Connecting to an LDAP Server or Microsoft Active Directory and Azure AD
In production systems, AtScale must communicate with an external directory service to authenticate users. This topic describes how to configure AtScale to interoperate with an external directory service such as Microsoft Active Directory or Azure Active Directory.
Before you begin: Importing a Certificate
If you are connecting AtScale to an LDAPS (LDAP over TLS) server, the AtScale node (for a single-instance installation) or every node in the AtScale cluster must trust the certificate chain that the LDAP server presents. If the server uses a self-signed certificate, you must copy that certificate into the Java truststore on each AtScale node as follows:
[!NOTE] For more information, see Configuring TLS.
1. Download the LDAPS server's certificate. On any host that has OpenSSL and can reach the LDAPS server on its port (the LDAPS server itself or the AtScale node), run:

   openssl s_client -connect ldap_server.domain:636

   Add -showcerts to print every certificate in the chain rather than only the server's own certificate.

2. Copy the lines from -----BEGIN CERTIFICATE----- through -----END CERTIFICATE----- (inclusive) into a separate file. The file name must have the .cert extension, for example ldap_server.cert; this file name becomes the alias under which the certificate is stored in the truststore.

3. On each AtScale server:

   a. Edit the atscale.yaml file and set tls.custom_crt.path to the path of your .cert file. Alternatively, place <filename>.cert in the /opt/atscale/data/security/crt directory; in that case the tls section of atscale.yaml should look like the example below:

      tls:
        certificate: /opt/atscale/conf/server.cert
        enabled: false
        key: /opt/atscale/conf/server.key
        custom_crt:
          path: "/opt/atscale/data/security/crt"

   b. Run the configurator.sh tool with the --apply option, as the AtScale installation user (atscale in this example), to apply the new configuration:

      su - atscale
      cd /opt/atscale/current
      ./bin/configurator.sh --apply

   c. Check that the certificate was imported and that the file name is its alias in the truststore:

      /opt/atscale/current/pkg/jdk/bin/keytool -list -keystore /opt/atscale/current/security/truststore.jks -alias <filename>.cert

      Add -v to the keytool command to print the certificate's SHA-256 fingerprint, which you can compare with the fingerprint of the file you downloaded in step 1.

4. Restart AtScale:

   a. To stop all AtScale processes, run the following command on the AtScale node (if you have a single-instance installation of AtScale) or on all of the nodes in your AtScale cluster:

      /opt/atscale/bin/atscale_stop_apps

   b. To start all AtScale processes, run the following command on the same node(s):

      /opt/atscale/bin/atscale_start_apps
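The procedure above, automated as an added example (this is not AtScale's code and does not come from its documentation): a POSIX shell helper that fetches the chain an LDAPS server presents, splits it into one .cert file per certificate, prints subject, issuer and SHA-256 fingerprint for each so they can be compared with what keytool -list -v shows after configurator.sh --apply, and checks that the saved file actually validates the server with host-name verification, which is the check a Java LDAPS client performs by default. It goes beyond the page's single self-signed case by handling a full chain. The CRT_DIR, KEYTOOL and TRUSTSTORE defaults are the paths the page uses; ldap.example.com and the certificate bodies in sample_s_client_output are constructed for the offline test and are not real certificates.

```sh
#!/bin/sh
# Added helper (not AtScale code): fetch the certificate chain an LDAPS server
# presents, split it into one PEM file per certificate, print each one's
# subject / issuer / SHA-256 fingerprint, and verify that the chosen file
# really validates the server. Paths default to the ones the page uses.
set -eu

CRT_DIR="${CRT_DIR:-/opt/atscale/data/security/crt}"
KEYTOOL="${KEYTOOL:-/opt/atscale/current/pkg/jdk/bin/keytool}"
TRUSTSTORE="${TRUSTSTORE:-/opt/atscale/current/security/truststore.jks}"

# Read `openssl s_client -showcerts` output on stdin and write every PEM block
# to <prefix>.<n>.cert, in the order the server sent them (leaf first).
# Prints the number of blocks written; 0 means no certificate was received.
split_pem_chain() {
  awk -v prefix="$1" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = prefix "." n ".cert"; p = 1 }
    p                            { print > out }
    /-----END CERTIFICATE-----/  { p = 0; close(out) }
    END                          { print n + 0 }
  '
}

# Dump the chain from host:port. </dev/null makes s_client exit after the
# handshake; -servername sends SNI, which some front ends require.
fetch_chain() {
  openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null
}

# Subject, issuer and SHA-256 fingerprint of one PEM file, in the same
# colon-separated form that `keytool -list -v` prints, so the two can be compared.
describe_cert() {
  openssl x509 -in "$1" -noout -subject -issuer -fingerprint -sha256
}

# Does the saved certificate ($3) validate the server, including host-name
# checking? Succeeds only if OpenSSL reports "Verify return code: 0 (ok)".
verify_with_cert() {
  openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$3" \
    -verify_hostname "$1" -verify_return_error </dev/null 2>/dev/null \
    | grep -q 'Verify return code: 0 (ok)'
}

# ldaps_fetch_chain <host> <port> <name> [outdir]
# Writes <outdir>/<name>.<n>.cert for each certificate and describes them.
ldaps_fetch_chain() {
  host="$1"; port="$2"; name="$3"; outdir="${4:-.}"
  n=$(fetch_chain "$host" "$port" | split_pem_chain "$outdir/$name")
  [ "$n" -gt 0 ] || { echo "no certificate received from $host:$port" >&2; return 1; }
  for f in "$outdir/$name".*.cert; do
    echo "== $f"; describe_cert "$f"
  done
  echo "Prefer the file whose subject equals its issuer (the root or self-signed"
  echo "certificate); two files with the same fingerprint are duplicates. Copy the"
  echo "chosen file to $CRT_DIR, run configurator.sh --apply, then compare with:"
  echo "  $KEYTOOL -list -v -keystore $TRUSTSTORE -alias <filename>.cert"
}

# Constructed sample of s_client -showcerts output (fake certificate bodies),
# used only to exercise split_pem_chain offline.
sample_s_client_output() {
  cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = ldap.example.com
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
LEAFDATA0000000000000000000000000000000000000000000000000000000000
-----END CERTIFICATE-----
 1 s:CN = Example Root CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
ROOTDATA0000000000000000000000000000000000000000000000000000000000
-----END CERTIFICATE-----
---
Server certificate
subject=CN = ldap.example.com
EOF
}
```

Source the file and run ldaps_fetch_chain ldap.example.com 636 ldap-example /tmp/ldap. Copy the certificate you decide to trust into the crt directory, apply the configuration, and compare the SHA256 line that keytool -list -v prints with the fingerprint shown here. Before restarting AtScale, verify_with_cert ldap.example.com 636 /tmp/ldap/ldap-example.2.cert should succeed; if it fails on host-name verification, the name you plan to enter in AtScale does not match the certificate, and the Java client will fail in the same way.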
Azure AD
If you are connecting AtScale to an Azure AD LDAPS endpoint, you must first meet the prerequisites found here. After uploading your certificate to the AtScale engine's truststore and enabling secure LDAP (LDAPS) for your Azure AD Domain Services (AD DS) managed domain, make the following settings on the AtScale custom directory service setup page. More information about the AtScale directory service setup can be found in the Procedure section below.
- Enable Use SSL on the Custom Directory Setup page in AtScale when setting up the connection between AtScale and Azure AD.
- The default port for Azure AD LDAPS is 636. If you use a non-default port, make sure the port configured for secure LDAP in Azure AD matches the port set in AtScale.
- Java LDAPS clients verify the server host name against the certificate by default, so the host name you enter in AtScale must match the subject or a subject alternative name of the certificate you enabled secure LDAP with; otherwise the TLS handshake fails even though the certificate is in the truststore.