Configure Encrypted Channel to LDAP External Identity Store
Tableau Server that is configured to connect to an external LDAP identity store must query the LDAP directory and establish a session. The process of establishing a session is called binding. There are multiple ways to bind. Tableau Server supports two methods of binding to an LDAP directory:
- Simple bind: Establishes a session by authenticating with a username and password. By default, LDAP with simple bind is not encrypted, so the bind credentials and all directory traffic cross the network in clear text. If you are configuring LDAP with simple bind, we strongly recommend that you enable LDAP over SSL/TLS.
- GSSAPI bind: GSSAPI uses Kerberos to authenticate. When configured with a keytab file, authentication is secure during GSSAPI bind. However, the subsequent traffic to the LDAP server is not encrypted. We recommend configuring LDAP over SSL/TLS.
If you are running Tableau Server on Windows on a computer that is joined to an Active Directory domain, then you do not need to configure GSSAPI. Tableau Server GUI Setup will detect and configure the Active Directory connection for you using Kerberos. See Configure Initial Node Settings. Do not run LDAP with simple bind for Active Directory communications.
This topic describes how to encrypt the channel for simple LDAP bind for communications between Tableau Server and LDAP directory servers.
Certificate requirements
- You must have a valid PEM-encoded X.509 SSL/TLS certificate that can be used for encryption. The certificate file must have the extension .crt.
- Self-signed certificates are not supported.
- The certificate you install must include Key Encipherment in the key usage field to be used for SSL/TLS. Tableau Server uses this certificate only to encrypt the channel to the LDAP server; it does not validate the expiry, trust chain, CRL status, or other attributes. Check those yourself before importing the certificate.
- If you are running Tableau Server in a distributed deployment, then you must manually copy the SSL certificate to each node in the cluster. Copy the certificate only to those nodes where the Tableau Server Application Server process is configured. Unlike other shared files in a cluster environment, the SSL certificate used for LDAP will not be automatically distributed by the Client File Service.
- If you are using an internal PKI or a certificate that was not issued by a public third-party CA, upload the CA root certificate to the Java trust store.
Import certificate into the Tableau keystore
If you do not already have certificates in place on your computer that are configured for the LDAP server, then you must obtain an SSL/TLS certificate for the LDAP server and import it into the Tableau system keystore.
Use the "keytool" Java tool to import certificates. In a default installation, this tool is installed with Tableau Server at C:\Program Files\Tableau\Tableau Server\packages\repository.<version>\jre\bin\keytool.exe.
Run the following command as administrator to import the certificate (you must replace the <variables> for your environment):
"C:\Program Files\Tableau\Tableau Server\packages\repository.<version>\jre\bin\keytool.exe" -importcert -file "C:\Program Files\Tableau\Tableau Server\<LDAP-certificate-file>.crt" -alias "<ldapserver.name>" -keystore "C:\ProgramData\Tableau\Tableau Server\tableauservicesmanagerca.jks" -storepass changeit -noprompt
The password for the Java keystore is changeit. (Do not change the password for the Java keystore.)
LDAPS encryption method
Tableau Server supports LDAPS for encrypting the LDAP channel for simple bind.
Secure LDAP, or LDAPS, is a standard encrypted channel that requires configuration. Specifically, in addition to a TLS certificate on Tableau Server, you must set the host name and the secure LDAP port for the target LDAP server.
Configure encrypted channel for simple bind
If your organization uses an LDAP directory other than Active Directory, then follow the procedure in this section to configure Tableau Server to use an encrypted channel for LDAP simple bind.
When to configure
You must configure Tableau Server to use an encrypted channel for LDAP simple bind before Tableau Server is initialized or as part of configuring the initial node as mentioned in the “Use the TSM CLI” tab in Configure Initial Node Settings.
For new installations of Tableau Server
If your organization uses an LDAP directory other than Active Directory, then you cannot use the TSM GUI Setup to configure the identity store as part of Tableau Server installation. Instead, you must use JSON entity files to configure the LDAP identity store. See identityStore Entity.
Before you configure the identityStore entity, import a valid SSL/TLS certificate into the Tableau key store as documented earlier in this topic.
Configuring LDAPS requires setting the hostname and sslPort options in the identityStore JSON file.
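The following PowerShell script is an added example, not a script shipped with Tableau Server, that walks the whole procedure above on a single node: it checks the certificate against the requirements listed earlier (.crt extension, PEM encoding, not self-signed, Key Encipherment in key usage), imports it into the Tableau keystore with keytool, confirms the alias is present, confirms the LDAP server answers on its secure port, and then writes an identityStore entity with hostname and sslPort set and imports it with TSM. The repository version folder, certificate path, LDAP host name, domain, bind account and port are placeholders you must replace; the identityStore fields other than hostname and sslPort are assumed and should be checked against the identityStore Entity reference for your version.

```powershell
# Added example: LDAPS pre-flight, keystore import and identityStore entity for simple bind.
# Run from an elevated PowerShell prompt on the node. All values below are placeholders.
$Version  = '<version>'                                                  # assumed: repository.<version> folder under packages\
$CertPath = 'C:\Program Files\Tableau\Tableau Server\ldap-server.crt'    # assumed certificate path
$LdapHost = 'ldap.example.com'                                           # assumed LDAP server host name
$SslPort  = 636                                                          # assumed secure LDAP port
$Keytool  = "C:\Program Files\Tableau\Tableau Server\packages\repository.$Version\jre\bin\keytool.exe"
$Keystore = 'C:\ProgramData\Tableau\Tableau Server\tableauservicesmanagerca.jks'

# 1. Check the certificate requirements before touching the keystore.
if ([System.IO.Path]::GetExtension($CertPath) -ne '.crt') {
    throw "Certificate file must use the .crt extension: $CertPath"
}
if ((Get-Content -Path $CertPath -Raw) -notmatch '-----BEGIN CERTIFICATE-----') {
    throw 'Certificate must be PEM-encoded (no BEGIN CERTIFICATE block found)'
}
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
# A subject that equals its issuer is the usual sign of a self-signed certificate.
if ($cert.Subject -eq $cert.Issuer) {
    throw "Self-signed certificates are not supported (subject equals issuer: $($cert.Subject))"
}
$ku = $cert.Extensions |
      Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] } |
      Select-Object -First 1
$keyEncipherment = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment
if (-not $ku -or -not $ku.KeyUsages.HasFlag($keyEncipherment)) {
    throw 'Certificate key usage must include Key Encipherment'
}
# Tableau Server does not check expiry itself, so check it here before importing.
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate expired on $($cert.NotAfter); obtain a current one before importing"
}

# 2. Import into the Tableau keystore. The keystore password is the fixed value changeit.
& $Keytool -importcert -file $CertPath -alias $LdapHost -keystore $Keystore -storepass changeit -noprompt
if ($LASTEXITCODE -ne 0) { throw "keytool import failed with exit code $LASTEXITCODE" }

# 3. Confirm the alias now exists in the keystore.
& $Keytool -list -keystore $Keystore -storepass changeit -alias $LdapHost
if ($LASTEXITCODE -ne 0) { throw "Alias $LdapHost not found in $Keystore after import" }

# 4. Confirm the directory server is reachable on the secure port before TSM tries to bind.
if (-not (Test-NetConnection -ComputerName $LdapHost -Port $SslPort -InformationLevel Quiet)) {
    throw "Cannot reach ${LdapHost}:$SslPort; check the LDAPS listener and firewall rules"
}

# 5. Build the identityStore entity. hostname and sslPort are the LDAPS settings named in the
#    topic; the remaining field names and values are assumptions to confirm against the
#    identityStore Entity reference for your version.
$identityStore = @{
    configEntities = @{
        identityStore = @{
            _type    = 'identityStoreType'
            type     = 'ldap'
            domain   = 'example.com'                                       # assumed
            hostname = $LdapHost
            sslPort  = "$SslPort"
            bind     = 'simple'
            username = 'cn=tableau-bind,ou=service,dc=example,dc=com'      # assumed bind DN
            password = (Read-Host -Prompt 'Bind account password')
        }
    }
}
# ASCII output avoids the UTF-8 BOM that Windows PowerShell 5.1 writes with -Encoding UTF8.
$JsonPath = Join-Path $env:TEMP 'identityStore.json'
$identityStore | ConvertTo-Json -Depth 5 | Set-Content -Path $JsonPath -Encoding ASCII

# 6. Apply through TSM. On a new install this runs before tsm initialize, as described in the
#    "Use the TSM CLI" tab of Configure Initial Node Settings.
tsm settings import -f $JsonPath
tsm pending-changes apply

# The file holds the bind password in clear text; remove it once TSM has consumed it.
Remove-Item -Path $JsonPath
```

In a distributed deployment, run steps 1 to 3 on every node that hosts the Application Server process, since the LDAP certificate is not distributed by the Client File Service; steps 5 and 6 are run once, from the initial node.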