Deploying LDAP External Authentication
Task Summary
The following Task Summary lists the tasks required to deploy LDAP in your configuration.
| Task | Related Procedures and Information |
|---|---|
| Install Configuration Server and deploy LDAP during the installation. | This Configuration Server can be the primary or backup configuration server in a redundant configuration, or the Master Configuration Server in a geographically distributed configuration. Use the procedure Deploying LDAP during Configuration Server installation. |
| (Optional) Configure additional LDAP Servers. | If you are using multiple LDAP servers, configure them on the Options tab of the Tenant object (preferred) or of the Configuration Server object. Refer to Configuring LDAP Servers. |
| (Optional) Install as many Configuration Servers as required, deploying LDAP during the installation. | If you are deploying LDAP in a geographically distributed configuration, install each Configuration Server Proxy using the procedure Deploying LDAP during Configuration Server installation. |
Deploying LDAP
Use the following procedure to deploy LDAP while you are installing Configuration Server or Configuration Server Proxy.
Deploying LDAP during Configuration Server installation
Purpose
To deploy LDAP while installing Configuration Server or Configuration Server Proxy.
Start
- Begin installing Configuration Server or Configuration Server Proxy (multi-tenant or single-tenant).
- On the Configuration Server Run Mode page, select one of the following, as appropriate:
  - Configuration Server Master Primary: if you are installing a Master or Primary Configuration Server.
  - Configuration Server Proxy: if you are installing a Configuration Server Proxy.
- Continue installing Configuration Server or Configuration Server Proxy, as appropriate.
- On the Configuration Server External Authentication page, select Lightweight Directory Access Protocol (LDAP).
- On the LDAP Server Access URL page, enter the URL that the Configuration Server or Configuration Server Proxy will use to connect to the LDAP server. If you are going to use multiple LDAP authentication servers, specify the first LDAP server on this page. After Configuration Server or Configuration Server Proxy starts up for the first time, you can enter additional LDAP servers on the Options tab of the Configuration Server or Configuration Server Proxy Application object.
- Finish installing Configuration Server or Configuration Server Proxy.
End
Configuration Server Options
If you installed the LDAP pluggable modules during installation of a new Master Configuration Server, the following configuration option sections and options are added to the configuration file, and are copied into the database when Configuration Server starts (see Configuring the Master Configuration Server), as follows:
[authentication]
library=gauth_ldap

[gauth_ldap]
ldap-url=<URL as entered during installation>
When you install the LDAP pluggable module on Configuration Server Proxy, you must manually add the same two sections and options to the Application object.
The library option specifies gauth_ldap as the section that contains the external authentication parameters.
The ldap-url option specifies the URL of the LDAP server and directory that you entered during installation. On the Master Configuration Server, both values are set automatically.
At this point, these two sections indicate that LDAP external authentication is to be used, and they are all that is required to use LDAP with one LDAP server that accepts anonymous LDAP binding. If your LDAP server requires authentication to perform searches using a query, specified in the option ldap-url (see ldap-url), you must set the app-user and password options (see app-user) before you can use external authentication.
To maintain backwards compatibility, if an ldapclient.conf file exists, the Master Configuration Server also reads the contents of that file at first startup, translates those settings into Configuration Server options, and stores them in the database. Any changes to that file are ignored at subsequent startups.
IMPORTANT: If a legacy ldapclient.conf or confserv.conf file from a previous version exists, you must do the following before the first startup of the Master Configuration Server:
- If either of the files contains passwords, make sure that both of the following conditions are true:
  - The passwords are encrypted.
  - The confserv section of the confserv.conf file contains the option encryption=true.
  If either condition is not met, Configuration Server may import the legacy passwords incorrectly.
- If the legacy ldapclient.conf file contains multiple servers, list the servers in the order in which they are indexed, that is gauth_ldap, gauth_ldap_1, gauth_ldap_2, and so on. If you do not, Configuration Server indexes the servers in the order in which they are read.
Configuring LDAP Servers
Configuration Server supports up to ten LDAP authorization modules, or servers.
When you install Configuration Server, you can configure one LDAP server during the installation process. If you are using multiple LDAP Servers, you configure those additional LDAP servers on the Options tab of the Configuration Server object.
On the Options tab, there is one section for each LDAP server. The name of each section must be unique, and the sections should appear in the order in which they are indexed. The first section is named [gauth_ldap], as described previously. Genesys recommends naming each additional section [gauth_ldap_n], where n is a numeric index in the range of 1 to 9 for each LDAP server.
A section for a single server has a format like this:

[gauth_ldap] or [gauth_ldap_n]
ldap-url=<value>
app-user=<value>
password=<value>
cacert-path=<value>
cert-path=<value>
key-path=<value>
The options, or server parameters, in a section are listed in the following table (LDAP Server Parameters) and described in detail in Configuration Options.

| Parameter | Definition of value |
|---|---|
| ldap-url | URL used to access the LDAP server |
| app-user | Distinguished name of the application user |
| password | Application user password |
| cacert-path | Path to the CA certificate for the LDAP server |
| cert-path | Path to the certificate of the client's key |
| key-path | Path to the client's private key |
| idle-timeout | Time interval that the connection to the LDAP server will be kept open if there are no more requests |
| retry-attempts | Number of authorization retries that will be generated by Configuration Server if the LDAP server does not respond |
| retry-interval | Time that Configuration Server waits for an authorization reply from the LDAP server |
| connect-timeout | Initial timeout after which Configuration Server deems the specified LDAP server not available |
When you are finished configuring all LDAP servers, the Options tab will contain one or more sections that look like this, in addition to the mandatory gauth_ldap section for the first server:

[gauth_ldap_1]
ldap-url=ldaps://fram.us.int.vcorp.com:636/ou=Eng,o=vcorp,c=us??sub?(mail=X)
app-user=cn=Manager,o=vcorp,c=us
password=12345ABC9
cacert-path=keys/server.arm
cert-path=keys/client.arm
key-path=keys/private.pem
idle-timeout=5
retry-attempts=3
retry-interval=10
connect-timeout=10
Each section will have a different numeric identifier.
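As an added example (not from this page and not Genesys code), the following Python script parses a set of Configuration Server options in the INI-style layout shown above and checks the points made in this section and in the legacy-file note: that the gauth_ldap sections are named and ordered by index (gauth_ldap, gauth_ldap_1, gauth_ldap_2, ... up to ten), that app-user and password are set together, that the timeout and retry options are integers, and that each ldap-url parses as an RFC 4516 URL (scheme, host, port, base DN, attributes, scope, filter). The option names, the section layout and the ten-server limit come from the page; the hostnames, DNs and password in the embedded sample are constructed placeholders, and the warnings about a plaintext ldap:// URL and a missing cacert-path are this example's own hardening checks, not requirements stated on the page.

```python
"""Consistency checks for Configuration Server LDAP option sections.

Added example for this page, not Genesys code. It assumes the options are available as
INI-style text (bracketed section names, key=value lines), as the page presents them.
"""
import configparser
import re
from urllib.parse import unquote, urlsplit

MAX_LDAP_SERVERS = 10  # the page: up to ten LDAP servers
SECTION_RE = re.compile(r"^gauth_ldap(?:_\d+)?$")
NUMERIC_OPTIONS = ("idle-timeout", "retry-attempts", "retry-interval", "connect-timeout")


def parse_options(text):
    """Parse INI-style option text, keeping option names exactly as written."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # do not lower-case ldap-url, app-user, ...
    cp.read_string(text)
    return cp


def parse_ldap_url(url):
    """Split an RFC 4516 URL (scheme://host:port/dn?attrs?scope?filter?exts) into parts."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URL scheme: {parts.scheme!r}")
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (4 - len(fields))  # attributes, scope, filter, extensions
    return {
        "scheme": parts.scheme,
        "host": parts.hostname or "",
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "base_dn": unquote(parts.path.lstrip("/")),
        "attributes": fields[0],
        "scope": fields[1] or "base",  # RFC 4516 default scope
        "filter": unquote(fields[2]) or "(objectClass=*)",  # RFC 4516 default filter
        "extensions": fields[3],
    }


def check_ldap_options(cp):
    """Return (section, message) findings; an empty list means the options look consistent."""
    findings = []
    if cp.get("authentication", "library", fallback=None) != "gauth_ldap":
        findings.append(("authentication", "library is not set to gauth_ldap"))
    sections = [s for s in cp.sections() if SECTION_RE.match(s)]
    # The page requires gauth_ldap first, then gauth_ldap_1, gauth_ldap_2, ... in index order.
    expected = ["gauth_ldap"] + [f"gauth_ldap_{i}" for i in range(1, MAX_LDAP_SERVERS)]
    if sections != expected[: len(sections)]:
        findings.append(("*", f"LDAP sections must be {expected[:3]}... in order, at most {MAX_LDAP_SERVERS}; found {sections}"))
    for name in sections:
        sec = cp[name]
        url = sec.get("ldap-url")
        if not url:
            findings.append((name, "ldap-url is missing"))
        else:
            try:
                parsed = parse_ldap_url(url)
            except ValueError as exc:
                findings.append((name, f"ldap-url is invalid: {exc}"))
            else:
                if parsed["scheme"] == "ldap":
                    findings.append((name, "plaintext ldap:// URL; the app-user bind password would cross the network unencrypted"))
                elif not sec.get("cacert-path"):
                    findings.append((name, "ldaps:// without cacert-path; confirm how the server certificate is verified"))
        # The page: app-user and password are both needed when the server requires an authenticated search.
        if bool(sec.get("app-user")) != bool(sec.get("password")):
            findings.append((name, "app-user and password must be set together"))
        if bool(sec.get("cert-path")) != bool(sec.get("key-path")):
            findings.append((name, "cert-path and key-path must be set together for a client certificate"))
        for opt in NUMERIC_OPTIONS:
            if opt in sec and not sec[opt].isdigit():
                findings.append((name, f"{opt} must be a non-negative integer, got {sec[opt]!r}"))
    return findings


# Constructed sample in the page's layout; hostnames, DNs and the password are placeholders.
SAMPLE_OPTIONS = """
[authentication]
library=gauth_ldap
[gauth_ldap]
ldap-url=ldaps://ldap1.example.test:636/ou=Eng,o=example,c=us??sub?(mail=X)
app-user=cn=Manager,o=example,c=us
password=CHANGEME
cacert-path=keys/server.arm
[gauth_ldap_1]
ldap-url=ldap://ldap2.example.test/ou=Eng,o=example,c=us??sub?(mail=X)
app-user=cn=Manager,o=example,c=us
idle-timeout=5
retry-attempts=three
"""

if __name__ == "__main__":
    for section, message in check_ldap_options(parse_options(SAMPLE_OPTIONS)):
        print(f"[{section}] {message}")
```

Run against the embedded sample, the script reports three findings, all on gauth_ldap_1: a plaintext ldap:// URL, an app-user without a password, and a non-numeric retry-attempts. Pointing parse_options at the exported Options of a real Configuration Server or Configuration Server Proxy object lets you run the same checks before the first startup, when the index order of the legacy servers still matters.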
Deploying LDAP on Configuration Server Proxy
In geographically distributed systems prior to release 8.1, LDAP external authentication was configured only on the master Configuration Server, and each Configuration Server Proxy passed authentication requests to it.
Starting in release 8.1, LDAP External Authentication can be configured on the master Configuration Server and on each Configuration Server Proxy. This allows each Configuration Server Proxy to process authentication requests itself, without passing them on to the master Configuration Server. Use the procedure Deploying LDAP during Configuration Server installation.
