To connect DualShield to Active Directory via LDAP over SSL (LDAPS), you must tell your DualShield server to trust your AD server. In other words, you must import the CA certificate that was used to sign the server certificate of your AD server into the keystore of your DualShield server as a trusted root certificate.

Configure Active Directory Authentication with LDAP over SSL

First of all, make sure that your AD server is fully configured to accept SSL connections. To verify that your AD server accepts LDAPS connections, you can run the Microsoft support tool LDP.EXE on your AD server. Open a command prompt, type ldp and press Enter.


The LDP window will pop up.


Select Connection → Connect.

Enter the server name and set the connection port to 636.

Image Added

You should see the following output:


If your AD server is not yet configured to accept SSL connections, you must first enable SSL on it. The article below has detailed instructions:

...

...

It might also be useful to read the following Microsoft Articles:

...

The CA that signed the LDAPS certificate is not necessarily your own Certification Authority, so the safe way to locate the correct CA is to follow the steps below.

First, you need to find the SSL certificate of the AD server. There are two ways:

Using the MMC Tool

  • Open the Local Computer certificate console (MMC) on your domain controller.
  • Locate the LDAPS certificate, which should include the Server Authentication (1.3.6.1.5.5.7.3.1) object identifier in its Enhanced Key Usage.


Normally it has "DomainController" as its Certificate Template Name.

The Active Directory fully qualified domain name of the domain controller (for example, povm2k3svr.parkoffice.com) must appear in one of the following places:

    • The Common Name (CN) in the Subject field.
    • A DNS entry in the Subject Alternative Name extension.

Using the OpenSSL Tool

Download OpenSSL from https://slproweb.com/products/Win32OpenSSL.html and install it.

Run the following command.

openssl s_client -connect myldapsserver.domain.com:636

Part of the output of this command is the Base-64 encoded certificate that the server presented for LDAPS. Copy the text from "-----BEGIN CERTIFICATE-----" through "-----END CERTIFICATE-----" into Notepad and save it as a .cer file. Double-click the certificate file and you will be viewing the certificate presented for LDAPS.

Once you have found the SSL certificate of the AD server, double-click the certificate and go to the "Certification Path" tab.

In our example, the CA that signed the LDAPS certificate is the highlighted entry "ca".
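As an added example (not part of the DualShield documentation), the POSIX shell script below checks a certificate saved from the openssl s_client output against the requirements above (Server Authentication EKU, the domain controller's FQDN in the CN or SAN) and confirms that the CA you are about to export is really the one that signed it. It assumes only the openssl command-line tool; the domain controller certificates it builds are constructed stand-ins that reuse the example name povm2k3svr.parkoffice.com from this page.

```shell
#!/bin/sh
# Added example, not part of the DualShield documentation: checks the .cer saved
# from "openssl s_client -connect <dc>:636" against the requirements listed above
# and confirms that the CA about to be imported really signed it.
# Assumes only the openssl CLI; file names and the sample DC are constructed.

# check_ldaps_cert CERT.cer FQDN CA.cer -> 0 if CERT is usable for LDAPS and
# CA.cer is the CA that signed it; prints the reason otherwise.
check_ldaps_cert() {
    cert="$1"; fqdn="$2"; ca="$3"
    # Server Authentication (1.3.6.1.5.5.7.3.1) must be in Extended Key Usage
    openssl x509 -in "$cert" -noout -text | grep -q 'TLS Web Server Authentication' \
        || { echo "FAIL: no Server Authentication EKU in $cert"; return 1; }
    # The DC's FQDN must be the subject CN or a DNS entry in the SAN
    # (-checkhost tries SAN DNS names first and falls back to the CN)
    openssl x509 -in "$cert" -noout -checkhost "$fqdn" | grep -q 'does match' \
        || { echo "FAIL: $fqdn is neither the CN nor a SAN DNS name"; return 1; }
    # The exported CA must verify this certificate; otherwise DualShield would
    # trust a CA that never signed the LDAPS certificate
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "FAIL: $ca did not sign $cert"; return 1; }
    echo "OK: import $(openssl x509 -in "$ca" -noout -subject) into DualShield"
}

# make_demo_certs DIR: constructed stand-in for a domain controller. Writes
# DIR/ca.cer (signs the LDAPS cert), DIR/other-ca.cer (an unrelated CA) and
# DIR/dc.cer (LDAPS cert for povm2k3svr.parkoffice.com, the FQDN used above).
make_demo_certs() {
    d="$1"
    printf '[req]\ndistinguished_name=dn\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.cnf"
    printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:povm2k3svr.parkoffice.com\n' > "$d/dc.ext"
    for name in ca other-ca; do
        openssl req -x509 -config "$d/ca.cnf" -extensions ca -newkey rsa:2048 -nodes \
            -days 1 -subj "/CN=$name" -keyout "$d/$name.key" -out "$d/$name.cer" >/dev/null 2>&1
    done
    openssl req -config "$d/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=povm2k3svr.parkoffice.com" \
        -keyout "$d/dc.key" -out "$d/dc.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$d/dc.csr" -CA "$d/ca.cer" -CAkey "$d/ca.key" \
        -CAcreateserial -extfile "$d/dc.ext" -out "$d/dc.cer" >/dev/null 2>&1
}

# Stand-alone run: the real CA passes, an unrelated CA is rejected.
d=$(mktemp -d); make_demo_certs "$d"
check_ldaps_cert "$d/dc.cer" povm2k3svr.parkoffice.com "$d/ca.cer"
if check_ldaps_cert "$d/dc.cer" povm2k3svr.parkoffice.com "$d/other-ca.cer"; then
    echo "unexpected: unrelated CA accepted"
fi
rm -rf "$d"
```

Against a real domain controller, pass the .cer saved from the s_client output, the controller's FQDN and the CA certificate exported from the Certification Path tab.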

To export the CA certificate:

    • Select the CA certificate and click View Certificate.
      The Certificate dialog box appears.

...

Finally, in DualShield, modify the LDAP connection of the Identity Source that is connected to your AD server.