How to setup LDAPS for MDM

Talend Version: 6.1.1

Product: Talend Master Data Management

Solution or Workaround

Part I
1- Install the LDAP directory server.
2- Configure the MDM server to communicate with the directory server:
 a. The jaas.conf file (under mdm/conf/) should look like this (each login module entry must end with a semicolon):
MDM {
  com.amalto.core.server.security.jaas.LDAPLoginModule sufficient
    java.naming.factory.initial="com.sun.jndi.ldap.LdapCtxFactory"
    java.naming.security.authentication="simple"
    java.naming.provider.url="ldaps://ldap.neustar.biz:636"
    LdapDirect=true
    principalDNPrefix="uid="
    principalDNSuffix=",ou=Neustar,ou=Staff,o=Neustar";
  com.amalto.core.server.security.jaas.StorageLoginModule required;
};

 b. Add the following JVM parameters in {mdm}/apache-tomcat/bin/catalina.sh, so that Tomcat can validate the directory server's certificate:
-Djavax.net.ssl.trustStore={your truststore file path}
-Djavax.net.ssl.trustStorePassword={your truststore password}

3- Check that the connection works over plain LDAP (no SSL) before enabling LDAPS.

Part II LDAP
4- Generate a keystore for the LDAP server.
5- Configure the LDAP server to communicate over SSL (the procedure depends on the directory server chosen).
6- Check that the server answers on the LDAP SSL port and presents the correct certificate. In my case:
openssl s_client -connect ldap.example.com:10636 -showcerts
7- Export the LDAP server certificate so that it can be trusted by the MDM server.
Note: if your certificate's algorithm is too weak for the JDK's default policy, you can lower the Java security level by commenting out the following line in $JAVA_HOME/jre/lib/security/java.security:
# jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
(For example, the default certificate shipped with ApacheDS is not accepted under this restriction.)

Part III MDM

8- Generate a keystore for the MDM server.
9- Generate a keystore for the trusted certificates and import the LDAP server certificate into it.
10- Configure Tomcat to trust these JKS files.
11- Change the LDAP connection URL in jaas.conf to the ldaps:// URL.
12- Restart MDM.
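The certificate check behind the step 7 note and the truststore import of steps 9 and 10, as an added example that is not part of the original article. It assumes openssl on PATH (keytool is used only if a JDK is installed); the hostname, the password and the self-signed certificate are constructed sample values standing in for the real directory server's certificate.

```shell
#!/bin/sh
# Added example, not the article's own script. Assumes openssl on PATH;
# keytool (JDK) is optional. Hostname and password are sample values.
set -u
WORK=$(mktemp -d)
LDAP_HOST=ldap.example.com      # hostname used in step 6 of the article
STORE_PASS=changeit             # sample password, not a recommendation

# Step 4 stand-in: a self-signed 2048-bit RSA / SHA-256 certificate for the
# directory server, so the rest runs offline instead of hitting a live LDAPS port.
openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 365 \
  -subj "/CN=$LDAP_HOST" -keyout "$WORK/ldap-server.key" \
  -out "$WORK/ldap-server.crt" >/dev/null 2>&1

# cert_ok_text: read `openssl x509 -text` output on stdin and return 0 only if
# the certificate survives the default jdk.certpath.disabledAlgorithms rule
# quoted in the article (MD2, MD5, RSA keySize < 1024). Fails closed on parse errors.
cert_ok_text() {
  text=$(cat)
  sigalg=$(printf '%s\n' "$text" | sed -n 's/^[[:space:]]*Signature Algorithm: //p' | head -n 1)
  keyalg=$(printf '%s\n' "$text" | sed -n 's/^[[:space:]]*Public Key Algorithm: //p' | head -n 1)
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
  [ -n "$sigalg" ] && [ -n "$bits" ] || return 1
  case "$sigalg" in *[mM][dD]2*|*[mM][dD]5*) return 1 ;; esac
  case "$keyalg" in *[rR][sS][aA]*) [ "$bits" -ge 1024 ] || return 1 ;; esac
  return 0
}
# cert_ok: the same check on a PEM file, i.e. the certificate exported in step 7.
cert_ok() { openssl x509 -in "$1" -noout -text | cert_ok_text; }

# Step 7 check. If it fails, reissue the directory server's certificate rather than
# editing java.security, which relaxes validation for every TLS connection of the JVM.
if cert_ok "$WORK/ldap-server.crt"; then echo "certificate acceptable to the JDK"; fi

# Steps 9-10: import the directory server certificate into a JKS truststore and
# print the JVM options to add for Tomcat. Skipped when no JDK is installed.
if command -v keytool >/dev/null 2>&1; then
  keytool -importcert -noprompt -alias ldap-server -file "$WORK/ldap-server.crt" \
    -keystore "$WORK/mdm-truststore.jks" -storepass "$STORE_PASS" >/dev/null 2>&1
  keytool -list -keystore "$WORK/mdm-truststore.jks" -storepass "$STORE_PASS" | grep -i ldap-server
  echo "-Djavax.net.ssl.trustStore=$WORK/mdm-truststore.jks -Djavax.net.ssl.trustStorePassword=$STORE_PASS"
fi
```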

Part IV LDAP (depends on the directory server: not needed for ApacheDS, needed for OpenLDAP)
13- Export the MDM server certificate.
14- Import this certificate into a JKS file.
15- Configure the directory server to trust this JKS file.
16- Restart the directory server.
17- Test.

Part V: Debugging
18- Stop MDM and enable detailed logging by raising the log levels in $MDM/conf/log4j.xml:
com.amalto.core.server.security.jaas = DEBUG
org.springframework.security.web = DEBUG
19- In setenv.sh, add "-Djavax.net.debug=ssl" to CATALINA_OPTS.
20- Start MDM.
21- Capture the log: tail -f mdm.log > test.log
22- Access the Web UI and test the user login.
23- Stop the log capture in test.log and, if something went wrong, look for the root cause there.
Last update: 05-18-2017 10:18 PM