Yubico Forum https://forum.yubico.com/

[Question] What ldap certificate for Secure LDAP import? https://forum.yubico.com/viewtopic.php?f=29&t=1213
Page 1 of 1
Author: JordanAutomations [ Thu Oct 24, 2013 8:23 pm ]
Post subject: [Question] What ldap certificate for Secure LDAP import?
I have standard ldap user import working against either of my domain controllers: dc1.my.domain.com or dc2.my.domain.com. I'm planning on putting dc1.my.domain.com in for primary and dc2.my.domain.com for backup ldap/ad server. I'm wanting to implement secure ldap, and I see I need to provide an ldap certificate when I enable it. I'm not quite sure what I should be putting in here. Would it be the public certificate for dc1.my.domain.com in pem format? If I use DC1's cert, then isn't it going to fail if it attempts to use DC2? Can I provide the public key that signed both DC1 and DC2 so that it can trust either?
Author: samir [ Tue Oct 29, 2013 12:45 pm ]
Post subject: Re: [Question] What ldap certificate for Secure LDAP import?
Hello,

With the assumption that you are using a CA chain, we recommend you please follow the steps below to integrate the AD with your YubiRADIUS setup:

Please put the following entries in the "LDAP Certificate" text box under the "Users Import" tab: we recommend you please extract the full certificate string starting from the "-----BEGIN CERTIFICATE-----" tag and ending with the "-----END CERTIFICATE-----" tag.

Also make the following changes to the /etc/ldap/ldap.conf file.

Please comment the following line:
#TLS_CACERTDIR /etc/ssl/certs

Remove the comment from the following line:
TLS_CACERTDIR /etc/ssl/yubico-RoP

Test the YubiRADIUS by using the following steps:
Go to YubiRADIUS >> create new domain >> select that domain >> click on the "User Import" tab >> set the "Use Secure Connection" option to "Yes" >> enter the extracted certificate in the "Ldap certificate" field >> enter the remaining credentials on that page >> click on the "Import Users" button.

FYI, you can check whether the SSL connection is working and see what is happening by issuing the command:
$ openssl s_client -connect <ip>:636 -CApath /etc/ssl/certs

To test whether the SSL connection is working correctly with LDAP, try the following command:
$ ldapsearch -x -H ldaps://ads.domain.com -b <BASEDN> -D <binddn> -w <password>

If ldapsearch fails while the s_client test returns 'Verify return code 0 (ok)', please make sure that the URL you are connecting to after the -H option contains the exact same hostname as is specified after CN= in the output of s_client (at the very beginning of the output from s_client).

Hope this helps.

Thanks and best regards,
Samir.
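Editor's note: the following is an added worked example, not part of the thread and not Yubico's code. It demonstrates the point behind Samir's "CA chain" assumption and Jordan's question about DC1 versus DC2: it builds a throwaway CA that issues certificates for dc1.my.domain.com and dc2.my.domain.com (the hostnames from the question; the CA name and all file names are made up), extracts the CA's PEM block from text resembling s_client output the way you would for the "LDAP Certificate" box, and then runs the two checks an OpenSSL-based LDAP client makes on connect: chain building against the configured anchors, and matching the hostname from the ldaps:// URL against the certificate. It goes beyond the reply by also showing what happens when a DC's own leaf certificate is pasted instead of the CA, and when the URL hostname does not match the certificate. It assumes only the openssl command-line tool (1.1.1 or newer).

```shell
#!/bin/sh
# Added example; not from the forum thread and not Yubico's code. Builds a throwaway
# CA, issues certs for two domain controllers, extracts the CA's PEM block, and checks
# which trust anchor lets an OpenSSL-based LDAP client verify both DCs.
# Assumes the openssl CLI (1.1.1 or newer). The CA name is made up; the DC hostnames
# dc1/dc2.my.domain.com are the ones from the question.
set -eu

# make_ca DIR: self-signed root standing in for the enterprise CA that signed DC1 and DC2.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=my.domain.com Root CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" >/dev/null 2>&1
}

# issue_server_cert DIR FQDN: CSR for one DC, signed by the CA with the FQDN in the SAN.
# Once a SAN is present OpenSSL matches hostnames against it and ignores the CN.
issue_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$2" >"$1/$2.ext"
  openssl x509 -req -days 2 -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -extfile "$1/$2.ext" -out "$1/$2.crt" >/dev/null 2>&1
}

# extract_pem IN OUT: keep only the BEGIN/END CERTIFICATE blocks from text that also
# carries other lines, such as a pasted `openssl s_client -showcerts` session.
extract_pem() {
  sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$1" >"$2"
}

# verify_dc ANCHORS CERT HOST: the two checks an LDAP client makes on connect: chain
# CERT to the configured anchors only (system store excluded) and match HOST, the name
# from the ldaps:// URL, against the certificate. Prints ok or fail.
verify_dc() {
  if openssl verify -no-CAfile -no-CApath -CAfile "$1" -verify_hostname "$3" "$2" \
      >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

# demo: runs the whole flow and prints one "label result" line per check.
demo() {
  work=$(mktemp -d)
  make_ca "$work"
  issue_server_cert "$work" dc1.my.domain.com
  issue_server_cert "$work" dc2.my.domain.com

  # Constructed stand-in for the s_client chatter surrounding the CA cert you copy out.
  {
    echo 'depth=1 CN = my.domain.com Root CA'
    echo 'verify return:1'
    cat "$work/ca.crt"
    echo 'Verify return code: 0 (ok)'
  } >"$work/pasted.txt"
  extract_pem "$work/pasted.txt" "$work/bundle.pem"
  echo "bundle-blocks $(grep -c -- '-----BEGIN CERTIFICATE-----' "$work/bundle.pem")"

  dc1=$work/dc1.my.domain.com.crt
  dc2=$work/dc2.my.domain.com.crt
  # One CA bundle covers both the primary and the backup DC.
  echo "ca-trusts-dc1 $(verify_dc "$work/bundle.pem" "$dc1" dc1.my.domain.com)"
  echo "ca-trusts-dc2 $(verify_dc "$work/bundle.pem" "$dc2" dc2.my.domain.com)"
  # Pasting DC1's own leaf certificate instead: no self-signed root can be reached, so
  # OpenSSL rejects DC2 and, without partial-chain trust, DC1 as well.
  echo "leaf-trusts-dc1 $(verify_dc "$dc1" "$dc1" dc1.my.domain.com)"
  echo "leaf-trusts-dc2 $(verify_dc "$dc1" "$dc2" dc2.my.domain.com)"
  # The caveat from the reply: right CA, but the URL names a host the cert does not.
  echo "hostname-mismatch $(verify_dc "$work/bundle.pem" "$dc1" dc2.my.domain.com)"

  rm -rf "$work"
}

demo
```

In a real deployment the bundle.pem content is the exported certificate of the CA that issued the domain controllers' certificates (plus any intermediates), which is what belongs in the "LDAP Certificate" field; the DC's own certificate is not a usable anchor. The hostname-mismatch line is the failure Samir describes at the end of his reply: s_client with the right CA reports verify code 0, yet ldapsearch fails because the name after -H is not the one in the certificate.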
All times are UTC + 1 hour
Powered by phpBB® Forum Software © phpBB Group https://www.phpbb.com/