This section explains how to configure the authentication.properties file settings that enable Blackboard Learn, using LDAP authentication, to communicate with an LDAP server over TLS. No extra entries need to be added to the authentication.properties file; the administrator only needs to set the properties in the table below correctly.

| Property | Description |
|---|---|
| auth.type.ldap.server_url.x | When the LDAP server is set up to communicate over TLS, this property should be: ldap://directory.university.edu. Administrators may need to append the port number, depending on the configuration. |
| auth.type.ldap.server_ssl.x | Must be set to "true" or "false". If set to "true", the module attempts to connect to the LDAP directory using TLS. The LDAP server must be set up to accept TLS connections. |
Run PushConfigUpdates after editing the properties file. To learn more, see PushConfigUpdates. Finally, copy the JSSE, JNET, and JCERT files from apps/tomcat/systemlib into the $JAVA_HOME/jre/lib/ext directory as shown in the next section.
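Before running PushConfigUpdates it is worth checking that every LDAP server index in the file actually has its server_ssl flag set to "true", since a server left at "false" (or with the flag missing) will receive the bind credentials in cleartext. The following shell script is an added example, not Blackboard's own tooling: it parses the two property names shown in the table above and reports each configured server. The sample properties file it writes is constructed for illustration.

```shell
#!/bin/sh
# Added example, not Blackboard's own code: audit an authentication.properties
# file and flag every LDAP server index whose server_ssl flag is not "true".
# It assumes only the property names shown on this page; the sample file is
# constructed for illustration.

# check_ldap_tls_props FILE
# Prints one line per configured LDAP server and returns 0 only when every
# server has auth.type.ldap.server_ssl.N=true. A server with the flag missing
# or set to anything else is reported as PLAINTEXT, because the bind
# credentials would then travel to that server unencrypted.
check_ldap_tls_props() {
    awk '
        {
            line = $0
            # skip comments and blank lines
            if (line ~ /^[[:space:]]*[#!]/ || line ~ /^[[:space:]]*$/) next
            eq = index(line, "=")
            if (eq == 0) next
            key = substr(line, 1, eq - 1)
            val = substr(line, eq + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
        }
        key ~ /^auth\.type\.ldap\.server_url\.[0-9]+$/ {
            n = key; sub(/.*\./, "", n); url[n] = val
        }
        key ~ /^auth\.type\.ldap\.server_ssl\.[0-9]+$/ {
            n = key; sub(/.*\./, "", n); ssl[n] = tolower(val)
        }
        END {
            bad = 0
            for (n in url) {
                s = (n in ssl) ? ssl[n] : "unset"
                if (s == "true") status = "OK"
                else { status = "PLAINTEXT"; bad = 1 }
                printf "server %s: %s server_ssl=%s %s\n", n, url[n], s, status
            }
            exit bad
        }' "$1"
}

# write_sample_props FILE
# Writes a constructed sample: server 1 is correct, server 2 explicitly
# disables TLS, and server 3 never sets the flag at all.
write_sample_props() {
    cat > "$1" <<'EOF'
# constructed sample, not a real deployment
auth.type.ldap.server_url.1 = ldap://directory.university.edu
auth.type.ldap.server_ssl.1 = true
auth.type.ldap.server_url.2=ldap://backup.university.edu:389
auth.type.ldap.server_ssl.2=false
auth.type.ldap.server_url.3=ldap://legacy.university.edu
EOF
}

# Stand-alone demo: audit the sample and report the verdict.
demo_props=$(mktemp)
write_sample_props "$demo_props"
if check_ldap_tls_props "$demo_props"; then
    echo "all LDAP servers use TLS"
else
    echo "at least one LDAP server is configured without TLS; fix it before running PushConfigUpdates"
fi
rm -f "$demo_props"
```

Run the check against the real file with check_ldap_tls_props /path/to/authentication.properties; a non-zero exit makes it easy to wire into a pre-deployment script so that PushConfigUpdates is not run while a server is still configured without TLS.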
Configure LDAP authentication with TLS for the Java Runtime Environment (JRE)
- Copy the following three files to the JAVA_HOME\jre\lib\ext directory:
- Add the following to the JAVA_HOME/jre/lib/security/java.security file:
- If there are already security providers listed, and the first one is sun.security.provider.Sun, a security.provider.X entry should be added to the end of the list.
- Import the LDAP server's signed public TLS certificate. Administrators configuring a fresh install of Blackboard Learn should import a certificate for each LDAP server into the application server's repository of trusted certificates. This is done with the keytool utility.
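The keytool step above can be scripted so that each LDAP server's certificate is imported under a predictable alias and the import is verified afterwards. The script below is an added example and not Blackboard's own; it assumes JAVA_HOME is set, that the trust store is the JRE cacerts file at the path this page uses, that its password is the JDK default "changeit", and that the "ldap-<host>" alias scheme is a convention chosen here. The fingerprint helper exists so the imported certificate can be compared with what the directory administrators published before the Learn server starts trusting it.

```shell
#!/bin/sh
# Added example, not Blackboard's own script: import an LDAP server's TLS
# certificate into a Java trust store with keytool and verify the entry.
# Assumptions: JAVA_HOME is set, the trust store is the JRE cacerts file at
# the path this page uses, its password is the JDK default "changeit", and
# the alias scheme "ldap-<host>" is a convention chosen here.

default_store() {
    echo "${JAVA_HOME:?JAVA_HOME must be set}/jre/lib/security/cacerts"
}

# import_ldap_cert HOST CERT_FILE [TRUSTSTORE] [STOREPASS]
# Adds the certificate as a trusted entry. Obtain the certificate file from
# the directory administrators and compare its fingerprint with them before
# importing; everything in this store is trusted for every TLS connection
# the JRE makes, not just LDAP.
import_ldap_cert() {
    host=$1; cert=$2
    store=${3:-$(default_store)}; pass=${4:-changeit}
    keytool -importcert -noprompt -trustcacerts \
        -alias "ldap-$host" -file "$cert" \
        -keystore "$store" -storepass "$pass"
}

# ldap_cert_trusted HOST [TRUSTSTORE] [STOREPASS]
# Returns 0 when the store contains an entry for the host, non-zero otherwise.
ldap_cert_trusted() {
    host=$1
    store=${2:-$(default_store)}; pass=${3:-changeit}
    keytool -list -keystore "$store" -storepass "$pass" \
        -alias "ldap-$host" >/dev/null 2>&1
}

# ldap_cert_fingerprint HOST [TRUSTSTORE] [STOREPASS]
# Prints the stored certificate's SHA-256 fingerprint for out-of-band comparison.
ldap_cert_fingerprint() {
    host=$1
    store=${2:-$(default_store)}; pass=${3:-changeit}
    keytool -list -v -keystore "$store" -storepass "$pass" -alias "ldap-$host" \
        | sed -n 's/^[[:space:]]*SHA256: *//p'
}

# Usage on a real application server (not executed here):
#   import_ldap_cert directory.university.edu /path/to/directory.crt
#   ldap_cert_trusted directory.university.edu && echo "directory.university.edu is trusted"
#   ldap_cert_fingerprint directory.university.edu
```

Repeat import_ldap_cert once per LDAP server configured in authentication.properties, then restart Learn so the JRE reloads the trust store; if ldap_cert_trusted fails for a host, the TLS handshake to that server will also fail.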
Configure error messages for LDAP
The default error message does not report the cause of the error to the user when LDAP Authentication fails. Use the auth.type.ldap.context_factory property to display contextual error messages to users.
For each LDAP server configured, set the auth.type.ldap.context_factory property. This property references the class used to create contexts, which must be server-specific. The options are:
- Any server that supports the Netscape password policy response controls spec: any variant of Netscape Directory Server, including RedHat, SunONE, OpenLDAP, and others.
- Any server that supports the IETF standard password policy attributes (passwordExpirationTime) but not response controls, for example, Novell Directory Server.
The PasswordPolicyContextFactory is used by default. If the PasswordPolicyContextFactory is used, the authentication module must be configured with a valid privileged user (one that can search for and read the passwordExpirationTime attribute of any user) for the proper error message to be shown.