Linux – Connecting to Windows LDAP over SSL (LDAPS) using certificate

Posted: February 18, 2020 in Windows Server

By default, LDAP communications (port 389) between client and server applications are not encrypted. This means that it would be possible to use a network monitoring device or software to view the communications traveling between LDAP client and server computers. LDAP over SSL/TLS (LDAPS, port 636) is automatically enabled when you install a Public Key Infrastructure (PKI), i.e. a Certificate Authority (CA). In this post I won't cover installing and configuring the PKI infrastructure; I'll concentrate on enabling LDAPS on Windows and configuring a secure connection to Windows domain controllers from Linux machines using SSL certificates.

Creating Certificate templates

On the issuing certificate authority, in the Certification Authority console, right click on Certificate Templates - Manage

The Certificate Templates console will launch; right click on the Kerberos Authentication template - Duplicate Template

In the Compatibility tab, make sure that Windows Server 2003 is specified for the Compatibility settings

In the Request Handling tab, make sure Signature and encryption is selected for Purpose

If you plan to import the certificate into the Active Directory Domain Services certificate store, you should also mark the private key as exportable.

In the General tab, specify the validity period and template name

In the Subject Name tab, make sure DNS name and Service principal name (SPN) are checked.

In the Security tab, make sure Domain Controllers are added and Enroll, Read and Autoenroll (if you want this template to be enrolled automatically) are set to Allow

Once all is set, click OK, then right click Certificate Templates - New - Certificate Template to Issue

Select template and click OK

Exporting Certification authority (CA) certificate

The CA machine issued the certificate, and the name of this CA is written in that certificate, so we need to export the personal certificate of this CA and transfer it to the Linux machine. This certificate will be used to validate the certificate of the domain controller we are going to enroll in the next steps.

Open the Local Computer certificate store (Start - Run - certlm.msc)

Expand Personal, right click on Certificates - All Tasks - Export

Select No, do not export the private key; for the format select Base-64 encoded X.509 (.CER)

Save the certificate to a file with the .cer extension and move it to the Linux machine

Enrolling certificate to Domain Controller

Now we need to enroll the certificate we just issued on the Certification Authority machine. Go to the domain controller and open the Local Computer certificate store (Start - Run - certlm.msc)

Expand Personal, right click on Certificates - All Tasks - Request New Certificate

Click Next twice, select the certificate we just issued and click Enroll

Exporting Domain controller certificate to Linux machine

Now we need to export this enrolled certificate to the Linux machine.

Right click on the certificate we just enrolled - All Tasks - Export

Select No, do not export the private key; for the format select Base-64 encoded X.509 (.CER)

Save the certificate as a .cer file and move it to the Linux machine

Exporting Trusted Root Certification authority (CA) certificate

In case you're using an intermediate CA (as in my case), you also need to export the Trusted Root Certification Authority certificate: again, in the computer certificate store, expand Trusted Root Certification Authorities - click Certificates - right click on the root certificate - Export

Export it in the same way as in the previous steps

Testing LDAPS connection – Windows

Before moving to Linux, let's first test the LDAP over SSL connection.

On the domain controller, from a command prompt, type ldp.exe, then click Connection - Connect...

Type the DNS name and port 636, check SSL and click OK

If all is OK, the connection should be successful:

ld = ldap_sslinit("dc.example.local", 636, 1);
Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 0 = ldap_connect(hLdap, NULL);
Error 0 = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
Host supports SSL, SSL cipher strength = 256 bits
Established connection to dc.example.local.
Retrieving base DSA information…
Getting 1 entries:

Testing LDAPS connection – Linux

The certification authority certificate is exported to /etc/pki/tls/certs/issuingca.cer, the domain controller certificate to /etc/pki/tls/certs/dc.cer and the trusted root CA certificate to /etc/pki/tls/certs/ca.cer

Add the root CA and issuing CA certs to the Linux (CentOS) CA store:

# copy both CA certificates into the anchors directory and rebuild the system trust store
cp /etc/pki/tls/certs/issuingca.cer /etc/pki/ca-trust/source/anchors
cp /etc/pki/tls/certs/ca.cer /etc/pki/ca-trust/source/anchors
update-ca-trust enable
update-ca-trust extract

# verify: both certificates must now chain to a trusted root
openssl verify /etc/pki/ca-trust/source/anchors/issuingca.cer
openssl verify /etc/pki/ca-trust/source/anchors/ca.cer

Test connection:

openssl s_client -connect test.local:636 -CAfile /etc/pki/tls/certs/ca.cer

CONNECTED(00000004)
depth=2 CN =  CA-ROOT
verify return:1
depth=1 DC = local, DC = test, CN = CA
verify return:1
depth=0 CN = dc.test.local
verify return:1
---
Certificate chain
 0 s:CN = dc.test.local
   i:DC = local, DC = test, CN = CA
 1 s:DC = local, DC = test, CN = CA
   i:CN = CA-ROOT
---
Server certificate
-----BEGIN CERTIFICATE-----
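As an added example (not from the original post), the script below builds a throw-away root CA, issuing CA and domain controller certificate with openssl, with subject names mirroring the post's, and then verifies the DC certificate the way update-ca-trust and openssl s_client do. It shows why the issuing CA must be exported alongside the root, as noted above for intermediate CAs, and why the DNS name in the certificate template must match the host you connect to. The helpers mkcert and verify_dc are my own; it assumes openssl 1.1.1 or later on the path.

```shell
#!/bin/sh
# Added example: constructed test chain root -> issuing CA -> DC; not the
# post's real certificates. Names mirror the post (CA-ROOT, CA, dc.test.local).
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# mkcert NAME SUBJECT EXTENSIONS [ISSUER]: issue a 1-day certificate,
# self-signed when no issuer is given, otherwise signed by ISSUER's key.
mkcert() {
  printf '%s\n' "$3" > "$1.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "$2" 2>/dev/null
  if [ -z "$4" ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 1 \
      -extfile "$1.ext" -out "$1.cer" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$4.cer" -CAkey "$4.key" -CAcreateserial \
      -days 1 -extfile "$1.ext" -out "$1.cer" 2>/dev/null
  fi
}

# The same three certificates the post exports: root, issuing (intermediate) CA
# and the domain controller certificate with its DNS name in the SAN.
mkcert ca "/CN=CA-ROOT" "basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign"
mkcert issuingca "/DC=local/DC=test/CN=CA" "basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign" ca
mkcert dc "/CN=dc.test.local" "basicConstraints=CA:FALSE
subjectAltName=DNS:dc.test.local
extendedKeyUsage=serverAuth" issuingca

# verify_dc HOST TRUSTED_CA [INTERMEDIATE]: prints "ok" or "fail".
# TRUSTED_CA is the trust anchor (what goes into the CA store); INTERMEDIATE is
# only used to build the chain; HOST is checked against the cert's DNS names.
verify_dc() {
  extra=""
  [ -n "$3" ] && extra="-untrusted $3"
  if openssl verify -CAfile "$2" $extra -verify_hostname "$1" dc.cer >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

echo "root only, issuing CA missing: $(verify_dc dc.test.local ca.cer)"                   # fail
echo "root + issuing CA:             $(verify_dc dc.test.local ca.cer issuingca.cer)"     # ok
echo "issuing CA only, root missing: $(verify_dc dc.test.local issuingca.cer)"            # fail
echo "wrong host name:               $(verify_dc other.test.local ca.cer issuingca.cer)"  # fail
```

Only the second case passes: the root alone cannot link dc.cer to an anchor without the issuing CA, the issuing CA alone is not self-signed and so is not an anchor, and a name that is not in the certificate fails the hostname check even with a complete chain.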

Apache – configuring LDAPS authentication

cat /etc/httpd/conf.d/ssl.conf

# connect to the directory over TLS and verify its certificate against the exported root CA
LDAPTrustedMode SSL
LDAPTrustedGlobalCert CERT_BASE64 /etc/pki/tls/certs/ca.cer

<Directory "/var/www/cgi-bin">
    LDAPTrustedClientCert CERT_BASE64 /etc/pki/tls/certs/dc.cer
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
    AuthType Basic
    AuthName "login to continue"
    AuthBasicProvider ldap
    AuthLDAPBindAuthoritative off
    # search the domain by sAMAccountName using the bind account below
    AuthLDAPURL "ldaps://test.local:636/dc=test,dc=local?sAMAccountName"
    AuthLDAPBindDN "bindtest@test.local"
    AuthLDAPBindPassword "pass"
    require valid-user
</Directory>
