How to do LDAPS queries from Linux to Active Directory

Post-publish follow-up:  I have now turned this into a multi-part series with additional tips and tricks.  Please see part 2, part 3, part 4, and part 5.

Active Directory (AD) is a fact of life.  There, I said it.  And as a predominantly Linux-based consultant, much of my job is often dancing around the periphery of the Microsoft world, making Linuxy things work with Windowsy things.  So, dance I shall…

Often I find myself in the position of setting up a Linux-based service (like an Apache-based service, for instance) that needs to make LDAP calls to somebody’s AD userbase.  And um… “…plaintext is bad, m’kay…?”

So setting up a Linux-based service to make LDAPS calls (that means encrypted LDAP, by the way) to an AD server has a kind-of strange “gotcha” at first, since AD itself is not actually set up out of the box to service LDAP over SSL/TLS correctly in the first place. You have to make it work before you can query it.

To that end, herein I will provide the steps necessary to get that encrypted LDAPS working on AD; and since this is a Linuxy blog, we’ll call to it and test it from my openSUSE laptop.  However, these are pretty standard commands that should work on any distro.  Let’s get to it…

First, you must get the AD Root CA cert.  If you’re like most people, the AD CA is a private/internal one (not a public one from a big-time vendor like Verisign, Thawte, etc.).

Verify/install the Certificate Server “Role” in AD on the DC if it is not there already.  If you have to install the role/service for the first time, a reboot will be necessary (mandatory actually, though it does not tell you) to cause the server certificate to be requested/generated/installed.  Then, you need to export the Root CA certificate.  Here’s how to do that:

  1. Click Start, Administrative Tools, Certification Authority
  2. Right-click on your CA, and select Properties
  3. In the CA Properties window, click on View Certificate
  4. In the Certificate window, click the Details tab and click Copy to File
  5. In the Certificate Export Wizard window, click Next
  6. Select Base-64 encoded X.509 (.CER), and click Next
  7. Enter the export name (e.g., c:\corpRootCa.cer), and click Next
  8. Click Finish
  9. Now copy the certificate to the Linux server using whatever method you please (samba share, filezilla, etc.), for example to /home/jpavlov/RootCerts/corpRootCa.cer

Second, you have to edit the ldap configuration file on your Linux box, so the ldapsearch tool knows how to behave:

vi /etc/openldap/ldap.conf

…and add this line to match where you stored the CA cert in step 9 above:

TLS_CACERT /home/jpavlov/RootCerts/corpRootCa.cer

…there are other lines/options you can add, but this is all you need to get it working.  Also, you can only have one active TLS_CACERT statement in the file at a time, so if you plan to use it with other CAs, make sure to comment the others out for now.

Third, make sure the LDAP server name is resolvable.  The hostname presented in the certificate subject must MATCH the name you use in the query; therefore, it obviously must be resolvable in order to work.  If you have all the relevant hostnames in DNS (as you might in a standard AD environment), you can move on to the next step.  For me, I’m not using DNS in this case, so I edit the hosts file.  For example:

vi /etc/hosts
10.1.2.3 dc01.corp.com

Finally, make the query!  Remember, I repeat, that the hostname you query *must* match the certificate subject. Here’s an example:

ldapsearch -x -H ldaps://dc01.corp.com -b dc=corp,dc=com -D "cn=Administrator,cn=Users,dc=corp,dc=com" -W "mail=*" mail

…and that should do it.  That’s enough to get you started.  But I think that in the coming weeks I’ll toss in a few more caveats and goodies about making LDAP/LDAPS calls to AD, since I can almost read your mind right now and anticipate the next questions you have, and the next limits/problems you’ll run into…

😉
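
A preflight for the client-side steps above, as an added example that is not from the original post: it checks that ldap.conf has exactly one active TLS_CACERT, that the exported file is the Base-64 form rather than DER, and that the URI names the server by hostname instead of IP. The function names are this example's own, and verify_ldaps assumes the openssl CLI is installed and that the DC listens on the standard LDAPS port 636.

```shell
# Added example: offline preflight for the LDAPS client setup in this post.
# All function names are this example's own, not OpenLDAP tools.

# Print the path from every active (uncommented) TLS_CACERT line.
active_cacerts() {
    awk 'toupper($1) == "TLS_CACERT" { print $2 }' "$1"
}

# Succeed if the export is Base-64 (PEM) text rather than binary DER.
is_pem() {
    grep -q '^-----BEGIN CERTIFICATE-----' "$1"
}

# Print the host part of an ldaps:// URI; fail for any other scheme.
ldaps_host() (
    case "$1" in
        ldaps://*) h=${1#ldaps://}; h=${h%%/*}; printf '%s\n' "${h%%:*}" ;;
        *) exit 1 ;;
    esac
)

# Succeed if the argument holds only digits and dots (an IPv4 literal).
is_ipv4() { case "$1" in ''|*[!0-9.]*) return 1 ;; esac; }

# Usage: preflight /etc/openldap/ldap.conf ldaps://dc01.corp.com
# Prints one line per problem; exit status is non-zero if any was found.
preflight() (
    conf=$1; uri=$2; rc=0
    n=$(active_cacerts "$conf" | awk 'END { print NR }')
    if [ "$n" -ne 1 ]; then
        echo "expected one active TLS_CACERT in $conf, found $n"; rc=1
    else
        ca=$(active_cacerts "$conf")
        if [ ! -r "$ca" ]; then echo "cannot read CA file $ca"; rc=1
        elif ! is_pem "$ca"; then echo "$ca is not a Base-64 export"; rc=1
        fi
    fi
    if ! host=$(ldaps_host "$uri"); then echo "$uri is not ldaps://"; rc=1
    elif is_ipv4 "$host"; then echo "use the certificate's name, not $host"; rc=1
    fi
    exit "$rc"
)

# Live check (needs network): validate the DC's chain and hostname match.
verify_ldaps() {
    openssl s_client -connect "$1:636" -CAfile "$2" \
        -verify_hostname "$1" -verify_return_error </dev/null
}
```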

1 Comment

  1. Jethro Bodine

    This works great!
