Linux – Connecting to Windows LDAP over SSL (LDAPS) using certificate

Posted: February 18, 2020 in Windows Server

By default, LDAP communications (port 389) between client and server applications are not encrypted. This means that it would be possible to use a network monitoring  device or software and view the communications traveling between LDAP client and server computers. LDAP over SSL/TLS (LDAPS-port 636) is automatically enabled when you install an Public key (PKI) infrastructure, (Certificate Authority-CA). In this post i wan’t cover installing and configuring PKI infrastructure, i’ll concentrate on enabling LDAPS on windows and configuring secure connection to Windows Domain controllers from linux machines using SSL certificates.

Creating Certificate templates

On Issuing certificate authority, in Certification authority console right click on Certificate templates-Manage

Certification Templates console will launch, right click on template Kerberos Authentication-duplicate template

In compatibility tab,make sure that for Compatibility settings Windows Server 2003 is specified

In Request handling tab, make sure Signature and encryption is selected for purpose

If you plan to import the certificate into the Active Directory Domain Services certificate store, then should also mark the private key as exportable.

In general tab, specify validity period and template name

In subject name tab make sure DNS name and Service principal nane (SPN) are checked in.

In security tab, make sure Domain controllers are added and Enroll, Read and Autoenroll (if you want this template is enrolled automatically) are set to Allow

Once all is set click OK, right click Certificate Templates-New-Certificate Template to Issue

Select template and click OK

Exporting Certification authority (CA) certificate

On CA machine we issued certificate, name of this CA will be written in that certificate, so we need to export personal certificate of this CA and transfer it to Linux machine.This certificate will be used to validate certificate of Domain controller we are going to enroll in next steps.

Open Local computer certificate store (start-run-certlm.msc)

Expand Personal,right click on Certificates-All tasks-Export

Select No, do not export private key, for format select Base-64 encoded X.509 (.CER)

Save certificate to file with cer extension and move it to Linux machine

Enrolling certificate to Domain Controller

Now we need to enroll Certificate we just issued on Certification Authority machine.Go to Domain controller,open Local computer certificate store (start-run-certlm.msc)

Expand Personal,right click on Certificates-All tasks-Request New Certificate

Click Next twice and select certificate we just issued-Enroll

Exporting Domain controller certificate to Linux machine

Now we need to export this enrolled certificate to Linux machine.

Right click on certificate we just enrolled-All tasks-Export

Select No, do not export private key, for format select Base-64 encoded X.509 (.CER)

Save certificate as cer file and move it to linux machine

Exporting Trusted Root Certification authority (CA) certificate

In case you’re using intermediate CA (as in my case), you need to export Trusted Root certification authority certificate also, again, in Computer certificate store, expand Trusted root certification authorities-click Certificates-right click om Root certificate-export

Export in same way as in previous steps

Testing LDAPS connection – Windows

Before moving to linux, let’s first test LDAP over SSL connection.

On Domain controler from command prompt, type ldp.exe, click on Connection tab-Connect..

Type DNS name, port 636, check SSL and click OK

If all is OK, connection should be sucessfull

ld = ldap_sslinit("dc.example.local", 636, 1);
Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 0 = ldap_connect(hLdap, NULL);
Error 0 = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
Host supports SSL, SSL cipher strength = 256 bits
Established connection to dc.example.local.
Retrieving base DSA information…
Getting 1 entries:

Testing LDAPS connection – Linux

Certification authority certificate is exported to /etc/pki/tls/certs/issuingca.cer,domain controller certificate is exported to /etc/pki/tls/certs/dc.cer and trusted root CA to /etc/pki/tls/certs/ca.cer

Add CA Root and issuing CA certs to Linux (CentOS) ca store

cp /etc/pki/tls/certs/issuingca.cer /etc/pki/ca-trust/source/anchors
cp /etc/pki/tls/certs/ca.cer /etc/pki/ca-trust/source/anchors
update-ca-trust enable
update-ca-trust extract

# verify:
openssl verify /etc/pki/ca-trust/source/anchors/issuingca.cer
openssl verify /etc/pki/ca-trust/source/anchors/ca.cer

Test connection:

openssl s_client -connect test.local:636 -CAfile /etc/pki/tls/certs/ca.cer

CONNECTED(00000004)                                                                                                                                         
depth=2 CN =  CA-ROOT
verify return:1
depth=1 DC = local, DC = test, CN = CA
verify return:1
depth=0 CN = dc.test.local
verify return:1
---
Certificate chain
 0 s:CN = dc.test.local
   i:DC = local, DC = test, CN = CA
 1 s:DC = local, DC = test, CN = CA
   i:CN = CA-ROOT
---
Server certificate
-----BEGIN CERTIFICATE-----

Apache – configuring LDAPS authentication

cat /etc/http/conf.d/ssl.conf

LDAPTrustedMode SSL

LDAPTrustedGlobalCert CERT_BASE64 /etc/pki/tls/certs/ca.cer

<Directory "/var/www/cgi-bin">

    LDAPTrustedClientCert CERT_BASE64 /etc/pki/tls/certs/dc.cer
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
    AuthType Basic
    AuthName "login to continue"
    AuthBasicProvider ldap
    AuthLDAPBindAuthoritative off
    AuthLDAPURL "ldaps://test.local:636/dc=test,dc=local?sAMAccountName
    AuthLDAPBindDN "bindtest@test.local"
    AuthLDAPBindPassword "pass"
    require valid-user

</Directory>

Advertisement
Comments
  1. Deepak says:

    Thank you for adding this very helpful

    Like

  2. ANUB1S says:

    hi and thank you for that guide. I still have trouble connecting from my Linux-Machine to my Windows AD DC. My test environment consist of one Certifaction Authority which provides Self-Signed Certs. Then i have 2 Dmaincontroller where the Ports 636 are listening. every Windowsmachine in my Network already talks via LDAP over SSL but i cant connect my Linux-Machines. I already imported the root and dc certs to my local trusted store of the Linux-Machine, but everytime i want to test the connection i get an Error:

    My Input on Linux Mint: openssl s_client -connect hostname.dc1.net:636

    and the Output is:

    CONNECTED(00000003)
    write:errno=104

    no peer certificate available

    No client certificate CA names sent

    SSL handshake has read 0 bytes and written 247 bytes

    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE

    Like

    • dragan979 says:

      you didn’t import CA certs to linux machine

      Like

      • ANUB1S says:

        Thank you for that fast Reply. In my ca-certificates.crt file are both, the root.crt and the dc.crt.

        Like

      • dragan979 says:

        in previous question you mentioned “My test environment consist of one Certifaction Authority which provides Self-Signed Certs”. Maybe that’s the issue. What “self-signed” means?. On CA machine just create CA template as i did.
        Test you CA infrastructure in following way:
        Install IIS on your DC, enroll cert to your DC. Assign cert to IIS and from DC access default web page by using HTTPS, if your’re not getting “invalid cert” in web browser then, on some test machine, import CA and DC cert and try accessing again web page on DC.If not getting “invalid certificate” error, then no reason why it shouldn’t work from linux

        Like

  3. Gimlet says:

    Hi!

    Also, thanks very much and I hope you can help clarify and resolve the issues I still see in my setup:

    * Windows Root-CA. Exported as described and saved to myca.cer
    * Windows Domain Controller. Exported as described and saved to mydc.cer

    both files are imported and verified fine on my Linux client but openssl s_client shows a similar response to what ANUB1S wrote.

    Updating certificates …
    Doing .
    2 added, 0 removed; done.
    Running hooks in /etc/ca-certificates/update.d…
    done.

    openssl verify /etc/ssl/certs/myca.pem
    /etc/ssl/certs/myca.pem: OK
    openssl verify /etc/ssl/certs/mydc.pem
    /etc/ssl/certs/mydc.pem: OK

    openssl s_client -connect mydc:636 -CAfile /etc/ssl/certs/myca.pem # same when using mydc.pem
    CONNECTED(00000005)
    write:errno=104

    no peer certificate available

    No client certificate CA names sent

    SSL handshake has read 0 bytes and written 317 bytes
    Verification: OK

    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    Early data was not sent
    Verify return code: 0 (ok)

    In your instructions you mention exporting 3 certificates: CA, DC and intermediate, but on your linux you seem to never use the dc.cer anywhere? I’m not using an intermediate CA.

    My Linux machine is not a member in the domain, if that’s important.

    How to resolve/fix the
    no peer certificate available
    no client certificate CA names sent

    Thanks very much in advance!

    Like

    • dragan979 says:

      It seems as certificate is not properly installed on Domain controller or that cert is invalid. Make sure you created Certificate template from Kerberos Authentication template, instead of FQDN of Domain controller, i used just domain name in Apache config file.

      Like

  4. Hola soy novato en la configuración de certificados.
    ¿Como se configuraría un certificado intermedio en una entidad de certificación Windows Server?

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s