# LDAP Authentication on-premise

When hosting the system on-premise, additional configuration is required to enable LDAP / Active Directory authentication.

---

### <span role="text">**Tomcat Service Account**</span>

The application server (Tomcat) must run under a user account that has permission to query Active Directory.

- Configure the Tomcat service to run as a dedicated **Active Directory user**
- Ensure this user has: 
    - Read access to the directory
    - Permission to perform user lookups

---

### <span role="text">**LDAPS Certificate Configuration**</span>

If you are using **LDAPS (recommended)**, the LDAP server’s SSL certificate must be trusted by Java.

You must import the LDAP server certificate into the Java **keystore (truststore)** used by Tomcat.

---

### <span role="text">**Steps to Import Certificate**</span>

1. Export the SSL certificate from your LDAP / Domain Controller
2. Import the certificate into the Java keystore using:

    ```sh
    # keytool prompts for the keystore password and then asks you to confirm the trust
    keytool -importcert \
      -alias ldap-cert \
      -file ldap_certificate.crt \
      -keystore $JAVA_HOME/lib/security/cacerts
    ```

3. Restart Tomcat after importing the certificate
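The three steps above as one script. This is an added example, not part of the original page or of the product's own tooling: it pulls the certificate chain the domain controller presents on port 636 with `openssl s_client`, keeps the issuing certificate, and imports it into the `cacerts` truststore of the given `JAVA_HOME` with `keytool`. The host name, the alias `ldap-cert`, the `STOREPASS` variable and the helper names are assumptions; `openssl` and `keytool` must be on `PATH`.

```sh
#!/bin/sh
# Added example (not from the page): fetch the chain a domain controller
# presents on LDAPS and import the issuing certificate into the cacerts
# truststore of the Java runtime that runs Tomcat.
# Assumptions: openssl and keytool are on PATH; the truststore password is
# supplied in STOREPASS (confirm it with your administrator, as the page says).

# Locate cacerts under a JAVA_HOME. Java 9+ keeps it at lib/security/cacerts
# (the path the page uses); a Java 8 JDK keeps it at jre/lib/security/cacerts.
resolve_cacerts() {
    if [ -f "$1/lib/security/cacerts" ]; then
        printf '%s\n' "$1/lib/security/cacerts"
    elif [ -f "$1/jre/lib/security/cacerts" ]; then
        printf '%s\n' "$1/jre/lib/security/cacerts"
    else
        return 1
    fi
}

# Split a PEM bundle read from stdin into <prefix>-1.pem, <prefix>-2.pem, ...
# Text between certificates (openssl's handshake chatter) is dropped.
# Prints how many certificates were written.
split_pem_chain() {
    prefix="$1"; n=0; out=""
    while IFS= read -r line; do
        if [ "$line" = "-----BEGIN CERTIFICATE-----" ]; then
            n=$((n + 1)); out="$prefix-$n.pem"; : > "$out"
        fi
        if [ -n "$out" ]; then
            printf '%s\n' "$line" >> "$out"
        fi
        if [ "$line" = "-----END CERTIFICATE-----" ]; then
            out=""
        fi
    done
    printf '%s\n' "$n"
}

# Dump the chain the server sends. The last certificate is the issuing CA when
# the DC presents its chain, otherwise the DC's own certificate. Trusting the
# CA survives the DC's certificate renewal; trusting only the leaf does not.
fetch_chain() {
    openssl s_client -connect "$1:$2" -showcerts </dev/null 2>/dev/null \
        | split_pem_chain "$3"
}

# Import unless the alias already exists (keytool refuses duplicate aliases).
import_cert() {
    keystore="$1"; alias="$2"; certfile="$3"; storepass="$4"
    if keytool -list -keystore "$keystore" -storepass "$storepass" \
               -alias "$alias" >/dev/null 2>&1; then
        echo "alias '$alias' already exists in $keystore, skipping import"
        return 0
    fi
    keytool -importcert -noprompt -alias "$alias" -file "$certfile" \
            -keystore "$keystore" -storepass "$storepass"
}

main() {
    dc_host="$1"; java_home="$2"; alias="${3:-ldap-cert}"
    storepass="${STOREPASS:?set STOREPASS to the cacerts password}"
    keystore=$(resolve_cacerts "$java_home") \
        || { echo "no cacerts found under $java_home" >&2; return 1; }
    work=$(mktemp -d)
    n=$(fetch_chain "$dc_host" 636 "$work/cert")
    [ "$n" -gt 0 ] || { echo "no certificate received from $dc_host:636" >&2; return 1; }
    import_cert "$keystore" "$alias" "$work/cert-$n.pem" "$storepass"
    keytool -list -keystore "$keystore" -storepass "$storepass" -alias "$alias"
    echo "Restart Tomcat: the running JVM loaded $keystore at startup."
}

# Usage (assumed host and JDK path):
#   STOREPASS=... sh import_ldaps_cert.sh dc01.example.local /usr/lib/jvm/java-17
if [ "$#" -ge 2 ]; then main "$@"; fi
```

The script imports the last certificate in the chain on purpose: when the domain controller sends its full chain, that entry is the issuing CA, and the truststore keeps working after the DC's own certificate is renewed. If the DC sends only its leaf certificate, the leaf is what gets imported, and the import has to be repeated at the next renewal.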

---

### <span role="text">**Steps Using Portecle**</span>

1. Download and start **Portecle**
2. Open the Java keystore: 
    - Path:  
        `$JAVA_HOME/lib/security/cacerts`
3. Enter the keystore password  
    *(Note: the default password `cacerts` is often changed in secure environments)*
4. Import the LDAP / Active Directory certificate: 
    - Go to **Tools → Import Trusted Certificate**
    - Select your exported certificate file (e.g., `.crt`)
5. Assign an alias (e.g., `ldap-cert`)
6. Save the keystore
7. Restart Tomcat

---

### <span role="text">**Important Notes**</span>

- The default Java keystore password (`cacerts`) is **often changed** in secure environments  
    → Please confirm the correct password with your system administrator
- If the certificate is not trusted: 
    - LDAPS connections will fail
    - Authentication will not work
- Ensure the correct Java runtime is used (the one running Tomcat)
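A check for the last two notes, added here as an example that is not from the page or the product: it locates the JVM behind the running Tomcat process, works out which truststore that JVM consults (an explicit `-Djavax.net.ssl.trustStore=` on the command line replaces `cacerts`, so an import into `cacerts` is silently ignored in that case), and then verifies with `openssl` that the chain the domain controller presents validates against the imported entry. Linux with `pgrep`/`ps`, `openssl` and `keytool` on `PATH`, the alias `ldap-cert` and the `STOREPASS` variable are assumptions.

```sh
#!/bin/sh
# Added example (not from the page): find the JVM a running Tomcat actually
# uses, work out which truststore that JVM consults, and verify that the
# domain controller's LDAPS chain validates against the imported entry.
# Assumptions: Linux with pgrep/ps, openssl and keytool on PATH, the alias
# from the import steps (ldap-cert), the truststore password in STOREPASS.

# Command line of the running Tomcat JVM (Tomcat's main class is Bootstrap).
tomcat_cmdline() {
    pid=$(pgrep -f 'org.apache.catalina.startup.Bootstrap' | head -n 1)
    [ -n "$pid" ] || return 1
    ps -o args= -p "$pid"
}

# A JVM started with -Djavax.net.ssl.trustStore=... does not consult cacerts,
# so a certificate imported into cacerts never reaches it. Print that path
# if the property is present.
explicit_truststore() {
    for arg in $1; do
        case "$arg" in
            -Djavax.net.ssl.trustStore=*)
                printf '%s\n' "${arg#-Djavax.net.ssl.trustStore=}"; return 0 ;;
        esac
    done
    return 1
}

# JAVA_HOME for a java binary path, e.g. /usr/lib/jvm/java-17/bin/java.
java_home_from_binary() {
    case "$1" in
        */jre/bin/java) printf '%s\n' "${1%/jre/bin/java}" ;;
        */bin/java)     printf '%s\n' "${1%/bin/java}" ;;
        *)              return 1 ;;
    esac
}

# Export the trusted entry to PEM and let openssl validate the chain the DC
# presents against it: the same trust decision the JVM has to make.
check_ldaps_trust() {
    host="$1"; port="$2"; keystore="$3"; storepass="$4"; alias="$5"
    ca=$(mktemp)
    keytool -exportcert -rfc -alias "$alias" -keystore "$keystore" \
            -storepass "$storepass" -file "$ca" >/dev/null || return 1
    openssl s_client -connect "$host:$port" -CAfile "$ca" -verify_return_error \
        </dev/null 2>/dev/null | grep -q 'Verify return code: 0 (ok)'
}

main() {
    dc_host="$1"; alias="${2:-ldap-cert}"
    storepass="${STOREPASS:?set STOREPASS to the truststore password}"
    cmd=$(tomcat_cmdline) || { echo "no running Tomcat found" >&2; return 1; }
    bin=${cmd%% *}
    case "$bin" in */*) ;; *) bin=$(command -v "$bin") ;; esac
    bin=$(readlink -f "$bin")          # follow /usr/bin/java to the real JDK
    if store=$(explicit_truststore "$cmd"); then
        echo "Tomcat sets its own truststore: $store (cacerts is not consulted)"
    else
        home=$(java_home_from_binary "$bin") \
            || { echo "unexpected java path: $bin" >&2; return 1; }
        store="$home/lib/security/cacerts"
        [ -f "$store" ] || store="$home/jre/lib/security/cacerts"
        echo "Tomcat runs on $bin; truststore: $store"
    fi
    if check_ldaps_trust "$dc_host" 636 "$store" "$storepass" "$alias"; then
        echo "OK: $dc_host:636 chain validates against alias '$alias' in $store"
    else
        echo "FAIL: $dc_host:636 is not trusted via alias '$alias' in $store" >&2
        return 1
    fi
}

# Usage (assumed host): STOREPASS=... sh check_ldaps_trust.sh dc01.example.local
if [ "$#" -ge 1 ]; then main "$@"; fi
```

Reading the truststore off the live process rather than from the shell's `JAVA_HOME` is the point: the Java on `PATH` is frequently not the one the Tomcat service was started with, and that mismatch is the usual reason an import that "worked" still leaves LDAPS failing.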

---

### <span role="text">**Recommendation**</span>

- Always use **LDAPS (port 636)** instead of plain LDAP for secure communication
- Use a **dedicated service account** rather than a personal user account