ArcGIS LDAP Configuration Errors

1059
4
08-07-2019 12:17 PM
Highlighted
New Contributor III

So, I needed to switch from Windows authentication to LDAP authentication, and our company has set up its own certificate authority trusted root certificates, and I've found the LDAP setup documentation doesn't cover this very well, so I'm posting my findings here for everyone else.

The docs are here:

https://enterprise.arcgis.com/en/server/latest/administer/linux/configuring-a-highly-available-ldap-...

So, I had to actually go through with support and try a lot of variations to the parameters to get this right.  The error it was giving at first was "simple bind failed: <servername>:636", when I provided a secure LDAPS://servername:636/ou=..... link.

This was because I needed to import the trusted root certificate authority, which I tried to do in the ArcGIS/admin page, under machines/machinename/sslcertificates, but the error persisted.  So... it turns out the jvm's have their own keystore, and here are all of the other steps you may need to follow to get your secure ldap working with ArcGIS server, in excruciatingly overdetailed glory.

Also one other note: if you get an error more like this, your password or userid is wrong:

LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 775, v2580

If you get an error like this, your OU values are probably wrong, skip to step 3A to see how to find what they should be:

[LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839]

1: Import the certificates into the background jvm keystore as follows (rather than importing through the url:6443/arcgis/admin web page):

  • browse to <installroot>\arcgis\server\framework\runtime\jre\lib\security
  • copy the cacerts file to cacerts.bak (just in case).
  • Also back up your arcgissserver\config-store folder.
  • From a command prompt, run the following commands adjusted for your install location, and location you placed the .cer file(s) for each of your new trusted root authority certificates:
    • <installroot>\ArcGIS\Server\framework\runtime\jre\bin\keytool -import -keystore <installroot>\arcgis\server\framework\runtime\jre\lib\security\cacerts -trustcacerts -alias "certificatename" -file "<trusted root certs folder>\certificatename.cer"
    • Note the default arcgis jre keystore pass is “changeit”

2: Restart ArcGIS Server Windows service.

3: go to https://<machinename>:6443/arcgis/admin and log in as the local arcgis admin account, then browse to Home => security => config => testIdentityStore, and test the following LDAP configs for “Connection Successful!” message, after adjusting for your password and your mechid, and all of the OU / DC values to match those of your own company. If you don’t know them, see step 3A below to find out how to get them.

                User Store Configuration:

{

"type": "LDAP",

"properties": {

   "isPasswordEncrypted": "false",

   "adminUserPassword": "<password>",

   "adminUser": "CN=<your userid>,OU=userids,OU=esriusers,DC=redmond,DC=esri,DC=com",

   "ldapURLForUsers": "ldaps://ldapserver.it.esri.com:636/OU=userids,OU=esriusers,DC=redmond,DC=esri,DC=com",

   "usernameAttribute": "cn",

   "caseSensitive": "false",

   "userSearchAttribute": "samaccountname"

}

}

 

Role Store Configuration:

{

"type": "LDAP",

"properties": {

   "ldapURLForRoles": "ldaps://ldapserver.it.esri.com:636/ou=roles,dc=redmond,dc=esri,dc=com",

   "isPasswordEncrypted": "false",

   "adminUserPassword": "<password>",

   "memberAttributeInRoles": "uniquemember",

   "adminUser": "CN=<your userid>,OU=userids,OU=esriusers,DC=redmond,DC=esri,DC=com",

   "ldapURLForUsers": "ldaps://ldapserver.it.esri.com:636/OU=userids,OU=esriusers,DC=redmond,DC=esri,DC=com",

   "rolenameAttribute": "cn",

   "usernameAttribute": "cn"

}

}

 

3A: If you do not know your baseDN and OU values… Install the Windows RSAT application tools package with DSQUERY command from Microsoft, then go to control panel => programs (and features) => add windows feature, “Remote Server Administration Tools” and enable the Role Administration Tools and all subitems there. Note that in my examples, I totally made up “userid”, “esriusers”, and “redmond” as values, as these will always vary by your own company’s domain setup. Make sure you run the DSQuery tool to get the right values YOU should be using.

 

Go to command prompt and run this command, with the quotes: dsquery user -name “<username>”

Result will look like: “CN=<username>,OU=someparam,OU=maybe-a-secondparam,DC=domain1,DC=domain2,DC=domain3-typically-just-com”

So something like: “CN=abc1234,OU=userids,OU=esriusers,DC=redmond,DC=esri,DC=com” would go into your JSON config value like this:

   "adminUser": "CN=abc1234,OU=userids,OU= esriusers,DC=redmond,DC=esri,DC=com”,

Take the resulting value and use it in the adminUser attribute in the json code in step 3. Paste the portion after the CN=<username>, starting with the first OU=, and paste that into the ldapURL parameter. Following the example above, this would go in your JSON config value:

   "ldapURLForUsers": "ldaps://ldapserver.it.esri.com:636/OU=userids,OU=esriusers,DC=redmond,DC=esri,DC=com”,

These values may not be needed based on your company’s LDAP settings, so try without them first... samaccountname is the standard value for windows active-directory setups.

   "caseSensitive": "false",

   "userSearchAttribute": "samaccountname"

The ldapURLForRoles OU value of “roles” may indicate success in the test page, but it works with anything and is not apparently truly tested, so also use the command “dsquery ou” to see a list of all OUs in your company and find the one that looks like ou=groups or ou=roles.

 

4: If those functioned, you can browse back to the “config” level in the arcgis/admin page, and use the updateIdentityStore link to change the identity store config to use the adjusted configs you just tested.

Hope that helps someone!

Reply
0 Kudos
4 Replies
Highlighted
by
New Contributor II

Hi, I have similar problem.

I can not get the listing of all LDAP users.

Maybe you can help me to analyze it. Please,

Here is my config :

{
"type": "LDAP",
"properties": {
"userPassword": "v24qDsZ1bH2U1cUst7n0Ng==",
"sAMAccountName": "CN=My Name,OU=User Accounts,OU=X,OU=Y,DC=Z,DC=com",
"userEmailAttribute": "mail",
"usernameAttribute": "cn",
"ldapURLForUsers": "ldap://ldap-server.com/OU=User Accounts,OU=X,OU=Y,DC=Z,DC=com",
"isPasswordEncrypted": "true"
}
}

I also tried a second config and doesn work :

{

  "type": "LDAP",

  "properties": {

    "userPassword": "v24qDsZ1bH2U1cUst7n0Ng==",

    "sAMAccountName": "uid=My Name,ou=XX,ou=User Accounts,ou=X,ou=Y,dc=Z,dc=com",

    "caseSensitive": "false",

    "userEmailAttribute": "mail",

    "usernameAttribute": "uid",

    "userFullnameAttribute": "cn",

    "ldapURLForUsers": "ldap://ldap-server.com/ou=xx,ou=User Accounts,ou=X,ou=Y,dc=Z,dc=com",

    "isPasswordEncrypted": "true",

  }

}

The errors ARE the same when I do "Get Enterprise User" (Home->Security-.user->Get Enterprise User )

Portal Administrator Directory

[LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0907C2, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580]

Here is the structure of my user in LDAP:

~ CN=My Name,OU=XX,OU=User Accounts,OU=X,OU=Y,DC=Z,DC=com

~ there is no "UID" attribute in my LDAP. 
~ I am not using PKI

I need assistance please. If anyone knows any way out of setting it correctly, please inform me. 

Thanks

Reply
0 Kudos
Highlighted
by
New Contributor II

After nearly a week of agonizing pain and nearly commit suicide, i finally just made it working :

Here is the setup :

{

  "type": "LDAP",

  "properties": {

    "userPassword": "v24qDsZ1bH2U1cUst7n0Ng==",

    "userEmailAttribute": "mail",

    "usernameAttribute": "cn",

    "user": "sAMAccountName=MY Name,OU=XX,OU=User Accounts,OU=X,OU=Y,DC=Z,DC=com",

    "ldapURLForUsers": "ldap://LDAP-address.com/OU=User Accounts,OU=X,OU=Y,DC=Z,DC=com",

    "isPasswordEncrypted": "true"

  }

}

In LDAP, I can trace my user name by following this path : "CN=MY Name,OU=XX,OU=User Accounts,OU=X,OU=Y,DC=Z,DC=com". This is, probably 95% sure, is the path that you should type on to the "user" parameter part. I remove some parameters as well, like : "caseSensitive" and "userSearchAttribute".

The configuration above is quite different to the one that esri suggested in their Help :

{   "type": "LDAP",   "properties": {     "userPassword": "secret",     "isPasswordEncrypted": "false",     "user": "uid=admin,ou=system",     "userFullnameAttribute": "cn",     "ldapURLForUsers": "ldaps://myLdapServer:10636/ou=users,ou=ags,dc=example,dc=com",     "userEmailAttribute": "mail",     "usernameAttribute": "uid",     "caseSensitive": "false",     "userSearchAttribute": "uid"   } }
Highlighted
MVP Esteemed Contributor

Joshua Dalton‌, thanks for sharing.  My I suggest, since this is more information sharing than a question, that you convert this question to a discussion and change the title to reflect that fact.  For example, instead of "ArcGIS LDAP Configuration Errors" maybe "Steps (or tips) for Addressing ArcGIS LDAP Configuration Errors"

Reply
0 Kudos
Highlighted
New Contributor III

Addendum... so, I had to do it for ArcGIS 10.3.1... and encountered issue after issue, and could not decipher the problem, until I tried a java app called sslpoke which makes sure your root certificates are set up right and you can get to the target host given... and I learned that ArcGIS 10.3.1 runs on java 1.7.0_76, found in <install folder>\ArcGIS\server\framework\runtime\jre, which does not support TLSv1.1 or TLSv1.2.  It only supports TLSv1.  This is obsolete, and not allowed to connect to newer ldap versions, or other server types, so it causes a big problem if your it department decides to upgrade the LDAP servers to disallow TLSv1, which honestly, they should really do.  So, what's the fix?  You need to go find at LEAST java se 1.7.0_131, which is the first one to include TLS1.1 / 1.2 support, which requires an oracle support contract to download.  Trust me that this is the first one that works, I tested connecting to LDAP with every 1.7.0_X version out there that is lower than 1.7.0_131.  Anything higher than 1.7.0_131 should work also, I tested for TLS1.2 sslpoke success up to the current developer-only build 1.7.0_241 from the oracle patching support site, but I didn't try placing them into the ArcGIS folder yet, so back up your config_store. Once you have that, you can save your cacerts file, or just reimport your root certs to it, then stop arcgis server, and replace the server's jre folder under <install root>\ArcGIS\server\framework\runtime\jre folder with the 1.7.0_131 (or higher) jre folder you obtained.

Make sure you add your root certificates back into the new jre\lib\security\cacerts file as detailed above in original post.

One thing I haven't checked, but might be a nice side effect, tls1.2 ArcGIS online connectivity.  Maybe someone can advise if this resolves that.

This may also work for ArcGIS Portal 10.3.1, but I haven't tried it yet.