This document describes two approaches to setting up domain controllers in AD to listen for SSL-wrapped LDAP connections on port 636: one using the UW-IST certificate authority, the other using Active Directory's built-in certificate services. It also describes what is needed on the client side (in this case, openssl on Linux) to talk to the LDAPS service on a domain controller. This document assumes you are using Windows Server 2003; however, I followed instructions from Microsoft for Windows 2000.
http://support.microsoft.com/default.aspx?scid=kb;en-us;321051
Change dc-hostname.subdomain in the Subject line to that of your domain controller.
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=dc-hostname.subdomain.uwaterloo.ca" ; replace with the FQDN of the DC
KeySpec = 1
KeyLength = 1024
; Can be 1024, 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance.
; (1024-bit RSA is no longer considered adequate; 2048 or larger is preferred.)
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication

[RequestAttributes]
CertificateTemplate=DomainController
wget http://ist.uwaterloo.ca/security/IST-CA/cacert.der
TLS_CACERT full-path-to-cacert.pem
ldapsearch -L -H ldaps://junius.dragonfly.cs.uwaterloo.ca/ -x -W \
    -D "cn=YOUR NAME HERE,CN=Users,dc=dragonfly,dc=cs,dc=uwaterloo,dc=ca" \
    -b "dc=dragonfly,dc=cs,dc=uwaterloo,dc=ca" "cn=*" cn
Below are the steps I followed to first get LDAPS working in AD.
You need to be an Enterprise Administrator to do this stuff. I did this in an AD forest containing a single domain with a single domain controller, so YMMV.
Detailed instructions here:
http://www.microsoft.com/windows2000/techinfo/planning/security/casetupsteps.asp
Now that the root CA is created, make sure it is there and export it for future use (using openssl on Linux).
Once your certification authority is up, you need to configure the domain controllers to request certificates automatically. The whole request-and-issue process is automatic once you make a simple edit to the default domain GPO. This must be done in each domain where certificates are to be distributed. Once the domain controllers have a certificate, LDAPS should start working. There might be other ways of doing this, but this is the most straightforward to me:
When the GPO gets refreshed on the domain controller, you can verify that it's there by running mmc with the Certificates snap-in (Computer account). It should be there under Certificates -> Personal. Another way to verify is to run the Certification Authority utility (aka mmc with the snap-in) to see that the DC certificates are found under Issued Certificates.
You may need to run the following command on the CA server:
certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
Test the SSL connection by running something like:
openssl s_client -CAfile trustedCA.pem -connect junius:636
To tell the openldap client to make use of the trustedCA.pem file, stick the directive
TLS_CACERT full-path-to-trustedCA.pem
in your ldap.conf or user's .ldaprc file.
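As an added example (not code from the original page), the following Python script performs the client-side checks described above in one place: it re-encodes the downloaded cacert.der as PEM (the form -CAfile and TLS_CACERT need), completes a verified TLS handshake to port 636 against that CA file, and confirms the certificate names the DC by the FQDN that went into the request's Subject line. The DC name and file names are taken from this page; the function names are assumptions.

```python
"""Client-side LDAPS check for a domain controller (added example, not from
the original page). Assumes cacert.der from the wget step and the DC's FQDN."""
import socket
import ssl

LDAPS_PORT = 636

def der_to_pem(der_bytes):
    """Re-encode a DER certificate (cacert.der) as PEM, the form that openssl
    -CAfile and the openldap TLS_CACERT directive expect."""
    return ssl.DER_cert_to_PEM_cert(der_bytes)

def names_in_cert(cert):
    """DNS names the server cert claims: subject CN plus subjectAltName
    dNSName entries. `cert` is the dict SSLSocket.getpeercert() returns."""
    names = set()
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value.lower())
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(value.lower())
    return names

def cert_matches_dc(cert, dc_fqdn):
    """True when the cert names the DC by the FQDN that went into the request's
    Subject line; a bare hostname ('junius') does not match."""
    return dc_fqdn.lower() in names_in_cert(cert)

def probe_ldaps(dc_fqdn, ca_pem_path, port=LDAPS_PORT):
    """Verified TLS handshake with the DC on 636: chain checked against the CA
    file, hostname checked against the cert. Returns the peer cert dict and
    raises ssl.SSLError / ssl.CertificateError if verification fails."""
    ctx = ssl.create_default_context(cafile=ca_pem_path)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((dc_fqdn, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=dc_fqdn) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    with open("cacert.der", "rb") as f:        # from the wget step above
        with open("cacert.pem", "w") as out:
            out.write(der_to_pem(f.read()))
    dc = "junius.dragonfly.cs.uwaterloo.ca"     # FQDN from the page's ldapsearch
    peer = probe_ldaps(dc, "cacert.pem")
    print("LDAPS OK, subject names:", names_in_cert(peer))
    assert cert_matches_dc(peer, dc)
```

If the handshake fails with a verification error, the usual causes are a CA file that does not contain the issuing root, or a DC certificate whose Subject is not the FQDN you connected to.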
The final test is to fire up Ethereal and run a query like this:
ldapsearch -L -H ldaps://junius.dragonfly.cs.uwaterloo.ca/ -x -W \
    -D "cn=YOUR NAME HERE,CN=Users,dc=dragonfly,dc=cs,dc=uwaterloo,dc=ca" \
    -b "dc=dragonfly,dc=cs,dc=uwaterloo,dc=ca" "cn=*" cn
The result was what I expected, and all Ethereal saw was SSL!
-- JasonTestart - 24 Nov 2005 -- ClaytonTucker - 24 Jan 2008
http://enterprise.linux.com/article.pl?sid=05/10/18/1732231&from=rss has info on doing LDAPS on a Linux host using a self-signed CA.