Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 3:40 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 2 posts ] 
Author Message
PostPosted: Thu Oct 24, 2013 8:23 pm 
Offline

Joined: Thu Oct 24, 2013 8:05 pm
Posts: 1
I have standard ldap user import working against either of my domain controllers: dc1.my.domain.com or dc2.my.domain.com. I'm planning on putting dc1.my.domain.com in for primary and dc2.my.domain.com for backup ldap/ad server.

I'm wanting to implement secure ldap, and I see I need to provide a ldap certificate when I enable it. I'm not quite sure what I should be putting in here. Would it be the public certificate for dc1.my.domain.com in pem format? If I use DC1's cert, then isn't it going to fail if it attempts to use DC2? Can I sprovide the public key that signed both DC1 and DC2 so that it can trust either?


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Tue Oct 29, 2013 12:45 pm 
Offline
Yubico Team
Yubico Team

Joined: Mon Feb 22, 2010 9:49 am
Posts: 183
Hello,

With an assumption you are using a CA chain, we recommend you to please follow the steps below to integrate the AD with your YubiRADIUS setup:

Please put the the following entries to the "LDAP Certificate" text box under "Users Import" tab:

We recommend you please extract the full certificate string starting from "-------BEGIN CERTIFICATE----------" tag and ending with "--------END CERTIFICATE---------" tag.

Also make the following changes to /etc/ldap/ldap.conf file.

Please comment the following lines :

#TLS_CACERTDIR /etc/ssl/certs

Remove comment from the follwing line:

TLS_CACERTDIR /etc/ssl/yubico-RoP

Test the YubiRADIUS by using following steps:

Go to YubiRADIUS >> create new domain >> select that domain >> click on "User Import" tab >> select the "Use Secure Connection option" to "Yes" >> enter the extracted certificate in "Ldap certificate" field >> enter the remaining credentials on that page >> click on "Import Users" button.

FYI,
You can check whether the SSL connection is working and see what is happening by issuing the command:
$ openssl s_client -connect <ip>:636 -CApath /etc/ssl/certs
To test whether the SSL connection is working correctly with LDAP, try the following command:
$ ldapsearch -x -H ldaps://ads.domain.com -b <BASEDN> -D <binddn> -w <password>
If ldapsearch fails, while the s_client test returns with 'Verify return code 0 (ok)', please make sure that the URL you are connecting with after the -H option contains the exact same hostname as is specified behind CN= in the output of s_client (at the very beginning of the output from s_client).

Hope this helps.

Thanks and best regards,
Samir.


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 2 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 1 guest


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group