[Auth_ldap] Auth_Ldap and Active Directory with TLS/SSL
Aaron Smith
Aaron.Smith at kzoo.edu
Wed Oct 11 10:38:58 PDT 2006
Ok. I think I might have made at least SOME progress on this. I added
the patch that Andrew McAllister added to allow Openldap to connect to
an LDAPS:// URL and recompiled it. Now, when attempting to use SSL, I
get an error in the Apache log file that says:
Could not connect to LDAP server: No such file or directory
If I don't use SSL, and connect to port 3268, it works fine. My gut
says this is a certificate problem and I suspect that the "file or
directory" it's looking for is the CA certificate for my domain. I put
a copy of this in /etc/certs and then put the following in openldap's
ldap.conf:
TLS_REQCERT never
TLS_CACERT /etc/certs/sandbox-ca-B64.cer
TLS_CACERTDIR /etc/certs
I'm currently authenticating to a domain controller on a test domain and
didn't do anything to "set up" TLS/SSL on the Domain controller. I've
read some instructions about adding certificate requests into Group
Policy which will "turn on" SSL and TLS and cause the servers to start
listening to ports 636 and 3269, however I didn't do this and the server
is ALREADY listening to those ports.....? I did install Certificate
Services so maybe that gets set up when you do that?
I know this is sounding like more of a windows question rather than
Auth_Ldap but I thought maybe someone on the list had run into this
issue.
--------------------------------------------------------------------
Aaron Smith Aaron.Smith at kzoo.edu
System Administrator (269) 337-7496
Kalamazoo College
-----Original Message-----
From: McAllister, Andrew [mailto:McAllisterA at umsystem.edu]
Sent: Tuesday, October 10, 2006 11:38 AM
To: Aaron Smith
Subject: RE: [Auth_ldap] Auth_Ldap and Active Directory with TLS/SSL
I believe it uses 3269 for TLS
Andy
> -----Original Message-----
> From: auth_ldap-bounces at rudedog.org
> [mailto:auth_ldap-bounces at rudedog.org] On Behalf Of Aaron Smith
> Sent: Tuesday, October 10, 2006 9:46 AM
> To: auth_ldap at rudedog.org
> Subject: Re: [Auth_ldap] Auth_Ldap and Active Directory with TLS/SSL
>
> After I sent my last message, I found the problem with the
> "Operations Error" with Server 2003, had to point auth_ldap
> to port 3268. Still having trouble with TLS though. Does
> the AD server use a different port for TLS connections? I'll
> have to google that...
>
> --------------------------------------------------------------------
> Aaron Smith Aaron.Smith at kzoo.edu
> System Administrator (269) 337-7496
> Kalamazoo College
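The ldap.conf lines quoted in the message above disable server certificate checking (TLS_REQCERT never) and point TLS_CACERT at a Windows CA export, and the thread goes back and forth over which Active Directory port carries TLS. The following is an added example, not code from the thread, from auth_ldap or from OpenLDAP: a small Python linter that reads an ldap.conf, flags settings that either weaken the LDAPS session or stop the CA from being verified, and checks an ldap:// or ldaps:// URL for a scheme/port mismatch (AD listens for TLS on 636 and on 3269 for the Global Catalog; 389 and 3268 are plain). The sample ldap.conf and the URLs are constructed; the PEM check assumes an OpenSSL-backed OpenLDAP client.

```python
"""Lint OpenLDAP client TLS settings for LDAPS to an Active Directory DC.
Added example, not part of the mailing-list thread or of auth_ldap/OpenLDAP."""
from urllib.parse import urlsplit

# Constructed sample: the settings quoted in the post, as they would sit in ldap.conf.
SAMPLE_LDAP_CONF = """\
# OpenLDAP client configuration (constructed sample)
TLS_REQCERT never
TLS_CACERT /etc/certs/sandbox-ca-B64.cer
TLS_CACERTDIR /etc/certs
"""

# Ports on which an AD domain controller accepts LDAP over TLS.
AD_TLS_PORTS = {636: "LDAPS", 3269: "Global Catalog over TLS"}
# Plain-text counterparts: 389 (LDAP) and 3268 (Global Catalog).
AD_PLAIN_PORTS = {389: "LDAP", 3268: "Global Catalog"}


def parse_ldap_conf(text):
    """Return {KEY: value} for the non-comment lines of an ldap.conf."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0].upper()] = parts[1].strip()
    return settings


def looks_like_pem(data):
    """OpenSSL-backed OpenLDAP wants PEM for TLS_CACERT. A Windows
    'Base-64 encoded X.509 (.CER)' export is PEM; a 'DER encoded binary' one is not."""
    return (b"-----BEGIN CERTIFICATE-----" in data
            and b"-----END CERTIFICATE-----" in data)


def lint_tls_settings(settings, cacert_bytes=None):
    """Return a list of findings for the parsed settings; empty means nothing to flag.
    cacert_bytes is the content of the TLS_CACERT file, if the caller could read it."""
    findings = []
    # OpenLDAP's default is 'demand'; 'never' and 'allow' accept any certificate,
    # so the client cannot tell the real DC from an impersonating endpoint.
    reqcert = settings.get("TLS_REQCERT", "demand").lower()
    if reqcert in ("never", "allow"):
        findings.append(
            f"TLS_REQCERT {reqcert}: the server certificate is not verified; use 'demand'.")
    if "TLS_CACERT" not in settings and "TLS_CACERTDIR" not in settings:
        findings.append(
            "no TLS_CACERT or TLS_CACERTDIR: the domain CA cannot be verified.")
    if cacert_bytes is not None and not looks_like_pem(cacert_bytes):
        findings.append(
            "TLS_CACERT is not PEM: export the CA as Base-64 X.509 or convert it with "
            "'openssl x509 -inform der -in ca.cer -out ca.pem'.")
    return findings


def check_ldap_url(url):
    """Return a finding string for a scheme/port mismatch, or None if the URL is consistent.
    ldaps:// with no explicit port defaults to 636, ldap:// to 389."""
    parts = urlsplit(url)
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    if parts.scheme == "ldaps" and port not in AD_TLS_PORTS:
        return (f"{url}: ldaps:// to non-TLS port {port}; "
                "AD accepts TLS on 636 (LDAPS) or 3269 (Global Catalog).")
    if parts.scheme == "ldap" and port in AD_TLS_PORTS:
        return (f"{url}: plain ldap:// to TLS port {port}; "
                "use ldaps:// or the plain port 389/3268.")
    return None


if __name__ == "__main__":
    conf = parse_ldap_conf(SAMPLE_LDAP_CONF)
    # Constructed stand-in for a DER-encoded export (not PEM).
    for finding in lint_tls_settings(conf, cacert_bytes=b"\x30\x82\x03\x00"):
        print("ldap.conf:", finding)
    for url in ("ldaps://dc.example.test:3268", "ldaps://dc.example.test:3269"):
        print(url, "->", check_ldap_url(url) or "ok")
```

One caveat on the directory setting: with an OpenSSL-backed client, TLS_CACERTDIR is searched by hashed file name (the c_rehash layout), so a CA file simply copied into /etc/certs is only found through TLS_CACERT naming it directly. Once the CA is in PEM form and TLS_REQCERT is back at demand, a failure to connect to port 636 or 3269 is a certificate-chain or port problem rather than a silently accepted one.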