Comments on: LDAP Signing in AD Integration Situations http://blog.scottlowe.org/2008/03/17/ldap-signing-in-ad-integration-situations/ The weblog of an IT pro specializing in virtualization, storage, and servers Wed, 08 Feb 2012 17:13:47 +0000 hourly 1 http://wordpress.org/?v= By: steve http://blog.scottlowe.org/2008/03/17/ldap-signing-in-ad-integration-situations/comment-page-1/#comment-43096 steve Tue, 30 Dec 2008 15:54:36 +0000 http://blog.scottlowe.org/2008/03/17/ldap-signing-in-ad-integration-situations/#comment-43096 Scott, If AD is configured to use LDAP signing, you will need to configure Linux to do the LDAP bind over TLS. This means that you will need to setup the AD Domain Controller as a CA (or purchase server certs from Verisign), create a server certificate, export the certificate in p7b format, transfer the cert to the linux server directory /etc/ssl/certs, ensure the cert is world readable, modify /etc/ldap.conf to use TLS. /etc/ldap.conf mods: URI ldaps://ad-server-1 ldaps://ad-server-2 tls_cacertdir /etc/ssl/certs tls_cacertfile /etc/ssl/certs/ tls_reqcert never Note1: Use the openssl client to validate the certificate openssl s_client -connect :636 -CAfile /etc/ssl/certs/ Note2: Use ldapsearch to validate the bind over TLS Modify /etc/openldap/ldap.conf TLS_CACERTDIR /etc/ssl/certs TLS_CACERT /etc/ssl/certs/ TLS_REQCERT never Validate ldapsearch over TLS /usr/bin/ldapsearch -H ldaps:// -x -D $BINDDN -w $BINDPWD -b $BASE -s sub cn=* Scott,

If AD is configured to use LDAP signing, you will need to configure Linux to do the LDAP bind over TLS. This means that you will need to setup the AD Domain Controller as a CA (or purchase server certs from Verisign), create a server certificate, export the certificate in p7b format, transfer the cert to the linux server directory /etc/ssl/certs, ensure the cert is world readable, modify /etc/ldap.conf to use TLS.

/etc/ldap.conf mods:
URI ldaps://ad-server-1 ldaps://ad-server-2
tls_cacertdir /etc/ssl/certs
tls_cacertfile /etc/ssl/certs/
tls_reqcert never

Note1: Use the openssl client to validate the certificate
openssl s_client -connect :636 -CAfile /etc/ssl/certs/

Note2: Use ldapsearch to validate the bind over TLS
Modify /etc/openldap/ldap.conf
TLS_CACERTDIR /etc/ssl/certs
TLS_CACERT /etc/ssl/certs/
TLS_REQCERT never

Validate ldapsearch over TLS
/usr/bin/ldapsearch -H ldaps:// -x -D $BINDDN -w $BINDPWD -b $BASE -s sub cn=*

]]> By: Dan Jaap http://blog.scottlowe.org/2008/03/17/ldap-signing-in-ad-integration-situations/comment-page-1/#comment-42068 Dan Jaap Tue, 21 Oct 2008 19:38:38 +0000 http://blog.scottlowe.org/2008/03/17/ldap-signing-in-ad-integration-situations/#comment-42068 Hi Scott, ...more on my post from above. I tried everything that i could think of and decided that there were too many variables to even begin. so i isolated my issue to the linux side. I installed a new linux server with RHEL 4.4 (just in case RHEL 5 was the problem). I followed your steps exactly. I have the same behavior on my RHEL4 box as my RHEL 5 box.....kerberos works fine, but LDAP does not....the command 'getent passwd ldapBind' returns nothing and there is nothing in /var/log/messages either. So i ruled this out as a problem with the OS and decided to try to isolate the windows side. I installed and configured a new domain controller.....with all defaults. Then i reconfigured everything on the linux servers to point to the new domain......same results. i am totally at a loss. What's even more frustrating for me is that i have had this configuration working about a year ago in a test environment....i had to wipe out the test environment because my priorities were shifted to a different project....and of course i didn't document any of my steps. anyway, i could really use some suggestions..... do you think that this is an LDAP issue or do you think it is an Active Directory issue? DNS? Hi Scott,
…more on my post from above. I tried everything that i could think of and decided that there were too many variables to even begin. so i isolated my issue to the linux side. I installed a new linux server with RHEL 4.4 (just in case RHEL 5 was the problem). I followed your steps exactly. I have the same behavior on my RHEL4 box as my RHEL 5 box…..kerberos works fine, but LDAP does not….the command ‘getent passwd ldapBind’ returns nothing and there is nothing in /var/log/messages either. So i ruled this out as a problem with the OS and decided to try to isolate the windows side. I installed and configured a new domain controller…..with all defaults. Then i reconfigured everything on the linux servers to point to the new domain……same results. i am totally at a loss. What’s even more frustrating for me is that i have had this configuration working about a year ago in a test environment….i had to wipe out the test environment because my priorities were shifted to a different project….and of course i didn’t document any of my steps. anyway, i could really use some suggestions…..
do you think that this is an LDAP issue or do you think it is an Active Directory issue?
DNS?

]]> By: Dan Jaap http://blog.scottlowe.org/2008/03/17/ldap-signing-in-ad-integration-situations/comment-page-1/#comment-41992 Dan Jaap Fri, 17 Oct 2008 20:32:35 +0000 http://blog.scottlowe.org/2008/03/17/ldap-signing-in-ad-integration-situations/#comment-41992 Hi Scott, I really appreciate your blog....there is a lot of great info on it. I'm trying to implement AD authentication (Windows 2003 R2) with my RHEL 5.2 test box. I'm having this exact same issue....Kerberos works fine, but LDAP will not. I have verified (with group policy results wizard) that the Domain Controller: LDAP server signing requirement is set to "NONE". Any suggestions? Hi Scott,
I really appreciate your blog….there is a lot of great info on it.

I’m trying to implement AD authentication (Windows 2003 R2) with my RHEL 5.2 test box. I’m having this exact same issue….Kerberos works fine, but LDAP will not. I have verified (with group policy results wizard) that the Domain Controller: LDAP server signing requirement is set to “NONE”.

Any suggestions?

]]> By: slowe http://blog.scottlowe.org/2008/03/17/ldap-signing-in-ad-integration-situations/comment-page-1/#comment-36403 slowe Wed, 19 Mar 2008 02:28:19 +0000 http://blog.scottlowe.org/2008/03/17/ldap-signing-in-ad-integration-situations/#comment-36403 Ron, Sort of. That page does clearly state that requiring LDAP signing will break LDAP simple bind, which is what nss_ldap does from the UNIX/Linux side. So that page reinforces the behavior that Jeffrey was seeing--with LDAP signing turned on, the UNIX/Linux clients can't bind to LDAP and they don't work. Ron,

Sort of. That page does clearly state that requiring LDAP signing will break LDAP simple bind, which is what nss_ldap does from the UNIX/Linux side. So that page reinforces the behavior that Jeffrey was seeing–with LDAP signing turned on, the UNIX/Linux clients can’t bind to LDAP and they don’t work.

]]> By: Ron Terren http://blog.scottlowe.org/2008/03/17/ldap-signing-in-ad-integration-situations/comment-page-1/#comment-36398 Ron Terren Wed, 19 Mar 2008 01:04:32 +0000 http://blog.scottlowe.org/2008/03/17/ldap-signing-in-ad-integration-situations/#comment-36398 Scott, Is this at a all helpful? http://technet2.microsoft.com/windowsserver/en/library/56044016-3123-4859-8fd9-c5a461a1c5c81033.mspx?mfr=true Ron Scott,

Is this at a all helpful?

http://technet2.microsoft.com/windowsserver/en/library/56044016-3123-4859-8fd9-c5a461a1c5c81033.mspx?mfr=true

Ron

]]>