
LDAP

NIM supports LDAP for authentication, providing a versatile and secure method for user verification. This capability allows NIM to authenticate users from a range of external systems that support LDAP, including Active Directory and Google. The advantage of using LDAP for authentication in NIM is the convenience it offers; users can access NIM applications without the need for creating separate passwords within NIM itself. This feature simplifies the process of deploying NIM Apps, as it integrates with existing user credentials from these external systems, streamlining access and maintaining security.

Requirements
  • The system that will be used for LDAP (e.g. the Active Directory system) must be added as a system in NIM

  • An inter-system relation must exist between the LDAP system and the Internal system

  • The firewall must allow TCP port 389 (LDAP) or 636 (LDAPS) between NIM and the LDAP server

Creating Internal Users

The first step is to make sure that all the users you need are configured in NIM's Internal User Table.

  1. Go to Processing > Filters and create a filter containing the AD users that you want created in the NIM internal system table (see Filters for more info on creating a filter)

  2. Go to Output > Mappings and create a new mapping with the following settings (see Mappings for more info on creating a mapping)

    1. System: internal

    2. Target: users

    3. Function: user_create

    4. Name: (e.g. Internal_User_Create)

  3. Add the following attributes and constants into the Attribute Mapping

    1. AuthMethod: LDAP

    2. Description: <AD User Description>

    3. DisplayName: <AD User displayName>

    4. Email: <AD User mail>

    5. Enabled: True

    6. ExternalID: <AD User objectGUID>

    7. Name: <AD User sAMAccountName>

  4. Go to Output > Jobs and create a job that has your mapping in the configuration and run the job

Configure LDAP Connection

This example provides the steps to set up a connection to Active Directory.

  1. Go to Processing > Relations

  2. Configure the following

    • System A: internal

    • Type A: users

    • Column A: ExternalID

    • System B: AD

    • Type B: Users

    • Column B: objectGUID

  3. Click Add then Save

  4. Go to Configuration > Settings > LDAP

  5. Click on Add

  6. Specify the name for the LDAP (e.g. LDAP)

  7. Populate the fields accordingly

    1. Related System: AD

    2. DNS Name: AD FQDN or DC FQDN

    3. SSL: If using LDAPS, check box

    4. Port: If using LDAPS, then 636. Else use 389

    5. Certificate: Leave empty

Troubleshooting

Errors can surface while configuring LDAP in NIM. Listed below are common errors and the actions that can be taken to resolve them.

Error verifying certificate

Error connecting to LDAP server ldaps://<SERVER>:636: Error-UNABLE_TO_VERIFY_LEAF_SIGNATURE: unable to verify the first certificate

  1. You need to add the CA certificate for LDAPS to NIM. You can use the CertUtil.exe command in CMD to view the Certificate Authorities bound to the machine. This will give you the name of the cert or certs to find in MMC and export

  2. Within Windows, open a command prompt

  3. Type CertUtil.exe and press Enter

  4. Take note of the certificate listed

  5. Click on Start > Run > type mmc

  6. Click on File > Add/Remove Snap-In

  7. Click on Certificates > Add > select Computer Account and Click Finish

  8. Expand Trusted Root Certification Authorities > Certificates

  9. Find the CA Certificate, Right-Click > Export

  10. Next, click on DER encoded binary X.509 (.CER)

  11. Save Certificate to disk

  12. Within NIM, click on Configuration > Settings > Certificates

  13. Click Add and specify certificate name (e.g. LDAPCA)

  14. Select File

  15. Put in any text in the password field, currently there has to be some value for this to work

  16. Click Add, and then Save

  17. Then test your connection again. NOTE: The certificate parameter on the LDAP Server configuration should NOT be selected for Active Directory binding. It should be left blank

Error connecting hostname

Error connecting to LDAP server ldaps://<HOSTNAME>:636: Error-ERR_TLS_CERT_ALTNAME_INVALID: Hostname/IP does not match certificate's altnames: Host: <HOSTNAME>. is not in the cert's altnames: DNS:<HOSTNAME>"

This is caused by the certificate name not matching the host we are connecting to. Check that the certificate name matches the hostname. Often the certificate is issued for a specific DC, so changing the hostname in the LDAP configuration to that Domain Controller's FQDN will correct the issue.
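Both troubleshooting cases above (the chain error UNABLE_TO_VERIFY_LEAF_SIGNATURE and the hostname error ERR_TLS_CERT_ALTNAME_INVALID) can be reproduced outside NIM before touching its configuration. The following is an added example, not NIM's own code or part of this page: it performs the same verification a TLS client does, using the CA certificate exported in the steps above as the trust anchor, and separately implements the altname matching rule so the "<HOSTNAME>. is not in the cert's altnames" message can be checked offline. The function names, the hostnames and the altname lists are constructed for the example; the matching rule goes beyond the page in also handling wildcard names (leftmost label only, one label, per RFC 6125) and the trailing dot that appears in the error text.

```python
import socket
import ssl


def _normalize(name: str) -> str:
    # DNS names are case-insensitive, and "host." (absolute form, as shown in
    # the NIM error) names the same host as "host".
    return name.strip().lower().rstrip(".")


def hostname_matches_altnames(hostname: str, altnames) -> bool:
    """Return True if hostname is covered by one of the certificate's DNS
    subjectAltName entries. Entries may carry the "DNS:" prefix used in the
    error text. A wildcard is accepted only as the whole leftmost label and
    matches exactly one label: "*.corp.example.com" covers
    "dc01.corp.example.com" but not "corp.example.com" or "a.b.corp.example.com"."""
    host = _normalize(hostname)
    for raw in altnames:
        name = raw.split(":", 1)[1] if raw.upper().startswith("DNS:") else raw
        name = _normalize(name)
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]                      # ".corp.example.com"
            if host.endswith(suffix):
                prefix = host[: -len(suffix)]      # the part the "*" must cover
                if prefix and "." not in prefix:
                    return True
    return False


def diagnose_ldaps(host: str, port: int = 636, ca_file=None, timeout: float = 5.0) -> dict:
    """Connect to host:port with full certificate verification, trusting ca_file
    (the exported CA .cer; None means the system store) and classify the result
    the way NIM's two error messages do: chain failure vs. hostname mismatch."""
    context = ssl.create_default_context(cafile=ca_file)
    context.check_hostname = True
    context.verify_mode = ssl.CERT_REQUIRED
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with context.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        text = str(exc).lower()
        problem = "hostname_mismatch" if "hostname" in text else "chain_verification_failed"
        return {"ok": False, "problem": problem, "detail": str(exc)}
    except OSError as exc:
        # Covers refused connections and timeouts (firewall not allowing 636).
        return {"ok": False, "problem": "connection_failed", "detail": str(exc)}
    sans = [f"{kind}:{value}" for kind, value in cert.get("subjectAltName", ())]
    return {
        "ok": True,
        "problem": None,
        "altnames": sans,
        "hostname_covered": hostname_matches_altnames(host, sans),
    }


if __name__ == "__main__":
    # Offline check with constructed altnames: a certificate issued for one DC
    # does not cover the domain name, which is the situation described above.
    dc_cert_altnames = ["DNS:dc01.corp.example.com"]
    for candidate in ("corp.example.com.", "dc01.corp.example.com."):
        print(candidate, "->", hostname_matches_altnames(candidate, dc_cert_altnames))
    # Live check (replace with your DC FQDN and the exported CA file):
    # print(diagnose_ldaps("dc01.corp.example.com", 636, ca_file="LDAPCA.cer"))
```

If diagnose_ldaps reports chain_verification_failed with the exported CA file, the wrong authority was exported (repeat the CertUtil.exe step); if it reports hostname_mismatch, the altnames list shows which Domain Controller FQDN to put in the LDAP configuration instead.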