By default, LDAP communication between client and server applications (port 389) is not encrypted, so anyone with a network monitoring device or software in the path can read the traffic between LDAP clients and the domain controller. (Windows clients usually negotiate SASL signing and sealing over Kerberos on 389, but many Linux tools and applications use a simple bind, which sends the password in the clear.) LDAP over SSL/TLS (LDAPS, port 636, and 3269 for the Global Catalog) becomes available on a domain controller as soon as a suitable server-authentication certificate is present in its local machine store; with an Active Directory Certificate Services public key infrastructure (PKI) and an Enterprise Certificate Authority (CA), that usually happens through autoenrollment. In this post I won't cover installing and configuring the PKI itself; I'll concentrate on enabling LDAPS on Windows and configuring a secure connection to Windows domain controllers from Linux machines using SSL certificates.
Creating Certificate templates
On the issuing certificate authority, open the Certification Authority console, right-click Certificate Templates and select Manage.

The Certificate Templates console opens; right-click the Kerberos Authentication template and select Duplicate Template. This template is the right starting point because it carries both the Server Authentication and KDC Authentication purposes and adds the domain's DNS and NetBIOS names to the subject alternative name alongside the DC's FQDN, which is what LDAPS and Kerberos clients check.

On the Compatibility tab, make sure Windows Server 2003 is specified under Compatibility Settings.

On the Request Handling tab, make sure Purpose is set to Signature and encryption.

If you plan to import the certificate into the Active Directory Domain Services certificate store (the NTDS\Personal store), you should also mark the private key as exportable. Otherwise leave it non-exportable: an exportable key can be copied off the domain controller together with the certificate.
On the General tab, set the validity period and the template display name.

On the Subject Name tab, make sure DNS name and Service principal name (SPN) are checked under Include this information in alternate subject name.

On the Security tab, make sure Domain Controllers is listed with Read, Enroll and (if you want the template enrolled automatically) Autoenroll set to Allow.

Once everything is set, click OK. Back in the Certification Authority console, right-click Certificate Templates and select New > Certificate Template to Issue.

Select the template and click OK.

Exporting Certification authority (CA) certificate
The issuing CA's name is written into every certificate it issues, so we need to export the issuing CA's own certificate (from its Personal store) and transfer it to the Linux machine. This certificate will be used to validate the domain controller certificate we enroll in the next steps.
Open the local computer certificate store (Start > Run > certlm.msc).
Expand Personal, right-click Certificates and select All Tasks > Export.

Select No, do not export the private key; for the format select Base-64 encoded X.509 (.CER). Base-64 is PEM, the encoding OpenSSL and Apache's mod_ldap read directly.

Save the certificate to a file with a .cer extension and move it to the Linux machine.
Enrolling certificate to Domain Controller
Now we need to enroll a certificate from the template we just published on the CA. Go to the domain controller and open the local computer certificate store (Start > Run > certlm.msc).
Expand Personal, right-click Certificates and select All Tasks > Request New Certificate.

Click Next twice, select the template we just published and click Enroll.

Exporting Domain controller certificate to Linux machine
Now we need to export the enrolled certificate and copy it to the Linux machine.
Right-click the certificate we just enrolled and select All Tasks > Export.

Select No, do not export the private key; for the format select Base-64 encoded X.509 (.CER).

Save the certificate as a .cer file and move it to the Linux machine.
Exporting Trusted Root Certification authority (CA) certificate
If you're using an intermediate (issuing) CA, as in my case, you also need to export the root CA certificate: in the computer certificate store, expand Trusted Root Certification Authorities, click Certificates, right-click the root certificate and select Export. The root is the trust anchor OpenSSL and mod_ldap need. The domain controller sends the issuing CA certificate during the TLS handshake, so the root alone is enough for a live connection, but putting the issuing CA certificate into the Linux trust store as well lets you verify the exported dc.cer offline.

Export it the same way as in the previous steps.
Testing LDAPS connection – Windows
Before moving to Linux, let's first test the LDAP over SSL connection on Windows.
On the domain controller, from a command prompt run ldp.exe, then click Connection > Connect...

Type the DNS name, port 636, check SSL and click OK.

If all is OK, the connection should be successful:
ld = ldap_sslinit("dc.example.local", 636, 1);
Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 0 = ldap_connect(hLdap, NULL);
Error 0 = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
Host supports SSL, SSL cipher strength = 256 bits
Established connection to dc.example.local.
Retrieving base DSA information…
Getting 1 entries:
Testing LDAPS connection – Linux
The issuing CA certificate is exported to /etc/pki/tls/certs/issuingca.cer, the domain controller certificate to /etc/pki/tls/certs/dc.cer and the trusted root CA to /etc/pki/tls/certs/ca.cer.
Add the root CA and issuing CA certificates to the Linux (CentOS/RHEL) CA trust store:
# Base-64 .cer files are PEM, so they can go into the anchors directory as-is
cp /etc/pki/tls/certs/issuingca.cer /etc/pki/ca-trust/source/anchors
cp /etc/pki/tls/certs/ca.cer /etc/pki/ca-trust/source/anchors
update-ca-trust enable   # only needed on RHEL/CentOS 6; harmless on 7 and later
update-ca-trust extract  # rebuilds /etc/pki/tls/certs/ca-bundle.crt from the anchors
# verify: both CA certs, and the exported DC cert, must now chain to an anchor
openssl verify /etc/pki/ca-trust/source/anchors/issuingca.cer
openssl verify /etc/pki/ca-trust/source/anchors/ca.cer
openssl verify /etc/pki/tls/certs/dc.cer
Test the connection. A good handshake prints the chain with verify return:1 at every depth; a CONNECTED line followed by write:errno=104 (connection reset) and "no peer certificate available" means the domain controller aborted the handshake, which is what happens when it has no usable certificate in its store, not a problem with the Linux trust store:
openssl s_client -connect test.local:636 -CAfile /etc/pki/tls/certs/ca.cer
CONNECTED(00000004)
depth=2 CN = CA-ROOT
verify return:1
depth=1 DC = local, DC = test, CN = CA
verify return:1
depth=0 CN = dc.test.local
verify return:1
---
Certificate chain
0 s:CN = dc.test.local
i:DC = local, DC = test, CN = CA
1 s:DC = local, DC = test, CN = CA
i:CN = CA-ROOT
---
Server certificate
-----BEGIN CERTIFICATE-----
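As an added example (not part of the original post, and not the author's code), the script below builds a throwaway two-tier PKI shaped like the one above, CA-ROOT signing an issuing CA "CA" that issues dc.test.local, and runs the checks worth doing on the three exported .cer files before pointing Apache at the DC: does dc.cer chain to the root through the exported issuing CA, does it carry a SAN that covers the name in the LDAP URL (the Kerberos Authentication template adds the domain's DNS and NetBIOS names next to the DC FQDN, which is why ldaps://test.local works), and is it usable as a TLS server certificate. It also reproduces the failure you get when only the root is copied to Linux. All names, serials and lifetimes are constructed for the demo; it needs only the openssl command-line tool and runs offline.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post. Builds a throwaway two-tier PKI
# shaped like the one in the post (CA-ROOT -> issuing CA "CA" -> dc.test.local) and
# runs the checks worth doing on the exported .cer files before pointing Apache at
# the DC. Names, serials and lifetimes are constructed for the demo; nothing here
# talks to a real CA or domain controller.
set -u

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# What the Kerberos Authentication template puts in the SAN with "DNS name" checked:
# the DC FQDN, the domain DNS name and the NetBIOS domain name (values assumed).
DC_FQDN="dc.test.local"
DOMAIN_DNS="test.local"
DOMAIN_NETBIOS="TEST"

# Inline OpenSSL config so the demo does not depend on the system openssl.cnf.
cat > "$WORK/openssl.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_dc ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = DNS:${DC_FQDN},DNS:${DOMAIN_DNS},DNS:${DOMAIN_NETBIOS}
EOF

csr() {  # $1 = file basename, $2 = subject
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/openssl.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$2" 2>/dev/null
}

# Root CA: the certificate exported from "Trusted Root Certification Authorities".
openssl req -x509 -new -newkey rsa:2048 -nodes -config "$WORK/openssl.cnf" \
  -extensions v3_ca -keyout "$WORK/ca.key" -out "$WORK/ca.cer" \
  -subj "/CN=CA-ROOT" -days 30 2>/dev/null
# Issuing CA signed by the root: the "Personal" certificate exported from the issuing CA.
csr issuingca "/DC=local/DC=test/CN=CA"
openssl x509 -req -in "$WORK/issuingca.csr" -CA "$WORK/ca.cer" -CAkey "$WORK/ca.key" \
  -set_serial 1000 -days 30 -extfile "$WORK/openssl.cnf" -extensions v3_ca \
  -out "$WORK/issuingca.cer" 2>/dev/null
# DC certificate, as issued from the duplicated Kerberos Authentication template.
csr dc "/CN=${DC_FQDN}"
openssl x509 -req -in "$WORK/dc.csr" -CA "$WORK/issuingca.cer" -CAkey "$WORK/issuingca.key" \
  -set_serial 2000 -days 30 -extfile "$WORK/openssl.cnf" -extensions v3_dc \
  -out "$WORK/dc.cer" 2>/dev/null

# True only when `openssl verify` both exits 0 and prints an explicit "OK"
# (old releases exited 0 on failure, so the exit status alone is not enough).
verify_ok() {
  verify_out="$(openssl verify "$@" 2>&1)" && printf '%s\n' "$verify_out" | grep -q ': OK$'
}

# Chain check only: does dc.cer chain to something in the trust file?
# With the root alone it fails when an issuing CA sits in between; with a bundle
# of root + issuing CA (what update-ca-trust extract assembles) it succeeds.
verify_chain() {  # $1 = trust file (PEM), $2 = dc.cer
  verify_ok -CAfile "$1" "$2"
}

# The full check mod_ldap performs before binding: chain to the root via the
# exported issuing CA, usable as a TLS server cert (EKU/keyUsage, i.e. the
# template's "Signature and encryption" purpose), and HOST covered by the SAN.
check_dc_cert() {  # $1 = root, $2 = issuingca.cer, $3 = dc.cer, $4 = host in the LDAP URL
  verify_ok -CAfile "$1" -untrusted "$2" -purpose sslserver -verify_hostname "$4" "$3"
}

# DNS names in the SAN, one per line: why ldaps://test.local works without the DC FQDN.
san_dns_names() {  # $1 = dc.cer
  openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}

cat "$WORK/ca.cer" "$WORK/issuingca.cer" > "$WORK/bundle.pem"
echo "SAN DNS names: $(san_dns_names "$WORK/dc.cer" | tr '\n' ' ')"
verify_chain "$WORK/ca.cer" "$WORK/dc.cer" || echo "root only:         chain broken (issuing CA missing)"
verify_chain "$WORK/bundle.pem" "$WORK/dc.cer" && echo "root + issuing CA: chain OK"
for host in "$DC_FQDN" "$DOMAIN_DNS" "rogue.test.local"; do
  if check_dc_cert "$WORK/ca.cer" "$WORK/issuingca.cer" "$WORK/dc.cer" "$host"; then
    echo "ldaps://$host: certificate acceptable"
  else
    echo "ldaps://$host: REJECTED (name not in SAN, or chain/purpose failure)"
  fi
done
```

Against a live domain controller the equivalent of check_dc_cert is openssl s_client -connect test.local:636 -CAfile /etc/pki/tls/certs/ca.cer -verify_hostname test.local -verify_return_error, which exits non-zero on a chain or hostname failure instead of printing the chain and carrying on. Plain s_client, as used above, performs no hostname check, so it reports Verify return code: 0 (ok) even when the SAN does not cover the name you connected to; mod_ldap and ldapsearch do check it.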
Apache – configuring LDAPS authentication
cat /etc/httpd/conf.d/ssl.conf
# mod_ldap: use LDAPS (not StartTLS) and trust only the exported CA chain.
# LDAPVerifyServerCert is on by default; it is spelled out here so nobody turns it off.
LDAPTrustedMode SSL
LDAPTrustedGlobalCert CERT_BASE64 /etc/pki/tls/certs/ca.cer
LDAPTrustedGlobalCert CERT_BASE64 /etc/pki/tls/certs/issuingca.cer
LDAPVerifyServerCert On
<Directory "/var/www/cgi-bin">
    # dc.cer is not loaded here: the DC certificate is validated against the CA
    # chain above. LDAPTrustedClientCert is for client (mutual TLS) certificates
    # and does not apply to the server's certificate.
    AllowOverride None
    Options None
    AuthType Basic
    AuthName "login to continue"
    AuthBasicProvider ldap
    AuthLDAPBindAuthoritative off
    # test.local (the domain name) works because the Kerberos Authentication
    # template puts the domain DNS name in the certificate's SAN next to the DC FQDN.
    AuthLDAPURL "ldaps://test.local:636/dc=test,dc=local?sAMAccountName"
    AuthLDAPBindDN "bindtest@test.local"
    # Plain-text bind password: keep this file readable by root only, or use
    # exec:/path/to/script (httpd 2.4.5+) to fetch it at startup.
    AuthLDAPBindPassword "pass"
    # httpd 2.4: access control is expressed with Require; the 2.2 Order/Allow
    # directives are not needed alongside it.
    Require valid-user
</Directory>
Thank you for adding this very helpful
Hi and thank you for that guide. I still have trouble connecting from my Linux machine to my Windows AD DC. My test environment consists of one Certification Authority which provides self-signed certs. Then I have 2 Domain Controllers where port 636 is listening. Every Windows machine in my network already talks via LDAP over SSL but I can't connect my Linux machines. I already imported the root and DC certs to my local trusted store of the Linux machine, but every time I want to test the connection I get an error:
My Input on Linux Mint: openssl s_client -connect hostname.dc1.net:636
and the Output is:
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 247 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
You didn't import the CA certs to the Linux machine.
Thank you for the fast reply. My ca-certificates.crt file contains both the root.crt and the dc.crt.
In your previous question you mentioned "My test environment consists of one Certification Authority which provides self-signed certs". Maybe that's the issue. What does "self-signed" mean? On the CA machine just create the CA template as I did.
Test your CA infrastructure in the following way:
Install IIS on your DC and enroll a cert to your DC. Assign the cert to IIS and, from the DC, access the default web page using HTTPS. If you're not getting "invalid cert" in the web browser, then on some test machine import the CA and DC cert and try accessing the web page on the DC again. If you're not getting an "invalid certificate" error, then there's no reason why it shouldn't work from Linux.
Hi!
Also, thanks very much and I hope you can help clarify and resolve the issues I still see in my setup:
* Windows Root-CA. Exported as described and saved to myca.cer
* Windows Domain Controller. Exported as described and saved to mydc.cer
Both files are imported and verified fine on my Linux client, but openssl s_client shows a similar response to what ANUB1S wrote.
Updating certificates …
Doing .
2 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d…
done.
openssl verify /etc/ssl/certs/myca.pem
/etc/ssl/certs/myca.pem: OK
openssl verify /etc/ssl/certs/mydc.pem
/etc/ssl/certs/mydc.pem: OK
openssl s_client -connect mydc:636 -CAfile /etc/ssl/certs/myca.pem # same when using mydc.pem
CONNECTED(00000005)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 317 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
In your instructions you mention exporting 3 certificates: CA, DC and intermediate, but on your linux you seem to never use the dc.cer anywhere? I’m not using an intermediate CA.
My Linux machine is not a member in the domain, if that’s important.
How to resolve/fix the
no peer certificate available
no client certificate CA names sent
Thanks very much in advance!
It seems the certificate is not properly installed on the Domain Controller, or the cert is invalid. Make sure you created the certificate template from the Kerberos Authentication template. Instead of the FQDN of the Domain Controller, I used just the domain name in the Apache config file.
Hi, I am new to certificate configuration.
How would I configure an intermediate certificate in a Windows Server certificate authority?
https://serverfault.com/questions/425438/create-and-use-intermediate-certificate-authority-on-windows-server-2012