IDM LDAP Driver - Securing the LDAP connection to an eDirectory LDAP Server

  • 7024381
  • 22-Jan-2020
  • 22-Jan-2020


Identity Manager 4.7
Identity Manager Driver - LDAP Driver


Using the Identity Manager (IDM) LDAP Driver, How do you configure a SSL connection to an eDirectory LDAP server?


This document is a clarification for Section 7 Configuring SSL Connections in the LDAP Driver documentation specifically for eDirectory LDAP Servers on the connected side of the LDAP Driver.

Here are the steps:

1.  In the Connected Tree iManager:  First determine what certificate the eDirectory LDAP Server is using in the connected tree.    Login to iManager on the connected tree.  Edit your LDAP Server object for the LDAP Server you are pointing to with the LDAP Driver.   (LDAP role, LDAP Options task, View LDAP Servers tab, select your ldap server)  Under the Connections tab, note what certificate is listed in the Server Certificate field.   It is typically the SSL Certificate DNS by default.

2.  In the Connected Tree iManager: Browse out to the Certificate specified in step one above in eDirectory.   It will be located in the same context where the eDirectory server object is located for the LDAP Server you are using in the connected tree.  Edit the certificate for that server.  certificate name - server name  For example: SSL Certificate DNS - myserver,  Under the Certificates tab, check the box next to the certificate and click Export.  Select the Organizational CA Certificate, leave it in a DER format and click next.  Click "Save the exported certificate" and save the cert.der file somewhere.

3.  Transfer the cert.der file you exported in step 2 above to the server running IDM and the LDAP driver.   Note:  these procedures are assuming that is a Linux Server.

4.  On the Linux IDM Server running the LDAP Driver:   Run the following command to create a .keystore file from the DER file you created and transferred to the server in steps 3-4.

keytool -import -alias TrustedRoot -file A:\PublicKeyCert.b64 -keystore .keystore -storepass keystorepass

Example:  /jre/bin/keytool -import -alias TrustedRoot -file /tmp/cert.der -keystore /tmp/ldapdriver.keystore -storepass keystorepass

If needed, copy the created keystore file to a location you want it to reside.

5.  In the IDM Tree iManager:   Edit the properties of the LDAP driver.  
   a.  On the Driver Configuration tab, Authentication section, Authentication context field, change the port from 389 to 636, or your server's secure LDAP port.  
   b.  On the Driver Configuration tab, Driver Settings section,
        Use SSL field: select Yes. 
        Keystore Path for SSL Certs field: specify the path to the keystore file.  For example: /tmp/ldapdriver.keystore
        Use Mutual Authentcation field: leave no
        Key Alias field:  Specify the Alias defined in step 4 above.  For example: TrustedRoot
        Keystore Password field:  Specify the keystore password specified in Step 4 above.  For example: keystorepass

6.  Save and Restart the LDAP driver for the changes to take affect.

Additional Information

When creating exporting your certificates, verify the expiration dates of the certificates in the connected tree.   By default they are good for 2 years.   Verify they are not expired or nearing expiration.