Active Directory Authentication


This is a step-by-step guide on how to use Active Directory external authentication with the search approach (bind with a dedicated service account, search for the DN of the user who is logging in, then bind as that user with the password they typed) in ISL Conference Proxy Server. These instructions assume that you have a Windows Server machine with a working ISL Conference Proxy Server installation and the Active Directory Domain Services role installed and running.

Note about SSL

Enabling SSL (LDAPS) for the integration is strongly recommended: the bind is a simple bind, so without SSL the bind password and every user's login password are sent to the domain controller in plain text. You can enable it by passing the SSL parameter with the value 1. When enabling SSL on Windows, make sure that the CA certificate which issued the domain controller's certificate has been imported into the server's system certificate store; otherwise the certificate of the LDAPS connection cannot be validated and the connection fails.

Bind User

Active Directory usually does not allow anonymous binds. Because of that, we first have to create a dedicated user that ISL Conference Proxy will use to connect to the server and search for other users. This bind account only needs to read the directory, so create it as an ordinary domain user and do not add it to any privileged group.

Step 1

Open Active Directory Users and Computers (run as administrator).

Step 2

Right click Users and then New > User.

Step 3

Enter the User logon name, e.g. icp, and the other information, then click Next.

Step 4

Type a password, e.g. Xconference!, uncheck User must change password at next logon and click Next, then Finish. If the bind account's password later expires or has to be changed, every external login stops working, so keep this account under your password-rotation process.

Step 5

Repeat the same procedure to create another user, with testuser as logon name and Xtesting! as password. This is an ordinary user, used only to verify the search filter and the login.
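The same two accounts created from PowerShell instead of the Active Directory Users and Computers GUI, as an added example that is not part of the article (ISL's own documentation only describes the GUI steps). It assumes the article's example domain example.com (DC=example,DC=com) and its default Users container, the ActiveDirectory module (RSAT), and rights to create users; the passwords are prompted for so that they do not end up in the PowerShell history.

```powershell
# Added example, not from the ISL Conference Proxy documentation: create the
# bind user "icp" and the test user "testuser" with the ActiveDirectory module.
# Assumption: the article's example domain example.com and its Users container.
Import-Module ActiveDirectory

$domainDn  = "DC=example,DC=com"
$usersPath = "CN=Users,$domainDn"

# The bind account only reads the directory, so it is a plain domain user
# (member of Domain Users only) and is never added to privileged groups.
# Read-Host keeps the password out of the command line and the history file.
$bindPassword = Read-Host -Prompt "Password for bind user icp" -AsSecureString

New-ADUser -Name "icp" `
    -SamAccountName "icp" `
    -UserPrincipalName "icp@example.com" `
    -Path $usersPath `
    -Description "ISL Conference Proxy LDAP bind account (read-only)" `
    -AccountPassword $bindPassword `
    -ChangePasswordAtLogon $false `
    -CannotChangePassword $true `
    -PasswordNeverExpires $true `
    -Enabled $true
# PasswordNeverExpires avoids an outage of all external logins when the domain
# password policy would expire the account; rotate it on your own schedule.

# Throw-away account used only to verify the search filter and the login.
$testPassword = Read-Host -Prompt "Password for testuser" -AsSecureString

New-ADUser -Name "testuser" `
    -SamAccountName "testuser" `
    -UserPrincipalName "testuser@example.com" `
    -Path $usersPath `
    -AccountPassword $testPassword `
    -ChangePasswordAtLogon $false `
    -Enabled $true

# Verify that both objects live under the search base the article uses later
# (CN=Users,DC=example,DC=com) and that they are enabled.
Get-ADUser -Filter 'sAMAccountName -eq "icp" -or sAMAccountName -eq "testuser"' -SearchBase $usersPath |
    Select-Object SamAccountName, DistinguishedName, Enabled
```

The final Get-ADUser call should list CN=icp,CN=Users,DC=example,DC=com and CN=testuser,CN=Users,DC=example,DC=com with Enabled set to True; if either is missing, the search base used in the following sections will not find it.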

Test Search Filter

Next we check the bind user's credentials and work out the search filter that finds a user by logon name.

Step 1

Open an LDAP browser, e.g. LDAPadmin.

Step 2

Click Start > Connect and select New Connection.

Step 3

Fill in the following fields:

  • Connection name, e.g. Active Directory Connection
  • Host, e.g. example.com
  • Base, e.g. CN=Users,DC=example,DC=com

Then uncheck Anonymous connection and enter the following:

  • Username of our bind user, e.g. CN=icp,CN=Users,DC=example,DC=com
  • Password of our bind user, e.g. Xconference!

and click OK.

Step 4

Double-click the connection created in the previous steps, i.e. Active Directory Connection.

Step 5

Click on Edit > Search and fill in the following fields:

  • Path, e.g. CN=Users,DC=example,DC=com
  • Filter (in Custom tab), e.g. sAMAccountName=testuser

and click Start. The result should be exactly one entry, CN=testuser,CN=Users,DC=example,DC=com.
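The same check done from PowerShell, as an added example that is not part of the article and is not ISL's ldap.exe: it performs the search approach by hand with the .NET System.DirectoryServices.Protocols classes (bind as the service account, search the base for the logon name, bind again as the DN that was found), so the bind user, search base and filter can be verified without an LDAP browser and the effect of the SSL and DISABLEREFERRALS parameters described on this page can be reproduced. Host, DNs and user names are the article's example values; the helper names New-LdapConnection and ConvertTo-LdapFilterValue are mine. The filter is written with the enclosing parentheses that RFC 4515 requires; the ldap.exe form on this page omits them.

```powershell
# Added example, not part of the article or of ISL's ldap.exe: the LDAP
# "search approach" with System.DirectoryServices.Protocols (Windows wldap32).
Add-Type -AssemblyName System.DirectoryServices.Protocols

$ldapHost   = "example.com"                          # article's example host
$bindDn     = "CN=icp,CN=Users,DC=example,DC=com"    # bind (service) account
$searchBase = "CN=Users,DC=example,DC=com"
$username   = "testuser"                             # what the end user types
$useSsl     = $true   # LDAPS on 636; the DC certificate must chain to a trusted CA

function New-LdapConnection {
    param([string]$Server, [string]$Dn, [System.Security.SecureString]$Password, [bool]$Ssl)
    $port = if ($Ssl) { 636 } else { 389 }
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.SessionOptions.SecureSocketLayer = $Ssl
    # Same effect as the DISABLEREFERRALS 1 parameter: never chase referrals.
    $conn.SessionOptions.ReferralChasing   = [System.DirectoryServices.Protocols.ReferralChasingOptions]::None
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic   # simple bind with a DN
    $conn.Credential = New-Object System.Net.NetworkCredential($Dn, $Password)
    $conn.Bind()   # throws LdapException when the DN/password pair is rejected
    return $conn
}

function ConvertTo-LdapFilterValue {
    param([string]$Value)
    # RFC 4515 escaping. A logon name copied into a filter unescaped lets the
    # caller rewrite the filter ("*" or "x)(objectClass=*" style input), so
    # escape the five special characters before substituting the value.
    $sb = New-Object System.Text.StringBuilder
    foreach ($c in $Value.ToCharArray()) {
        switch ($c) {
            '\'  { [void]$sb.Append('\5c') }
            '*'  { [void]$sb.Append('\2a') }
            '('  { [void]$sb.Append('\28') }
            ')'  { [void]$sb.Append('\29') }
            "`0" { [void]$sb.Append('\00') }
            default { [void]$sb.Append($c) }
        }
    }
    return $sb.ToString()
}

# Step 1: the service account binds and looks up the DN behind the logon name.
$bindPassword = Read-Host -Prompt "Password for $bindDn" -AsSecureString
$service = New-LdapConnection -Server $ldapHost -Dn $bindDn -Password $bindPassword -Ssl $useSsl

$filter  = "(sAMAccountName=$(ConvertTo-LdapFilterValue $username))"
$request = [System.DirectoryServices.Protocols.SearchRequest]::new(
    $searchBase, $filter,
    [System.DirectoryServices.Protocols.SearchScope]::Subtree,
    [string[]]@("distinguishedName", "sAMAccountName"))
$response = [System.DirectoryServices.Protocols.SearchResponse]$service.SendRequest($request)

if ($response.Entries.Count -ne 1) {
    throw "Expected exactly one entry for $filter under $searchBase, got $($response.Entries.Count)"
}
$userDn = $response.Entries[0].DistinguishedName
"Search result: $userDn"   # expected: CN=testuser,CN=Users,DC=example,DC=com

# Step 2: bind as the DN that was found, with the password the user typed.
# Only a successful second bind means the user is authenticated.
$userPassword = Read-Host -Prompt "Password for $username" -AsSecureString
try {
    $userConn = New-LdapConnection -Server $ldapHost -Dn $userDn -Password $userPassword -Ssl $useSsl
    "Authentication OK for $userDn"
    $userConn.Dispose()
} catch {
    "Authentication FAILED for $userDn : $($_.Exception.Message)"
}
$service.Dispose()
```

If the first bind already fails, the problem is the bind DN or its password, not the filter; if the search returns zero entries, the search base or the filter is wrong. Note that domain controllers configured to require LDAP signing reject simple binds on an unencrypted connection, so run this with $useSsl set to $true unless you are deliberately testing the plain port.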

Create Search Filter

Now we check the bind credentials and the search filter with the command-line program that ISL Conference Proxy itself uses for external authentication.

Step 1

Open Command Prompt or PowerShell (run as administrator).

Step 2

Change directory to C:\Program Files\ISL Conference Proxy, where the ISL Conference Proxy programs are located. The path contains spaces, so quote it (cmd.exe tolerates the unquoted form, PowerShell does not):

cd "C:\Program Files\ISL Conference Proxy"

Step 3

Run authenticator\ldap.exe with the following command-line arguments:

  • HOST, e.g. HOST "example.com"
  • BINDDN, e.g. BINDDN "cn=icp,cn=Users,dc=example,dc=com"
  • BINDPASSWORD, e.g. BINDPASSWORD "Xconference!"
  • SEARCHBASE, e.g. SEARCHBASE "cn=Users,dc=example,dc=com"
  • SEARCHFILTER, e.g. SEARCHFILTER "sAMAccountName=@USERNAME@" (the @USERNAME@ placeholder is replaced with the logon name being checked)
  • USERNAME, e.g. USERNAME "testuser"
  • PASSWORD, e.g. PASSWORD "Xtesting!"

authenticator\ldap.exe HOST "example.com" BINDDN "cn=icp,cn=Users,dc=example,dc=com" BINDPASSWORD "Xconference!" SEARCHBASE "cn=Users,dc=example,dc=com" SEARCHFILTER "sAMAccountName=@USERNAME@" USERNAME "testuser" PASSWORD "Xtesting!"

Press Enter. If the arguments are correct, the last line of the output is <authenticationResponse><result>OK</result></authenticationResponse>. If it is not, re-check the bind credentials, search base and filter before continuing, because the same values are reused in the setting below.

Prepare the encoded bind password

You should encode the chosen bind password before using it in the external authenticator setting, so that it is not stored and displayed in plain text in the ISL Conference Proxy administration pages. Note that this is obfuscation for the configuration, not a hash: the server still has to recover the plain-text password to bind to Active Directory, so it does not replace restricting who can access the administration pages and the configuration.

Step 1

Open Command Prompt or PowerShell (run as administrator).

Step 2

Change directory to C:\Program Files\ISL Conference Proxy (quote the path, it contains spaces).

cd "C:\Program Files\ISL Conference Proxy"

Step 3

Run confproxy_server.exe with the following command-line arguments:

  • --password-tool (enables the password tool mode)
  • encode (indicates that you wish to encode a password)
  • islstatic1 (indicates that the target format should be islstatic1)
  • "<bind_password>" (your chosen bind password, defined in the "Bind User" section, e.g. "Xconference!")

confproxy_server.exe --password-tool encode islstatic1 "Xconference!"

Press Enter. If the arguments are correct, you should get the encoded password in the chosen format, looking like this:

[^|islstatic1|^]7riDLNKvPIK5OvJrO9M/NJp16r5NzEgk

Important note

The tool produces a different encoded value on every run. If the encoded password contains a + character, re-run the command until you get an output without one; this avoids problems when the value is placed into the setting in the next section.

Copy that whole line, you will need it in the following section.

Configure ISL Conference Proxy

Step 1

Open the ICP administration page, i.e. http://localhost:7615/conf, and log in as administrator.

Step 2

Go to User management > Domains, and select an existing domain or add a new one, e.g. ldapusers, by clicking Create domain....

Step 3

In the Security tab, enable External authenticator and paste the command for external authentication, derived from the command-line test as follows:

  • keep the program name and the HOST, BINDDN, BINDPASSWORD, SEARCHBASE and SEARCHFILTER arguments, but remove USERNAME and PASSWORD (ISL Conference Proxy supplies them from the login form),
  • remove the quotes, replace the spaces between arguments with semicolons and add a semicolon at the end,
  • replace the value of BINDPASSWORD with the encoded bind password from the previous section,
  • insert - as the first argument, so that the remaining arguments are passed to ldap.exe through standard input rather than on the command line, where they would be visible in the process list.

authenticator\ldap.exe;-;HOST;example.com;BINDDN;cn=icp,cn=Users,dc=example,dc=com;BINDPASSWORD;[^|islstatic1|^]7riDLNKvPIK5OvJrO9M/NJp16r5NzEgk;SEARCHBASE;cn=Users,dc=example,dc=com;SEARCHFILTER;sAMAccountName=@USERNAME@;

Important note

User names on ISL Conference Proxy are case-sensitive, while AD logon names are not. This means that if a user logs in as User1, user1 and USeR1, three separate users are created on ISL Conference Proxy even though they all match the same AD account. To avoid this and always create exactly one user, named with the casing stored in AD, use the REMAP parameter, specifying the target domain on ISL Conference Proxy and the AD attribute whose value should be used for the remapping, regardless of the casing the end user typed at login. Note that the AD attribute name in the setting (between the two @ signs) must be lowercase.

Example: REMAP;\\ldapusers\@samaccountname@;

With the important note above in mind, the resulting setting value for this example would be:

authenticator\ldap.exe;-;HOST;example.com;BINDDN;cn=icp,cn=Users,dc=example,dc=com;BINDPASSWORD;[^|islstatic1|^]xnrRLHGFSpR51DLLsYwmQAwYuSkqxSJF;SEARCHBASE;cn=Users,dc=example,dc=com;SEARCHFILTER;sAMAccountName=@USERNAME@;REMAP;\\ldapusers\@samaccountname@;

Do not forget to save your changes by clicking the Save button in the bottom right corner.
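The two error-prone steps of this procedure, running the password tool until its output contains no + and turning the tested ldap.exe arguments into the semicolon-separated setting, automated in PowerShell as an added example that is not part of the article and not ISL's own tooling. It assumes the install path, argument names and tool syntax used on this page, and the article's example values (domain ldapusers, attribute samaccountname); the function names and the check that no value contains the ; separator are mine.

```powershell
# Added example, not from the ISL Conference Proxy documentation: encode the
# bind password and build the External authenticator setting string.
$icpHome = "C:\Program Files\ISL Conference Proxy"   # assumption: default install path

function Get-EncodedBindPassword {
    param([string]$PlainPassword)
    # confproxy_server.exe produces a different encoding on each run, so repeat
    # until the result contains no "+" (the article's rule). The tool takes the
    # plain password as a command-line argument, so run this on the server only.
    for ($i = 0; $i -lt 50; $i++) {
        $encoded = (& "$icpHome\confproxy_server.exe" --password-tool encode islstatic1 $PlainPassword |
                    Select-Object -Last 1).Trim()
        if ($encoded -notmatch '^\[\^\|islstatic1\|\^\]') {
            throw "Unexpected password tool output: $encoded"
        }
        if ($encoded -notlike '*+*') { return $encoded }
    }
    throw "Could not obtain an encoded password without '+' after 50 attempts"
}

function New-ExternalAuthenticatorSetting {
    param(
        [string]$LdapHost,
        [string]$BindDn,
        [string]$EncodedBindPassword,
        [string]$SearchBase,
        [string]$SearchFilter = 'sAMAccountName=@USERNAME@',
        [string]$RemapDomain = $null          # e.g. "ldapusers"; empty omits REMAP
    )
    # USERNAME and PASSWORD are deliberately absent: ICP adds them at login time.
    $pairs = [ordered]@{
        HOST         = $LdapHost
        BINDDN       = $BindDn
        BINDPASSWORD = $EncodedBindPassword
        SEARCHBASE   = $SearchBase
        SEARCHFILTER = $SearchFilter
    }
    if ($RemapDomain) {
        # Attribute name between the @ signs must be lowercase (see the note above).
        $pairs.REMAP = "\\$RemapDomain\@samaccountname@"
    }
    # "-" first: ldap.exe reads the remaining arguments from standard input, so
    # the bind password does not appear on the process command line.
    $parts = @("authenticator\ldap.exe", "-")
    foreach ($key in $pairs.Keys) {
        $value = [string]$pairs[$key]
        # Assumed check: ";" is the argument separator, so a value containing it
        # would be split into two arguments.
        if ($value -match ';') { throw "Value of $key contains ';', the argument separator: $value" }
        $parts += $key
        $parts += $value
    }
    return ($parts -join ';') + ';'
}

# Usage with the article's example values.
$encoded = Get-EncodedBindPassword -PlainPassword (Read-Host -Prompt "Bind password for icp")
$setting = New-ExternalAuthenticatorSetting -LdapHost "example.com" `
    -BindDn "cn=icp,cn=Users,dc=example,dc=com" `
    -EncodedBindPassword $encoded `
    -SearchBase "cn=Users,dc=example,dc=com" `
    -RemapDomain "ldapusers"
$setting | Set-Clipboard      # paste into Security > External authenticator
$setting
```

For the article's values the result has the same shape as the setting shown above: authenticator\ldap.exe;-;HOST;example.com;BINDDN;cn=icp,cn=Users,dc=example,dc=com;BINDPASSWORD;[^|islstatic1|^]...;SEARCHBASE;cn=Users,dc=example,dc=com;SEARCHFILTER;sAMAccountName=@USERNAME@;REMAP;\\ldapusers\@samaccountname@; with your own encoded password in place of the dots. Leave -RemapDomain out to get the variant without REMAP.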

Step 4

Go to the ICP login page and try logging in using \\domain\username, e.g. \\ldapusers\testuser, and the user's AD password.

Useful hint: If you do not want to type the domain prefix (\\domain\, e.g. \\ldapusers\) when entering your username, open the ISL Conference Proxy administration and change the setting Configuration > General > Default domain for user authentication from its default value (default) to your custom domain (e.g. ldapusers). After that, try logging in with just the username (e.g. testuser) and the appropriate password.

Note about LDAP referrals

A referral tells the client to continue the search on another server (typically another domain controller of the forest); chasing it means an extra connection that may be slow or fail. If you encounter random failures, timeouts and similar inconsistent behaviour when using external authentication, try disabling referral chasing by passing the DISABLEREFERRALS parameter with the value 1.

Tags: isl conference proxy, integration, external authenticator
