
Ignition Active Directory LDAPS Configuration

To use LDAPS with Active Directory, the Java runtime that Ignition runs in must trust the certificate that each Active Directory domain controller presents on the LDAPS port. In practice this means that Active Directory Certificate Services (AD CS) must be installed and functional in the domain, and that the domain controllers have been issued a server certificate from it (the certificate is issued to the domain controller's FQDN, which matters later for the user source settings).

One way to confirm that AD CS is in use is to open the Local Computer certificate store (certlm.msc) on each server that has Ignition installed. The server must be joined to the domain. Under Trusted Root Certification Authorities > Certificates there should be an entry (usually near the bottom of the list) for the domain's root CA, which in many environments is installed on one of the domain controllers. Domain-joined machines receive this certificate automatically, so if it is present there is no need to import the root CA certificate by hand.

Java does not consult the Windows certificate store by default; it uses its own cacerts trust store. A system environment variable tells the JVM to use the Local Computer root certificate store instead. It can be set through Group Policy or with a single command from an elevated command prompt:

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v "JAVA_TOOL_OPTIONS" /t REG_SZ /d "-Djavax.net.ssl.trustStoreType=WINDOWS-ROOT-LOCALMACHINE" /f

After the value is added (by the command above, by Group Policy, or manually under System Properties), the Ignition service must be restarted; the JVM only reads its environment at startup. Two caveats: JAVA_TOOL_OPTIONS is picked up by every Java process on the machine, not just Ignition, so keep its contents minimal; and the WINDOWS-ROOT-LOCALMACHINE store type exists only in newer JDKs (it was added in JDK 19; earlier releases expose only WINDOWS-ROOT, which reads the current user's store rather than the Local Computer store). If LDAPS connections still fail after the restart, check the gateway's wrapper.log for keystore or SSL handshake errors.

Active Directory user sources can then be configured as usual, with three changes:

  • Primary/Secondary Domain Controllers - Use fully qualified domain names (FQDNs), not IP addresses, and make sure they resolve from the server that Ignition runs on. The name entered here is matched against the domain controller's certificate, which is issued to its FQDN; an IP address would connect but fail hostname verification.
  • Port - Change from 389 to 636 (the LDAPS port).
  • Use SSL - Must be enabled.
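The following PowerShell script is an added example, not part of the Ignition documentation or Inductive Automation's own tooling. It performs the checks above before you touch the user source: each domain controller name is an FQDN that resolves, the DC answers on 636 with a certificate that chains to a trusted root and matches the name (the same two things the JVM verifies), the issuing CA is in the Local Computer store, and JAVA_TOOL_OPTIONS holds the value from the reg add command. The domain controller names are placeholders you pass in, and the Ignition service is located by display name, which is an assumption to confirm with Get-Service. Run it as Administrator on the Ignition server (Windows PowerShell 5.1 or later).

```powershell
<#
  Added example (not from the Ignition docs): LDAPS preflight checks for an
  Ignition Active Directory user source. Run elevated on the Ignition server.
  -DomainController values are placeholders; the service display-name match
  near the end is an assumption, confirm it with Get-Service.
#>
param(
    [Parameter(Mandatory)] [string[]] $DomainController,  # FQDNs, e.g. dc01.corp.example (placeholder)
    [int] $Port = 636,                                    # LDAPS port from the user source settings
    [switch] $SetEnvironment,                             # write JAVA_TOOL_OPTIONS if it is not set
    [switch] $RestartService                              # restart the gateway so the JVM re-reads it
)

$ErrorActionPreference = 'Stop'
# Same value the reg add command above writes to the machine environment.
$JavaToolOptions = '-Djavax.net.ssl.trustStoreType=WINDOWS-ROOT-LOCALMACHINE'

# Opens a TLS session to the DC and reports how Windows judged its certificate.
# SslPolicyErrors covers exactly what the JVM will also check: the chain must
# build to a trusted root, and the name we connected to must match the certificate.
function Test-LdapsCertificate {
    param([string] $HostName, [int] $Port)

    $script:policyErrors = [System.Net.Security.SslPolicyErrors]::None
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $certificate, $chain, $errors)
        $script:policyErrors = $errors
        return $true   # accept for now so the certificate can be inspected; errors are reported below
    }

    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $ssl.Dispose()
    }
    finally { $client.Dispose() }

    # Which Local Computer store holds the issuing CA. "Root" is what the JVM reads
    # through WINDOWS-ROOT-LOCALMACHINE; an issuer found only in CA, or nowhere,
    # means the root CA certificate still has to be imported.
    $issuerStores = Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\CA |
        Where-Object Subject -eq $cert.Issuer |
        ForEach-Object { $_.PSParentPath.Split('\')[-1] }

    [pscustomobject]@{
        Host          = $HostName
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        NotAfter      = $cert.NotAfter
        PolicyErrors  = $script:policyErrors          # None = chain and hostname both check out
        IssuerInStore = ($issuerStores -join ',')     # expect "Root"
    }
}

foreach ($dc in $DomainController) {
    # An IP address never matches the DC certificate (issued to its FQDN), so refuse it up front.
    if ($dc -as [ipaddress]) { throw "Enter the FQDN of $dc, not its IP address." }
    $addresses = Resolve-DnsName -Name $dc -Type A | Where-Object Type -eq 'A' | ForEach-Object IPAddress
    Write-Host "$dc -> $($addresses -join ', ')"
    try {
        Test-LdapsCertificate -HostName $dc -Port $Port | Format-List
    }
    catch {
        # Typically nothing is listening on 636, i.e. the DC has no certificate from AD CS yet.
        Write-Warning "${dc}: $($_.Exception.Message)"
    }
}

$current = [Environment]::GetEnvironmentVariable('JAVA_TOOL_OPTIONS', 'Machine')
if ($current -like '*javax.net.ssl.trustStoreType*') {
    Write-Host "JAVA_TOOL_OPTIONS already sets a trust store type: $current"
}
elseif ($current) {
    # Other JVM options are present; do not clobber them, every JVM on the host reads this variable.
    Write-Warning "JAVA_TOOL_OPTIONS is already '$current'; append '$JavaToolOptions' to it manually."
}
elseif ($SetEnvironment) {
    # Machine scope writes the same registry value as the reg add command.
    [Environment]::SetEnvironmentVariable('JAVA_TOOL_OPTIONS', $JavaToolOptions, 'Machine')
    Write-Host 'JAVA_TOOL_OPTIONS set; the Ignition service must be restarted to pick it up.'
}
else {
    Write-Warning 'JAVA_TOOL_OPTIONS is not set; rerun with -SetEnvironment or use the reg add command.'
}

if ($RestartService) {
    # Display-name match is an assumption; check the exact service name with Get-Service first.
    Get-Service -DisplayName '*Ignition*' | Restart-Service -Verbose
}
```

Run it as `.\Test-IgnitionLdaps.ps1 -DomainController dc01.corp.example,dc02.corp.example` (placeholder names). For each DC you want `PolicyErrors : None` and `IssuerInStore : Root`; `RemoteCertificateNameMismatch` means the name you entered is not what the certificate was issued to, and `RemoteCertificateChainErrors` with an empty `IssuerInStore` means the root CA certificate has not reached this server and must be imported. Only once those pass is there any point in restarting the service with `-SetEnvironment -RestartService`.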