands adjusted for your install location, and location you placed the .cer file(s) for each of your new trusted root authority certificates:
  • <installroot>\ArcGIS\Server\framework\runtime\jre\bin\keytool -import -keystore <installroot>\arcgis\server\framework\runtime\jre\lib\security\cacerts -trustcacerts -alias "certificatename" -file "<trusted root certs folder>\certificatename.cer"
  • Note the default arcgis jre keystore pass is “changeit”

2: Restart ArcGIS Server Windows service.

3: go to https://<machinename>:6443/arcgis/admin and log in as the local arcgis admin account, then browse to Home => security => config => testIdentityStore, and test the following LDAP configs for “Connection Successful!” message, after adjusting for your password and your mechid, and all of the OU / DC values to match those of your own company. If you don’t know them, see step 3A below to find out how to get them.

                User Store Configuration:

{

"type": "LDAP",

"properties": {

   "isPasswordEncrypted": "false",

   "adminUserPassword": "<password>",

   "adminUser": "CN=<your userid>,OU=userids,OU=esriusers,DC=redmond,DC=esri,DC=com",

   "ldapURLForUsers": "ldaps://ldapserver.it.esri.com:636/OU=userids,OU=esriusers,DC=redmond,DC=esri,DC=com",

   "usernameAttribute": "cn",

   "caseSensitive": "false",

   "userSearchAttribute": "samaccountname"

}

}

Role Store Configuration:

{

"type": "LDAP",

"properties": {

   "ldapURLForRoles": "ldaps://ldapserver.it.esri.com:636/ou=roles,dc=redmond,dc=esri,dc=com",

   "isPasswordEncrypted": "false",

   "adminUserPassword": "<password>",

   "memberAttributeInRoles": "uniquemember",

   "adminUser": "CN=<your userid>,OU=userids,OU=esriusers,DC=redmond,DC=esri,DC=com",

   "ldapURLForUsers": "ldaps://ldapserver.it.esri.com:636/OU=userids,OU=esriusers,DC=redmond,DC=esri,DC=com",

   "rolenameAttribute": "cn",

   "usernameAttribute": "cn"

}

}

3A: If you do not know your baseDN and OU values… Install the Windows RSAT application tools package with DSQUERY command from Microsoft, then go to control panel => programs (and features) => add windows feature, “Remote Server Administration Tools” and enable the Role Administration Tools and all subitems there. Note that in my examples, I totally made up “userid”, “esriusers”, and “redmond” as values, as these will always vary by your own company’s domain setup. Make sure you run the DSQuery tool to get the right values YOU should be using.

Go to command prompt and run this command, with the quotes: dsquery user -name “<username>”

Result will look like: “CN=<username>,OU=someparam,OU=maybe-a-secondparam,DC=domain1,DC=domain2,DC=domain3-typically-just-com”

So something like: “CN=abc1234,OU=userids,OU=esriusers,DC=redmond,DC=esri,DC=com” would go into your JSON config value like this:

   "adminUser": "CN=abc1234,OU=userids,OU= esriusers,DC=redmond,DC=esri,DC=com”,

Take the resulting value and use it in the adminUser attribute in the json code in step 3. Paste the portion after the CN=<username>, starting with the first OU=, and paste that into the ldapURL parameter. Following the example above, this would go in your JSON config value:

   "ldapURLForUsers": "ldaps://ldapserver.it.esri.com:636/OU=userids,OU=esriusers,DC=redmond,DC=esri,DC=com”,

These values may not be needed based on your company’s LDAP settings, so try without them first... samaccountname is the standard value for windows active-directory setups.

   "caseSensitive": "false",

   "userSearchAttribute": "samaccountname"

The ldapURLForRoles OU value of “roles” may indicate success in the test page, but it works with anything and is not apparently truly tested, so also use the command “dsquery ou” to see a list of all OUs in your company and find the one that looks like ou=groups or ou=roles.

4: If those functioned, you can browse back to the “config” level in the arcgis/admin page, and use the updateIdentityStore link to change the identity store config to use the adjusted configs you just tested.

Hope that helps someone!