Secure LDAP with Active Directory

Microsoft Active Directory Domain Controllers (DCs) support secure LDAP connections on TCP ports 636 (non-global queries) and 3269 (global-catalog queries).

If you have an active Enterprise Root Certificate Authority in your domain, it will sign the domain controller LDAP certificate automatically using the built-in Domain Controller template. All Domain Clients will automatically receive the Enterprise Root CA trust via Group Policy – no special settings should be needed to add this trust for Windows domain member systems using the Microsoft built-in certificate trust store.

I’m not sure how to do this with Windows command-line tools, but you can use the open-source OpenSSL commands to view the certificate and other SSL settings currently in use by your domain controller(s). Here is a sample to get you started testing your DC LDAP certificate from a client with openssl commands. This assumes a Linux-like bash shell environment, but you should be able to run similar tests from any general purpose command shell like PowerShell. Both OpenSSL and Bash are available for Windows with the Cygwin environment if you don’t have a Linux system handy.

# Change these variables to match your DC host and domain name
echo "Q" | openssl s_client -connect $MYFQDN:636  \
  | tee ~/${MYDC}_636.txt
echo "Q" | openssl s_client -connect $MYFQDN:3269 \
  | tee ~/${MYDC}_3269.txt
# The certificate and LDAP server SSL info should be listed in
# the output files ~/*.txt
# Here is some sample output for reference (OpenSSL 1.0.1).
cat ~/${MYDC}_3269.txt
# ================= BEGIN cat OUTPUT ================= 
Certificate chain
 0 s:/
Server certificate
Acceptable client certificate CA names
# ... CA's allowed to issue client certs for this connection ...
SSL handshake has read 4283 bytes and written 441 bytes
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: ...
    Master-Key: ...
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1454003841
    Timeout   : 300 (sec)
    Verify return code: ...
# ================= END cat OUTPUT ================= 
# Don't worry if the certificate is not verified by this command.
# That just means your OpenSSL command doesn't have a trust stored
# for the CA that signed your LDAP server cert.

Here are some related articles that might be helpful:

About notesbytom

Keeping technology notes on to free up my mind to solve new problems rather than figuring out the same ones repeatedly :-).
This entry was posted in System Administration and tagged , , , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s