By default, LDAP communications (port 389) between client and server applications are not encrypted. This means that it would be possible to use a network monitoring device or software and view the communications traveling between LDAP client and server computers. LDAP over SSL/TLS (LDAPS-port 636) is automatically enabled when you install an Public key (PKI) infrastructure, (Certificate Authority-CA). In this post i wan’t cover installing and configuring PKI infrastructure, i’ll concentrate on enabling LDAPS on windows and configuring secure connection to Windows Domain controllers from linux machines using SSL certificates.
Creating Certificate templates
On Issuing certificate authority, in Certification authority console right click on Certificate templates-Manage
Certification Templates console will launch, right click on template Kerberos Authentication-duplicate template
In compatibility tab,make sure that for Compatibility settings Windows Server 2003 is specified
In Request handling tab, make sure Signature and encryption is selected for purpose
If you plan to import the certificate into the Active Directory Domain Services certificate store, then should also mark the private key as exportable.
In general tab, specify validity period and template name
In subject name tab make sure DNS name and Service principal nane (SPN) are checked in.
In security tab, make sure Domain controllers are added and Enroll, Read and Autoenroll (if you want this template is enrolled automatically) are set to Allow
Once all is set click OK, right click Certificate Templates-New-Certificate Template to Issue
Select template and click OK
Exporting Certification authority (CA) certificate
On CA machine we issued certificate, name of this CA will be written in that certificate, so we need to export personal certificate of this CA and transfer it to Linux machine.This certificate will be used to validate certificate of Domain controller we are going to enroll in next steps.
Open Local computer certificate store (start-run-certlm.msc)
Expand Personal,right click on Certificates-All tasks-Export
Select No, do not export private key, for format select Base-64 encoded X.509 (.CER)
Save certificate to file with cer extension and move it to Linux machine
Enrolling certificate to Domain Controller
Now we need to enroll Certificate we just issued on Certification Authority machine.Go to Domain controller,open Local computer certificate store (start-run-certlm.msc)
Expand Personal,right click on Certificates-All tasks-Request New Certificate
Click Next twice and select certificate we just issued-Enroll
Exporting Domain controller certificate to Linux machine
Now we need to export this enrolled certificate to Linux machine.
Right click on certificate we just enrolled-All tasks-Export
Select No, do not export private key, for format select Base-64 encoded X.509 (.CER)
Save certificate as cer file and move it to linux machine
Exporting Trusted Root Certification authority (CA) certificate
In case you’re using intermediate CA (as in my case), you need to export Trusted Root certification authority certificate also, again, in Computer certificate store, expand Trusted root certification authorities-click Certificates-right click om Root certificate-export
Export in same way as in previous steps
Testing LDAPS connection – Windows
Before moving to linux, let’s first test LDAP over SSL connection.
On Domain controler from command prompt, type ldp.exe, click on Connection tab-Connect..
Type DNS name, port 636, check SSL and click OK
If all is OK, connection should be sucessfull
ld = ldap_sslinit("dc.example.local", 636, 1);
Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 0 = ldap_connect(hLdap, NULL);
Error 0 = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
Host supports SSL, SSL cipher strength = 256 bits
Established connection to dc.example.local.
Retrieving base DSA information…
Getting 1 entries:
Testing LDAPS connection – Linux
Certification authority certificate is exported to /etc/pki/tls/certs/issuingca.cer,domain controller certificate is exported to /etc/pki/tls/certs/dc.cer and trusted root CA to /etc/pki/tls/certs/ca.cer
Add CA Root and issuing CA certs to Linux (CentOS) ca store
cp /etc/pki/tls/certs/issuingca.cer /etc/pki/ca-trust/source/anchors cp /etc/pki/tls/certs/ca.cer /etc/pki/ca-trust/source/anchors update-ca-trust enable update-ca-trust extract # verify: openssl verify /etc/pki/ca-trust/source/anchors/issuingca.cer openssl verify /etc/pki/ca-trust/source/anchors/ca.cer
Test connection:
openssl s_client -connect test.local:636 -CAfile /etc/pki/tls/certs/ca.cer CONNECTED(00000004) depth=2 CN = CA-ROOT verify return:1 depth=1 DC = local, DC = test, CN = CA verify return:1 depth=0 CN = dc.test.local verify return:1 --- Certificate chain 0 s:CN = dc.test.local i:DC = local, DC = test, CN = CA 1 s:DC = local, DC = test, CN = CA i:CN = CA-ROOT --- Server certificate -----BEGIN CERTIFICATE-----
Apache – configuring LDAPS authentication
cat /etc/http/conf.d/ssl.conf
LDAPTrustedMode SSL
LDAPTrustedGlobalCert CERT_BASE64 /etc/pki/tls/certs/ca.cer
<Directory "/var/www/cgi-bin">
LDAPTrustedClientCert CERT_BASE64 /etc/pki/tls/certs/dc.cer
AllowOverride None
Options None
Order allow,deny
Allow from all
AuthType Basic
AuthName "login to continue"
AuthBasicProvider ldap
AuthLDAPBindAuthoritative off
AuthLDAPURL "ldaps://test.local:636/dc=test,dc=local?sAMAccountName
AuthLDAPBindDN "bindtest@test.local"
AuthLDAPBindPassword "pass"
require valid-user
</Directory>
