K2 LDAP Setup

Introduction

Have you set up your K2 server in workgroup mode but want to authenticate against your AD server? Or do you need to connect to another server to get a further set of users (e.g. ADFS)?

Well, I believe there is no way around it except setting up another security label that connects via LDAP.

K2 has provided the steps to set up an LDAP security label. You may refer to it to do the setup accordingly. Just take note to set up the claims after you have run the script.

While following the guide, I encountered some issues, so I am sharing the issues and their resolutions here.

Issue 1: Setting up authentication type as Basic

After you change the settings for your environment, you might want to change the authentication type to Basic as well. So what should be changed?

Resolution: Comparing the two blocks below, the settings you should change when switching from Negotiate to Basic are LdapAuthTypeConnect, LdapAuthTypeAuthenticateUser, LdapResolveAuthenticationUserToDistinguishedName, LdapConnectIntegrated, LdapConnectUserName and LdapConnectUserPassword.

Negotiate:

<LdapConnection
LdapServer="dlx.denallix.com"
LdapServerPort="389"
LdapSsl="false"
LdapAuthTypeConnect="Negotiate"
LdapAuthTypeAuthenticateUser="Negotiate"
LdapResolveAuthenticationUserToDistinguishedName="false"
LdapAutoBind="false"
LdapScope="Subtree"
LdapConnectIntegrated="true"
LdapConnectUserName=""
LdapConnectUserPassword=""
LdapTimeout="0"
LdapProtocolVersion="3"
LdapServerCertificatePath="" />

Basic:

<LdapConnection
LdapServer="dlx.denallix.com"
LdapServerPort="389"
LdapSsl="false"
LdapAuthTypeConnect="Basic"
LdapAuthTypeAuthenticateUser="Basic"
LdapResolveAuthenticationUserToDistinguishedName="true"
LdapAutoBind="false"
LdapScope="Subtree"
LdapConnectIntegrated="false"
LdapConnectUserName="domain\username"
LdapConnectUserPassword="password"
LdapTimeout="0"
LdapProtocolVersion="3"
LdapServerCertificatePath="" />


After you change the setup, restart your K2 service and do a test. If the settings are correct, you will be able to search for the user via the K2 workspace.

Note: It is possible that you can search for the user but K2 is unable to resolve the user (refer to Issue 2), so also test by logging in as a valid user from your AD.

Issue 2: Unable to resolve the user for the K2 LDAP setup (Basic mode)

After setting up Basic mode, I was able to search for the user through the K2 Management site (e.g. to add an admin user). But when I tried to log in as a user, it was not able to resolve the user attributes, although the system authenticated the user successfully. The system showed me (SecurityLabel:domain\user) as the Display Name. If the system were able to resolve the user, it would always display the friendly user name from AD. Thus we can conclude this is odd behaviour.

After trying for a couple of hours, I finally managed to find the culprit. In the script provided by K2 (with Negotiate as the example), there is a crucial setting that needs to be set.

Resolution:

<LdapConnection
LdapServer="dlx.denallix.com"
LdapServerPort="389"
LdapSsl="false"
LdapAuthTypeConnect="Basic"
LdapAuthTypeAuthenticateUser="Basic"
LdapResolveAuthenticationUserToDistinguishedName="true"
LdapAutoBind="false"
LdapScope="Subtree"
LdapConnectIntegrated="false"
LdapConnectUserName="domain\username"
LdapConnectUserPassword="password"
LdapTimeout="0"
LdapProtocolVersion="3"
LdapServerCertificatePath="" />

After you change the setting as shown above, the system resolves the username and returns the correct identity record.
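To make the Issue 1 and Issue 2 changes checkable rather than eyeballed, here is an added Python example (not K2's own code or tooling) that parses an LdapConnection element, rewrites a Negotiate block into the Basic form shown above, and lints the result. The attribute names are those from the post; the consistency rules are derived from the Negotiate/Basic comparison above, and the transport rule from the fact that a Basic (simple) bind over plain LDAP sends the password unencrypted. The sample XML is the post's Negotiate block with the blog's curly quotes replaced by plain ones; the service account name and password passed to to_basic are constructed values.

```python
"""Lint and transform a K2 <LdapConnection .../> element.

Added example, not K2's code. Attribute names come from the post's
LdapConnection snippets; the consistency rules are derived from the
post's Negotiate-vs-Basic comparison, the transport rule from how a
simple (Basic) bind works.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample: the post's Negotiate block, curly quotes replaced.
NEGOTIATE_XML = """<LdapConnection
LdapServer="dlx.denallix.com"
LdapServerPort="389"
LdapSsl="false"
LdapAuthTypeConnect="Negotiate"
LdapAuthTypeAuthenticateUser="Negotiate"
LdapResolveAuthenticationUserToDistinguishedName="false"
LdapAutoBind="false"
LdapScope="Subtree"
LdapConnectIntegrated="true"
LdapConnectUserName=""
LdapConnectUserPassword=""
LdapTimeout="0"
LdapProtocolVersion="3"
LdapServerCertificatePath="" />"""

# The attributes the post changes when moving from Negotiate to Basic
# (besides the connect user name and password, which are supplied).
BASIC_OVERRIDES = {
    "LdapAuthTypeConnect": "Basic",
    "LdapAuthTypeAuthenticateUser": "Basic",
    "LdapResolveAuthenticationUserToDistinguishedName": "true",
    "LdapConnectIntegrated": "false",
}


def parse_ldap_connection(xml_text: str) -> Dict[str, str]:
    """Return the LdapConnection attributes as a plain dict."""
    root = ET.fromstring(xml_text)
    if root.tag != "LdapConnection":
        raise ValueError(f"expected <LdapConnection>, got <{root.tag}>")
    return dict(root.attrib)


def to_basic(xml_text: str, user: str, password: str) -> str:
    """Rewrite a Negotiate LdapConnection into the Basic form (Issue 1)."""
    root = ET.fromstring(xml_text)
    for key, value in BASIC_OVERRIDES.items():
        root.set(key, value)
    root.set("LdapConnectUserName", user)
    root.set("LdapConnectUserPassword", password)
    return ET.tostring(root, encoding="unicode")


def lint_ldap_connection(attrs: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing to flag."""
    findings: List[str] = []
    connect = attrs.get("LdapAuthTypeConnect", "")
    auth_user = attrs.get("LdapAuthTypeAuthenticateUser", "")
    integrated = attrs.get("LdapConnectIntegrated", "").lower()
    resolve_dn = attrs.get("LdapResolveAuthenticationUserToDistinguishedName", "").lower()
    ssl = attrs.get("LdapSsl", "").lower()
    port = attrs.get("LdapServerPort", "")
    user = attrs.get("LdapConnectUserName", "")
    pwd = attrs.get("LdapConnectUserPassword", "")

    if connect != auth_user:
        findings.append(f"LdapAuthTypeConnect={connect!r} differs from "
                        f"LdapAuthTypeAuthenticateUser={auth_user!r}")
    if connect == "Basic":
        # Rules below mirror the post's Basic block.
        if integrated != "false":
            findings.append('Basic requires LdapConnectIntegrated="false"')
        if not user or not pwd:
            findings.append("Basic requires LdapConnectUserName and LdapConnectUserPassword")
        if resolve_dn != "true":
            findings.append('Basic without LdapResolveAuthenticationUserToDistinguishedName'
                            '="true": users authenticate but are not resolved (Issue 2)')
        # A simple bind over plain LDAP carries the password unencrypted.
        if ssl != "true":
            findings.append('Basic with LdapSsl="false": the connect account password and '
                            'every user login bind travel in cleartext; use LDAPS')
        if pwd.lower() in ("password", "changeme"):
            findings.append("LdapConnectUserPassword looks like a placeholder")
    elif connect == "Negotiate":
        # The post's Negotiate block is integrated with empty credentials.
        if integrated == "true" and (user or pwd):
            findings.append('Negotiate with LdapConnectIntegrated="true" should not carry '
                            'explicit credentials')
    if ssl == "true" and port == "389":
        findings.append('LdapSsl="true" on port 389: LDAPS normally listens on 636')
    return findings


if __name__ == "__main__":
    # Constructed service account; never commit a real password to a script.
    basic_xml = to_basic(NEGOTIATE_XML, "DENALLIX\\svc_k2", "S3cret!")
    for line in lint_ldap_connection(parse_ldap_connection(basic_xml)):
        print("finding:", line)
```

Run against the Basic block from the post and the linter reports two things: the connect account password is a placeholder, and with LdapSsl="false" on port 389 both the connect account's password and every user login bind go over the wire in cleartext. For anything beyond a lab, point the label at LDAPS (LdapSsl="true", normally port 636, with a server certificate the K2 host trusts) so that switching from Negotiate to Basic does not downgrade credential protection.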

Issue 3: How do I know whether the authentication succeeded?

Resolution: You can put together a quick form that displays all the variables under System User. If you can see the values being populated/retrieved, you are good to go!
