User Authentication via LDAPS

Has anyone tried configuring OutSystems to authenticate users via LDAPS (LDAP over SSL)? If yes, can you please send me some links or documentation on how to do that?

I am using version 7.0 and I can't find any option to configure authentication via LDAPS (I only have LDAP available).

Thank you in advance.
Hello Jayson,
Related to this issue, you can find the following helpful posts:

- http://www.outsystems.com/NetworkForums/ViewTopic.aspx?TopicId=3719&Topic=LDAP---Enterprise-Manager-user-synchronization

Good luck and let us know more about your solution.

Best Regards,
Gonlao
Thanks for the quick reply! I will definitely check on this and let you know my findings.
Jayson Leonor wrote:
Thanks for the quick reply! I will definitely check on this and let you know my findings.

Hi Jayson,

1) Have you tried something like: LDAPS://hostname:636/

Could you provide more details on your environment? Which stack are you using (J2EE or .Net)?

2) I wouldn't recommend using Enterprise Manager, since it's no longer supported.

Let us know if it worked, or if you had any other trouble.

Best Regards,

Pedro
Hello again Jayson,
Hope you can finish that task in a correct way with those tips.

However, pay attention to Pedro's tips and really, don't use Enterprise Manager - use the new model related to the eSpace Users.

Good luck.

Kind Regards,
Gonçalo M.
Pedro Filipe Manuel wrote:

Hi Jayson,

1) Have you tried something like: LDAPS://hostname:636/

Could you provide more details on your environment? Which stack are you using (J2EE or .Net)?

2) I wouldn't recommend using Enterprise Manager, since it's no longer supported.

Let us know if it worked, or if you had any other trouble.

Best Regards,

Pedro

Hi Pedro,

I tried to use that format but it is still not working. I entered the following values in the "Configure Authentication" page under the Users eSpace.

Authentication: LDAP (since there is no LDAPS option)
Default Domain: MYDOMAIN
LDAP Hostname: LDAPS://IPaddress:636/

I am using the .Net stack and SQL database.

Please let me know if there is something I missed or if you have more questions. I also want to move away from using Enterprise Manager so any help you could give to make it work under the Users eSpace is much appreciated.

Thanks,
Jayson
Hi Jayson,

Did you see any errors in Service Center's error logs?


Best Regards,

Pedro
Hi Pedro,

It only shows "Invalid Login" in the feedback message but no error logs were written. I have no idea where the problem lies.

Thanks,
Jayson
Hi Jayson,

I'm not sure if LDAPS is supported.
Please contact our Support Team and indicate your problem, they will assist you.


Thanks,

Pedro Manuel
Preceding the hostname with LDAPS:// should work.

Please try the following configuration and let us know if it works for you:

Authentication: LDAP
Default Domain: YOURDOMAIN
LDAP Hostname: LDAPS://IPaddress

Off the top of my head, I'd ask you if the LDAP server's SSL certificate is valid and accepted on the machine trying to connect.

You can try using the attached eSpace to check what kind of errors are being reported when attempting to login, and figure out what might be wrong. You should try the username with YOURDOMAIN\username and simply username.

If this doesn't work, you might want to check the LDAP authentication logs to try and understand what is happening.
Hi Ricardo,

I tried the LDAPTester and followed the format you recommended and here's the error message I got (which does not seem to be helpful):

     "Error Logging in: Unknown error (0x80005000)"

As for the SSL certificate, we have checked and tested it with our network admin and the machine is allowed to connect to LDAPS. I even tried setting up a test LDAP server (using OpenDS) on my local machine just to make sure it is not related to the environment and still arrived at the same error.

I also checked the Service Center and the LDAP server and they did not show error logs related to my login attempts. It seems like the application does not reach the LDAP server at all, which makes sense because the error shows up right after I hit Login.

I am kind of stuck here so I will probably take Pedro's advice and ask Support about it.

Appreciate all your inputs in this inquiry.

Thanks!
Jayson
One question: Is LDAP Authentication working for you?

If so, and since LDAPS is just LDAP over SSL, you could try to work around the issue by having the platform set to use LDAP and using stunnel to make the secure connection.

Would be something like:

* stunnel on your front-end listening on LDAP standard port (389) pointing to the actual LDAPS server
* your Agile Platform configuration pointing to hostname localhost

Let us know if this works out for you.
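The stunnel side of the workaround described above, as an added example that is not part of the original post or of the platform. The server name ldap.example.internal and the CA bundle path C:\stunnel\ldap-ca.pem are placeholders; verifyChain and checkHost need stunnel 5 or later (older releases use verify = 2 for the same purpose).

```ini
; Added example, not from the thread: stunnel.conf in client mode.
; The platform is configured for plain LDAP against "localhost";
; stunnel wraps that connection in TLS towards the real LDAPS server.
[ldaps-client]
client = yes

; Listen only on the loopback interface so that nothing but the local
; front-end can use the unencrypted leg of the tunnel.
accept = 127.0.0.1:389

; The actual LDAPS server (placeholder name) on the standard SSL port.
connect = ldap.example.internal:636

; Verify the server certificate chain against the trusted CA and check
; that the certificate matches the expected host name. Without these
; two settings stunnel accepts any certificate, and the bind password
; travelling through the tunnel could be captured by whoever answers
; on port 636.
verifyChain = yes
CAfile = C:\stunnel\ldap-ca.pem
checkHost = ldap.example.internal
```

With this in place the platform's "LDAP Hostname" is simply localhost (port 389), while a certificate problem on the LDAPS server shows up in stunnel's log instead of as a silent "Invalid Login".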
Hi! It's me again. We tried LDAP (the non-secured one), and it is not working either. I even used a third-party LDAP browser and it cannot connect to the server. I would like to try the stunnel option but I think it makes sense to make it work with LDAP first.

I also would like to share some settings on the app server which I suspect (not really sure) cause the issue:

  1. The IIS server (OutSystems) is not joined to any domain. Meaning, it just uses the default WORKGROUP.
  2. The IIS server is only allowed to connect to LDAP server via port 389 and 636 (for SSL). We cannot ping to the LDAP hostname/IP but telnet to hostname+port works.

My question is, does the built-in LDAP authentication require the IIS server to be joined to a domain?

Regards,
Jayson
Accessing LDAP shouldn't require that the client machine is in the domain.

Well, next thing to look at would be to check if the problem is in the LDAP server or specific to the machine that's accessing it.

Can you browse that LDAP server from the server itself? From other machines on the network?

This is really an issue you should troubleshoot with your LDAP administrator.
Post a capture; that way we can see if it's reaching out.
Hi Ricardo,

Thanks for your inputs. To answer your questions:

Can you browse that LDAP server from the server itself?
- I can only TELNET to the hostname & port; even using a third-party LDAP browser, I cannot connect to or browse it.
From other machines on the network?
- Yes. The customer has other app servers (non-OutSystems) that are able to connect and authenticate to their LDAP server.

On another note, here is the error I am getting when I use the LDAP (non-secured) parameters in the LDAPTester application.
    "Error logging in. The server is not operational."
No error or stack trace is logged in the Service Center. Any possible reasons it is telling me this?

I hope you or anyone could also give us some guidelines on the configuration/settings we could check on the platform server and/or LDAP server to ensure that it is ready for LDAP authentication (regardless of whether it is OutSystems or Windows specific).

I know this might be beyond OS but we are not experts or that experienced when it comes to integration like this. Another thing is we do not have full authority over the customer's servers and any change request to server/network requires proper justification and approval on the customer's side. So any help or anything you could share from your experience would really be much appreciated.
Ricardo,

I have tried the LDAPTester and it comes back with:
Error Logging in: The requested authentication method is not supported by the server

The thing is the LDAP server I try to connect to is an IBM Lotus Notes Domino Server.

And I use a trial edition of the Agile Platform version 7.0.1.7, which runs on a Windows XP box.

Am I correct in assuming, though, that even if LDAP is used, this Extension only works for Active Directory integration?

Bye,

Harry