First released in version: 3.2

Directory services

Use the Directory services workspace to configure the connection to a third-party directory service that supports LDAP, such as Microsoft Active Directory or Apache Directory Server, for use when configuring user access in the Users and roles workspace (or the Roles screen in SmartSpace Web).

Connecting SmartSpace to a third-party directory service involves:

  1. Configuring the connection parameters.
  2. Making sure that the LDAP server interface service is running.

The first time that you search for a user or user group in the Users and roles workspace, SmartSpace will query the third-party directory service and then cache the results:

  • Changes to the third-party directory service are automatically detected.
  • Cached results for a particular query are deleted if they are not accessed for a given period (for example 24 hours).
  • Cached results are cleared if the LDAP server interface service is restarted.
  • When you change the way the connection is configured, the service is restarted to connect with the new configuration parameters.

This section assumes you have some knowledge of LDAP or that there is an LDAP administrator who can assist you.

The Directory services workspace

Click on DIRECTORY SERVICES to display the Directory services workspace.

example of the DIRECTORY SERVICES screen in SmartSpace Config

Configuring LDAP

  1. Open the Directory services workspace.
  2. Click Edit to configure LDAP settings for your SmartSpace installation.
  3. Click Save when you have finished entering the details.

LDAPS on Linux

Getting LDAPS to work can be difficult on a Linux platform server. If the server is a member of a Windows domain, then usually the required certificates and configuration will already be set up. But when accessing a non-Windows LDAP server using LDAPS, diagnosing problems can be difficult.

The Ubisense LDAP integration uses the OpenLDAP libraries on Linux. Ensure that the OpenLDAP client configuration has been set up correctly on the server. Typically the configuration will be in /etc/openldap/ldap.conf, and the root CA used to sign the LDAPS server certificate should be placed in /etc/openldap/cacerts. The ldap.conf should be set to try to verify the certificate:

TLS_CACERTDIR   /etc/openldap/cacerts
TLS_REQCERT     demand

To check that this is working, use the ldapsearch command-line tool:

ldapsearch -H ldaps://ldapserver.my.domain -x -b "dc=example,dc=com" -s sub "(objectclass=group)"

Here the filter supplied at the end of the command line should match the one entered in the All groups search filter. If this returns a list of group names, then the OpenLDAP client configuration is working. If not, use the verbose flag “-v” to see extensive debug information, or, if the cause is still unclear, the full debug level “-d 999”.

If there is a problem with the LDAP server certificate, then it is possible to turn off certificate checking in the client configuration, though this is not recommended for a secure production deployment. To turn off certificate checking at the client for testing, set the following in ldap.conf:

TLS_REQCERT     never
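The following script is an added example and not part of the Ubisense documentation. It reads the OpenLDAP client configuration described above, reports whether TLS_REQCERT still enforces server certificate verification (so that a temporary “never” left over from testing is caught before the deployment goes live), and composes the ldapsearch probe from the command above. The configuration path (overridable with an assumed LDAP_CONF environment variable), host name and DNs are placeholders; the optional bind DN argument covers the case, described further down the page, of an OpenLDAP server that requires a full distinguished name as the user.

```shell
#!/bin/sh
# Added example (not Ubisense code): check the OpenLDAP client TLS settings
# and build the ldapsearch connectivity probe. Paths, hosts and DNs below are
# assumptions for illustration.

# Print the effective value of a directive in ldap.conf: the last occurrence
# wins, directive names are case-insensitive, "#" lines are comments.
ldap_conf_get() {
    conf="$1"; name="$2"
    awk -v want="$name" \
        '$1 !~ /^#/ && toupper($1) == want { val = $2 } END { print val }' "$conf"
}

# Effective TLS_REQCERT level, lower-cased. OpenLDAP's own default when the
# directive is absent is "demand".
ldap_reqcert() {
    val=$(ldap_conf_get "$1" TLS_REQCERT | tr 'A-Z' 'a-z')
    printf '%s\n' "${val:-demand}"
}

# Return 0 when the client verifies the LDAPS server certificate
# (TLS_REQCERT demand or hard, plus a CA location), 1 otherwise.
ldap_tls_check() {
    conf="$1"
    level=$(ldap_reqcert "$conf")
    cadir=$(ldap_conf_get "$conf" TLS_CACERTDIR)
    cafile=$(ldap_conf_get "$conf" TLS_CACERT)
    case "$level" in
        demand|hard) ;;
        *)
            echo "WARNING: TLS_REQCERT is '$level': the server certificate is not verified" >&2
            return 1 ;;
    esac
    if [ -z "$cadir" ] && [ -z "$cafile" ]; then
        echo "WARNING: neither TLS_CACERTDIR nor TLS_CACERT is set: no trust anchor for verification" >&2
        return 1
    fi
    if [ -n "$cadir" ] && [ ! -d "$cadir" ]; then
        echo "note: TLS_CACERTDIR $cadir does not exist on this host" >&2
    fi
    return 0
}

# Compose the probe from the page: host, base DN and the same filter as the
# SmartSpace "All groups search filter". An optional bind DN adds -D/-W
# (prompt for the password); options must precede the filter for ldapsearch.
ldapsearch_probe() {
    host="$1"; base="$2"; filter="$3"; binddn="$4"
    opts="-H ldaps://$host -x -b \"$base\" -s sub"
    if [ -n "$binddn" ]; then
        opts="$opts -D \"$binddn\" -W"
    fi
    printf 'ldapsearch %s "%s"\n' "$opts" "$filter"
}

# Usage: sh ldaps_check.sh host base_dn filter [bind_dn]
# With fewer than three arguments nothing runs, so the file can be sourced.
if [ "$#" -ge 3 ]; then
    conf="${LDAP_CONF:-/etc/openldap/ldap.conf}"   # assumed default path
    ldap_tls_check "$conf" || echo "fix $conf before trusting a successful probe" >&2
    cmd=$(ldapsearch_probe "$@")
    echo "running: $cmd"
    sh -c "$cmd" || echo "probe failed: retry with -v, or -d 999 for full debug output" >&2
fi
```

Run it as `sh ldaps_check.sh ldapserver.my.domain "dc=example,dc=com" "(objectclass=group)"` on the SmartSpace server; a warning about TLS_REQCERT means a successful search proves only reachability, not that the client is talking to the server whose certificate the CA signed.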

To see extra information about LDAP processing in the Ubisense platform, enable the “ldap” platform monitor stream, and restart the “Visibility/LDAP server interface” service. The logs will then show the LDAP queries executed and what they returned.

If connecting to an OpenLDAP server that requires a user and password, it may be necessary to provide the full distinguished name of the user in the “username” field.