connect to LDAPS AD

Support for security such as Firewalls and securing linux
Post Reply
buromix
Posts: 1
Joined: 2018/04/26 12:18:26

connect to LDAPS AD

Post by buromix » 2018/04/26 12:25:41

What you need to connect to AD by means of LDAPS
ldapsearch -x -b 'dc=domen,dc=loc' '(objectclass=*)'
I get the error:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

ldap.conf:
-=-=-=-=-=-=-=
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE dc=domen,dc=loc
URI ldaps://dc.domen.loc:636

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never

#TLS_CACERTDIR /etc/pki/tls/certs
# /etc/openldap/certs

TLS_CACERT /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
TLS_REQCERT never

# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON on
-=-=-=-=-=-=

User avatar
TrevorH
Forum Moderator
Posts: 23669
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: connect to LDAPS AD

Post by TrevorH » 2018/04/26 16:44:20

Does AD listen on port 636 or do you need to talk to port 389 then issue a STARTTLS?
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

hunter86_bg
Posts: 1373
Joined: 2015/02/17 15:14:33
Location: Bulgaria
Contact:

Re: connect to LDAPS AD

Post by hunter86_bg » 2018/04/27 14:27:15

Could you give the output of

Code: Select all

 ls -lZ  /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
Also try using ssl to check if your CA is accepted.It should be something similar to this (check the man page for defining your CA file):
'openssl s_client -connect AD_FQDN:AD_PORT --ca-path-switch /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt'

It should say connected.

Edit:As far as I remmember ldap certs usually reside in '/etc/openldap/cacerts'

scottro
Forum Moderator
Posts: 2383
Joined: 2007/09/03 21:18:09
Location: NYC
Contact:

Re: connect to LDAPS AD

Post by scottro » 2018/04/27 15:00:37

On a recent install, though default ldap.conf (/etc/openldap/ldap.conf) pointed to /etc/openldap/cacerts, that directory was empty. /etc/openldap/certs had the default certs and switching ldap.conf to point to certs, rather than cacerts, fixed a moderately similar issue for me.
New users should check the FAQ and Read Me First pages

User avatar
TrevorH
Forum Moderator
Posts: 23669
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: connect to LDAPS AD

Post by TrevorH » 2018/04/27 15:18:04

If this is using a self-signed cert then /etc/openldap/certs needs to contain a symlink named after the hash of the cert pointing to the cert file: e.g.

Code: Select all

[root@myldap ~]# ls -la /etc/openldap/certs/
total 188
drwxr-xr-x. 2 root root  4096 Mar 22  2017 .
drwxr-xr-x. 6 root root  4096 Aug 31  2017 ..
lrwxrwxrwx. 1 root root    26 Nov 23  2012 102cda7a.0 -> /etc/openldap/certs/ca.crt
-rw-r--r--. 1 root root  2594 Nov 15  2012 ca.crt
The name of the symlink can be found by running /etc/pki/tls/misc/c_hash /etc/openldap/certs/ca.crt
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

Post Reply