Documentation for Crowd 1.5. Documentation for other versions of Crowd is available too.

You can configure Crowd to work with Microsoft Active Directory by setting up an LDAP connector in Crowd. If you wish to use Crowd to add users or change passwords in Active Directory, you will need to install an SSL certificate generated by your Active Directory server and then install the certificate into your JVM keystore.

On this page:

Prerequisites

Make sure that you have the following installed on your Windows server (domain controller):

必要なコンポーネント

説明

Windows 2000 Service Pack 2

Windows 2000 を使用する場合に必要です。

Internet Information Services (IIS)

Windows Certificate Services をインストールする前に必要とされるものです。

Windows Certificate Services

This installs a certification authority (CA) which is used to issue certificates.

Windows 2000 High Encryption Pack (128-bit)

Windows 2000 を使用する場合に必要です。利用可能な最高度の暗号化レベル(128 -ビット)を提供します。

Step 1. Install the Microsoft Certificate Services

  1. Using the Active Directory Control Panel – Add/Remove Programs administration tool:
    • Select 'Add/Remove Windows Components' to start the Windows Components Wizard.
    • Place check marks next to 'Certificate Services' and 'Internet Information Services (IIS)'.
    • Click 'Next>'.




  2. Select 'Enterprise root CA' Certificate Authority Type and click 'Next>'.



  3. Enter a 'CA name' (server name) and click 'Next>'. On Windows Server 2003, this is the 'Common name for this CA'.



  4. Leave the 'Data Storage Locations' as default and click 'Next>'.



  5. The software installation process is complete. Click 'Finish'.



  6. Click 'OK' to restart IIS.



  7. You will now need to restart your Microsoft Active Directory Server.

ステップ 2.サーバー証明書の取得

The steps above describe how to install the certification authority (CA) on your Microsoft Active Directory server. Next, you will need to add the Microsoft Active Directory server's SSL certificate to the list of accepted certificates used by the JDK that runs your Crowd server.

The Active Directory certificate is automatically generated and placed in root of the C:\ drive, matching a file format similar to the tree structure of your Active Directory server, e.g. c:\crowd-ad2000.ad01.crowd.atlassian.com_ad01.crt.

また、Active Directory サーバー上で、次のコマンドを実行することにより、証明書をエクスポートできます。

certutil -ca.cert crowd-client.crt

ステップ 3.サーバー証明書のインポート

For a Crowd server to trust your directory's certificate, the certificate must be imported into your Java runtime environment. The JDK stores trusted certificates in a file called a keystore. The default keystore file is called cacerts and it lives in the lib\security sub-directory of your Java installation.

In the following examples, we use server-certificate.crt to represent the certificate file exported by your Directory Server. You will need to alter the instructions below to match the name actually generated.

Windows

  1. Java がインストールされているディレクトリに移動します。このディレクトリは、C:\Program Files\Java\jdk1.5.0_12 のようになります。
  2. Run the command below, where server-certificate.crt is the name of the file from your directory server: 
    keytool -import -keystore .\lib\security\cacerts -file server-certificate.crt
  3. keytool からパスワードの入力を求められます。既定のキーストア パスワードは changeit です。
  4. When prompted Trust this certificate? [no]: enter yes to confirm the key import: 
    Enter keystore password:changeit
Owner: CN=ad01, C=US
Issuer: CN=ad01, C=US
Serial number: 15563d6677a4e9e4582d8a84be683f9
Valid from: Tue Aug 21 01:10:46 ACT 2007 until: Tue Aug 21 01:13:59 ACT 2012
Certificate fingerprints:
MD5:D6:56:F0:23:16:E3:62:2C:6F:8A:0A:37:30:A1:84:BE
SHA1: 73:73:4E:A6:A0:D1:4E:F4:F3:CD:CE:BE:96:80:35:D2:B4:7C:79:C1
Trust this certificate? [no]:yes
Certificate was added to keystore

You may now use the Secure SSL option when using Crowd to connect to your directory.

Unix

  1. Navigate to the directory in which Java is installed. cd $JAVA_HOME will usually get you there.
  2. Run the command below, where server-certificate.crt is the name of the file from your directory server: 
    sudo keytool -import -keystore ./lib/security/cacerts -file server-certificate.crt
  3. keytool からパスワードの入力を求められます。既定のキーストア パスワードは changeit です。
  4. When prompted Trust this certificate? [no]: enter yes to confirm the key import: 
    Password:
Enter keystore password:changeit
Owner: CN=ad01, C=US
Issuer: CN=ad01, C=US
Serial number: 15563d6677a4e9e4582d8a84be683f9
Valid from: Tue Aug 21 01:10:46 ACT 2007 until: Tue Aug 21 01:13:59 ACT 2012
Certificate fingerprints:
MD5:D6:56:F0:23:16:E3:62:2C:6F:8A:0A:37:30:A1:84:BE
 SHA1: 73:73:4E:A6:A0:D1:4E:F4:F3:CD:CE:BE:96:80:35:D2:B4:7C:79:C1
Trust this certificate? [no]:yes
Certificate was added to keystore

You may now use the Secure SSL option when using Crowd to connect to your directory.

Mac OS X

  1. Navigate to the directory in which Java is installed. This is usually /Library/Java/Home.
  2. Run the command below, where server-certificate.crt is the name of the file from your directory server: 
    sudo keytool -import -keystore ./lib/security/cacerts -file server-certificate.crt
  3. keytool からパスワードの入力を求められます。既定のキーストア パスワードは changeit です。
  4. When prompted Trust this certificate? [no]: enter yes to confirm the key import: 
    Password:
Enter keystore password:changeit
Owner: CN=ad01, C=US
Issuer: CN=ad01, C=US
Serial number: 15563d6677a4e9e4582d8a84be683f9
Valid from: Tue Aug 21 01:10:46 ACT 2007 until: Tue Aug 21 01:13:59 ACT 2012
Certificate fingerprints:
MD5:D6:56:F0:23:16:E3:62:2C:6F:8A:0A:37:30:A1:84:BE
 SHA1: 73:73:4E:A6:A0:D1:4E:F4:F3:CD:CE:BE:96:80:35:D2:B4:7C:79:C1
Trust this certificate? [no]:yes
Certificate was added to keystore

You may now use the Secure SSL option when using Crowd to connect to your directory.
関連トピック

Microsoft Active Directory
Configuring Crowd to Work with SSL





Except where otherwise noted, content in this space is licensed under a Creative Commons Attribution 2.5 Australia License.