This page describes how to configure Fabric authentication for the Management Center against Azure Active Directory Domain Services (Azure AD DS) using LDAP over SSL (LDAPS).
Carry out the following steps:
A bind user (service account) must exist in AD so that Fabric can query it.
From your IT or AD administrator, you must get the following parameters:
- The distinguished name (DN) of the bind user that Fabric uses to query AD, and its password.
- The base DN under which Fabric searches for users.
- The host name of the LDAPS server (and its port, 636 by default).
- The CA certificate that issued the LDAPS server certificate (needed for the trust step below).
Below is an example of such parameters:
Bind user DN: CN=K2vtdaadmin,cn=users,DC=k2vfabric,DC=local
Users base DN: CN=Users,DC=k2vfabric,DC=local
LDAPS server: k2-fabric-ldap.k2vfabric.local
The following steps must be carried out on all Fabric nodes by the root user:
Connect as the fabric user.
Update the admin_privileges file on one Fabric node only (the one that you will start first).
This file holds the name of the AD user or group that will be granted the Fabric admin role. In our example it is K2vtdaadmin:
echo "K2vtdaadmin" > $FABRIC_HOME/config/admin_privileges
NOTE:
admin_privileges is applied only on the very first Fabric startup. After that, role management must be done within Fabric directly (via the Management Center or Fabric commands). Modifying this file after the first start has no effect.
Then, on every node, set the authenticator and the AD LDAP parameters in $FABRIC_HOME/config/config.ini:
[fabric]
SERVER_AUTHENTICATOR=adldap
[adldap_auth]
url=ldaps://k2-fabric-ldap.k2vfabric.local:636
admin_dn=CN=K2vtdaadmin,cn=users,DC=k2vfabric,DC=local
admin_password=<admin-password>
users_base_dn=CN=Users,DC=k2vfabric,DC=local
Note that admin_password is stored in clear text in config.ini, so make sure the file is readable only by the fabric user. You can set each parameter using merge-config.sh, an idempotent script that is safe to re-run. Use -s for the section, -k for the key, -v for the value and -f for the target file. For example:
$FABRIC_HOME/fabric/scripts/merge-config.sh -s fabric -k SERVER_AUTHENTICATOR -v adldap -f $FABRIC_HOME/config/config.ini
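The following bash is an added example, not the project's merge-config.sh and not code from this page. It reimplements the idempotent section/key/value merge that the paragraph above describes, applies the five settings of this page, and shows what "safe to re-run" means in practice: an existing key is replaced inside its own section, a missing section is created, unrelated sections are untouched, and a second run leaves the file byte-for-byte identical. The function names merge_ini, get_ini and configure_adldap, and the password argument, are assumptions.

```shell
#!/usr/bin/env bash
# Added example: idempotent INI merge in pure bash (mirrors merge-config.sh -s/-k/-v/-f).
# Assumes keys are written as KEY=VALUE with no surrounding spaces, as in this page's config.ini.
set -euo pipefail

# merge_ini FILE SECTION KEY VALUE
# - creates FILE and/or [SECTION] if they are missing
# - replaces KEY=... inside that section only, otherwise appends KEY=VALUE to the section
# - re-running with the same value changes nothing
merge_ini() {
  local file=$1 section=$2 key=$3 value=$4
  [ -f "$file" ] || : > "$file"
  if ! grep -q "^\[$section\]" "$file"; then
    printf '\n[%s]\n' "$section" >> "$file"
  fi
  local tmp
  tmp=$(mktemp)
  # Note: awk -v expands backslash escapes; values on this page contain none.
  awk -v s="$section" -v k="$key" -v v="$value" '
    BEGIN { insec = 0; done = 0 }
    /^\[/ {
      # leaving the target section without having seen the key: insert it here
      if (insec && !done) { print k "=" v; done = 1 }
      insec = ($0 == "[" s "]")
    }
    insec && !done && index($0, k "=") == 1 { print k "=" v; done = 1; next }
    { print }
    END { if (insec && !done) print k "=" v }
  ' "$file" > "$tmp"
  mv "$tmp" "$file"
}

# get_ini FILE SECTION KEY: prints the value of KEY in SECTION (empty if absent)
get_ini() {
  awk -v s="$2" -v k="$3" '
    /^\[/ { insec = ($0 == "[" s "]"); next }
    insec && index($0, k "=") == 1 { print substr($0, length(k) + 2); exit }
  ' "$1"
}

# configure_adldap CONFIG_FILE BIND_PASSWORD: the settings shown on this page
configure_adldap() {
  local cfg=$1 password=$2
  merge_ini "$cfg" fabric SERVER_AUTHENTICATOR adldap
  merge_ini "$cfg" adldap_auth url 'ldaps://k2-fabric-ldap.k2vfabric.local:636'
  merge_ini "$cfg" adldap_auth admin_dn 'CN=K2vtdaadmin,cn=users,DC=k2vfabric,DC=local'
  merge_ini "$cfg" adldap_auth admin_password "$password"
  merge_ini "$cfg" adldap_auth users_base_dn 'CN=Users,DC=k2vfabric,DC=local'
  chmod 600 "$cfg"   # the bind password is in clear text: owner-only access
}
```

Run configure_adldap against a copy of config.ini first and diff the result against the original before touching the real file; the diff should contain exactly the five lines above and nothing else.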
The following step is unique to LDAPS (as opposed to LDAP): the CA certificate that issued the LDAPS server certificate must be imported into the Fabric truststore with certificates.sh addtrust, otherwise Fabric will not trust the server and the bind will fail:
$FABRIC_HOME/fabric/scripts/certificates.sh addtrust ldap <path-to-ca-cert.cer>
By default, this imports into $FABRIC_HOME/config/.truststore. To use a different truststore, set FABRIC_TRUSTSTORE_PATH before running:
export FABRIC_TRUSTSTORE_PATH=<path-to-truststore>
$FABRIC_HOME/fabric/scripts/certificates.sh addtrust ldap <path-to-ca-cert.cer>
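Before importing a CA certificate, it is worth confirming that it really is the CA that issued the LDAPS server's certificate and that the certificate carries the host name used in the url setting; importing the wrong CA produces a trust failure that is hard to diagnose from Fabric's side. The following bash is an added example, not part of this page or of the Fabric scripts. It builds a constructed throwaway CA, an unrelated CA and a server certificate for k2-fabric-ldap.k2vfabric.local with openssl, and then shows the check passing for the right CA and failing for the wrong CA or the wrong host name. The function names check_ldaps_ca, fetch_ldaps_cert and make_demo_pki are assumptions.

```shell
#!/usr/bin/env bash
# Added example: verify a CA file against an LDAPS server certificate with openssl.
set -euo pipefail

# check_ldaps_ca CA_FILE SERVER_CERT_FILE HOSTNAME
# Returns 0 only if the CA is not expired, SERVER_CERT_FILE chains to CA_FILE,
# and the server certificate matches HOSTNAME (SAN, or CN as fallback).
check_ldaps_ca() {
  local ca=$1 server=$2 host=$3
  openssl x509 -in "$ca" -noout -checkend 0 >/dev/null || return 1
  openssl verify -CAfile "$ca" -verify_hostname "$host" "$server" >/dev/null 2>&1
}

# fetch_ldaps_cert HOST [PORT]: fetch the live server certificate over the network
# (PEM on stdout). Needs network access, so it is not exercised by the offline demo.
fetch_ldaps_cert() {
  local host=$1 port=${2:-636}
  openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null 2>/dev/null \
    | openssl x509
}

# make_demo_pki DIR: constructed test material (not real k2vfabric certificates):
# a demo CA, an unrelated CA, and a server certificate issued by the demo CA.
make_demo_pki() {
  local d=$1 host=k2-fabric-ldap.k2vfabric.local
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo LDAP CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated CA" \
    -keyout "$d/other.key" -out "$d/other-ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$host" > "$d/san.cnf"
  openssl x509 -req -in "$d/server.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -extfile "$d/san.cnf" -out "$d/server.pem" 2>/dev/null
}

# Offline demo: right CA and host passes; wrong CA or wrong host fails.
demo() {
  local d
  d=$(mktemp -d)
  make_demo_pki "$d"
  check_ldaps_ca "$d/ca.pem" "$d/server.pem" k2-fabric-ldap.k2vfabric.local && echo "right CA: OK"
  check_ldaps_ca "$d/other-ca.pem" "$d/server.pem" k2-fabric-ldap.k2vfabric.local || echo "wrong CA: rejected"
  check_ldaps_ca "$d/ca.pem" "$d/server.pem" wrong.example.test || echo "wrong host: rejected"
  rm -rf "$d"
}
```

Against a real server, use fetch_ldaps_cert k2-fabric-ldap.k2vfabric.local > server.pem and then check_ldaps_ca <path-to-ca-cert.cer> server.pem k2-fabric-ldap.k2vfabric.local before running certificates.sh addtrust. After the import, assuming the truststore is a Java keystore, keytool -list -keystore $FABRIC_HOME/config/.truststore should show the new entry.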
For more information about how Fabric works with LDAP, see the Fabric LDAP documentation. For more information about SAML configuration in Fabric, see the Fabric SAML documentation.