Yubico Forum ...visit our web-store at 2013-10-29T12:45:08+01:00 https://forum.yubico.com/feed.php?f=29&t=1213 2013-10-29T12:45:08+01:00 2013-10-29T12:45:08+01:00 https://forum.yubico.com/viewtopic.php?t=1213&p=4564#p4564 <![CDATA[Re: [Question] What ldap certificate for Secure LDAP import?]]>
With an assumption you are using a CA chain, we recommend you to please follow the steps below to integrate the AD with your YubiRADIUS setup:

Please put the the following entries to the "LDAP Certificate" text box under "Users Import" tab:

We recommend you please extract the full certificate string starting from "-------BEGIN CERTIFICATE----------" tag and ending with "--------END CERTIFICATE---------" tag.

Also make the following changes to /etc/ldap/ldap.conf file.

Please comment the following lines :

#TLS_CACERTDIR /etc/ssl/certs

Remove comment from the follwing line:

TLS_CACERTDIR /etc/ssl/yubico-RoP

Test the YubiRADIUS by using following steps:

Go to YubiRADIUS >> create new domain >> select that domain >> click on "User Import" tab >> select the "Use Secure Connection option" to "Yes" >> enter the extracted certificate in "Ldap certificate" field >> enter the remaining credentials on that page >> click on "Import Users" button.

FYI,
You can check whether the SSL connection is working and see what is happening by issuing the command:
$ openssl s_client -connect <ip>:636 -CApath /etc/ssl/certs
To test whether the SSL connection is working correctly with LDAP, try the following command:
$ ldapsearch -x -H ldaps://ads.domain.com -b <BASEDN> -D <binddn> -w <password>
If ldapsearch fails, while the s_client test returns with 'Verify return code 0 (ok)', please make sure that the URL you are connecting with after the -H option contains the exact same hostname as is specified behind CN= in the output of s_client (at the very beginning of the output from s_client).

Hope this helps.

Thanks and best regards,
Samir.

Statistics: Posted by samir — Tue Oct 29, 2013 12:45 pm

]]> 2013-10-24T20:23:28+01:00 2013-10-24T20:23:28+01:00 https://forum.yubico.com/viewtopic.php?t=1213&p=4541#p4541 <![CDATA[[Question] What ldap certificate for Secure LDAP import?]]>
I'm wanting to implement secure ldap, and I see I need to provide a ldap certificate when I enable it. I'm not quite sure what I should be putting in here. Would it be the public certificate for dc1.my.domain.com in pem format? If I use DC1's cert, then isn't it going to fail if it attempts to use DC2? Can I sprovide the public key that signed both DC1 and DC2 so that it can trust either?

Statistics: Posted by JordanAutomations — Thu Oct 24, 2013 8:23 pm

]]>