Post-publish follow-up: I have now turned this into a multi-part series with additional tips and tricks. Please see part 2, part 3, part 4, and part 5.
Active Directory (AD) is a fact of life. There, I said it. And as a predominantly Linux-based consultant, much of my job is often dancing around the periphery of the Microsoft world, making Linuxy things work with Windowsy things. So, dance I shall…
Often I find myself in the position of setting up a Linux-based service (like an Apache-based service, for instance) that needs to make LDAP calls to somebody’s AD userbase. And um… “…plaintext is bad, m’kay…?”
Setting up a Linux-based service to make LDAPS calls (that is, LDAP over SSL/TLS, normally on TCP 636) to an AD server has a kind-of strange “gotcha” at first: out of the box a domain controller only serves plaintext LDAP on TCP 389, and it will not listen for LDAPS at all until it has a server-authentication certificate installed. You have to make it work before you can query it.
To that end, herein I will provide the steps necessary to get encrypted LDAPS working on AD; and since this is a Linuxy blog, we’ll call to it and test it from my openSUSE laptop. However, these are pretty standard commands that should work on any distro. Let’s get to it….
First, you must get the AD Root CA cert. If you’re like most people, the AD CA is a private/internal one (not a public one from a big-time vendor like Verisign, Thawte, etc.).
Verify/install the Certificate Server role (Active Directory Certificate Services) on the DC if it is not there already. If you have to install the role for the first time, a reboot is necessary (mandatory actually, though the wizard does not tell you) so that the DC’s own server certificate gets requested, generated and installed; without that certificate the DC never starts listening on 636. Then you need to export the Root CA certificate. Here’s how to do that:
- Click Start, Administrative Tools, Certification Authority
- Right-click on your CA, and select Properties
- In the CA Properties window, click on View Certificate
- In the Certificate window, click the Details tab and click Copy to File
- In the Certificate Export Wizard window, click Next
- Select Base-64 encoded X.509 (.CER), and click Next
- Enter the export name (e.g., c:\corpRootCa.cer), and click Next
- Click Finish
- Now copy the certificate to the Linux server using whatever method you please (samba share, filezilla, etc.), for example to /home/jpavlov/RootCerts/corpRootCa.cer
Second, you have to edit the ldap configuration file on your Linux box, so the ldapsearch tool knows how to behave:
vi /etc/openldap/ldap.conf
…and add this line, pointing at wherever you stored the CA cert in the last step above:
TLS_CACERT /home/jpavlov/RootCerts/corpRootCa.cer
…there are other lines/options you can add, but this is all you need to get it working. Note that only one TLS_CACERT statement is honoured at a time, so if you already have one for another CA, comment it out for now. The file it points at may contain several PEM certificates concatenated together, and OpenLDAP will trust all of them, so that is the way to handle multiple CAs later; if your DC’s certificate was issued by a subordinate CA rather than the root, put the whole chain in that file. Leave TLS_REQCERT at its default (demand): setting it to never makes ldapsearch “work” by silently skipping certificate verification, which defeats the purpose.
Third, make sure the LDAP server name is resolvable. The name you use in the query must MATCH a DNS name in the DC’s certificate (its Subject Alternative Name, or failing that the CN); therefore it obviously must be resolvable in order to work, and querying by IP address will fail the certificate check even though the connection itself succeeds. If you have all the relevant hostnames in DNS (as you would in a standard AD environment), you can move on to the next step. For me, I’m not using DNS in this case, so I edit the hosts file. For example:
vi /etc/hosts
10.1.2.3 dc01.corp.com
Finally, make the query! Remember, I repeat, that the hostname you query *must* match a name in the certificate. Here’s an example: -x asks for a simple bind (the password travels over the wire, which is exactly why this has to be LDAPS and not plain LDAP), -W prompts for that password instead of putting it on the command line, and the last two arguments are the search filter and the attribute to return.
ldapsearch -x -H ldaps://dc01.corp.com -b dc=corp,dc=com -D "cn=Administrator,cn=Users,dc=corp,dc=com" -W "mail=*" mail
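As an added example (not part of the original post), the whole procedure above condensed into a small pre-flight script: it checks that the exported file really is a CA certificate, verifies a server certificate against it together with the hostname check that ldapsearch does implicitly, prints the ldap.conf lines, and in “live” mode fetches the DC’s certificate over TLS and runs the same ldapsearch. The names dc01.corp.com, corp.com, corpRootCa.cer and the bind DN are taken from the post; make_lab_pki builds a throwaway root and server certificate that stand in for the real AD CA so the checks can be exercised offline.

```shell
#!/bin/sh
# Added example: pre-flight checks for LDAPS against AD, using only openssl
# and ldapsearch. Hostnames, paths and the bind DN are the post's examples.

# 1. Is the exported .cer file a PEM-encoded CA certificate at all?
#    (A common mistake is exporting the DC's server cert instead of the root.)
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# 2. Does the server certificate chain to that CA AND carry the name we are
#    going to put in ldaps://...?  This is the check libldap performs with
#    TLS_REQCERT demand, and the reason a query by IP address fails.
#    $1 = CA file (the TLS_CACERT path), $2 = server cert PEM, $3 = hostname
verify_server_cert() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# 3. Fetch the DC's certificate over TLS on 636 (network only; not run by the
#    tests).  $1 = DC hostname, $2 = output PEM path
fetch_dc_cert() {
    openssl s_client -connect "$1:636" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -out "$2"
}

# 4. The two lines that belong in /etc/openldap/ldap.conf for a given CA file.
ldap_conf_snippet() {
    printf 'TLS_CACERT %s\nTLS_REQCERT demand\n' "$1"
}

# Lab stand-in for the exported AD CA (constructed, not a real DC): a throwaway
# root "corpRootCa.cer" plus a server certificate whose SAN is dc01.corp.com.
make_lab_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=corp-CA' \
        -keyout "$dir/ca.key" -out "$dir/corpRootCa.cer" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=dc01.corp.com' \
        -keyout "$dir/dc01.key" -out "$dir/dc01.csr" 2>/dev/null
    printf 'subjectAltName=DNS:dc01.corp.com\nextendedKeyUsage=serverAuth\n' \
        > "$dir/dc01.ext"
    openssl x509 -req -in "$dir/dc01.csr" -CA "$dir/corpRootCa.cer" \
        -CAkey "$dir/ca.key" -CAcreateserial -days 1 \
        -extfile "$dir/dc01.ext" -out "$dir/dc01.pem" 2>/dev/null
}

# Live usage against a real DC:
#   sh ldaps_check.sh live dc01.corp.com /home/jpavlov/RootCerts/corpRootCa.cer
case "${1:-}" in
    live)
        host=$2; ca=$3
        tmp=$(mktemp -d)
        is_ca_cert "$ca" || { echo "$ca is not a CA certificate"; exit 1; }
        fetch_dc_cert "$host" "$tmp/dc.pem"
        verify_server_cert "$ca" "$tmp/dc.pem" "$host" \
            || { echo "certificate of $host does not verify against $ca"; exit 1; }
        echo "TLS checks passed; ldap.conf needs:"; ldap_conf_snippet "$ca"
        ldapsearch -x -H "ldaps://$host" -b dc=corp,dc=com \
            -D "cn=Administrator,cn=Users,dc=corp,dc=com" -W "(mail=*)" mail
        rm -rf "$tmp"
        ;;
esac
```

If the openssl verify step fails with a hostname mismatch, fix the name you query (or the certificate), not TLS_REQCERT; if it fails with an unknown issuer, the DC’s certificate was issued by a CA that is not in the file you exported, so export the issuing CA (and any intermediates) as well.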
…and that should do it. That’s enough to get you started. But I think that in the coming weeks I’ll toss in a few more caveats and goodies about making LDAP/LDAPS calls to AD, since I can almost read your mind right now and anticipate the next questions you have, and the next limits/problems you’ll run into…
😉
This works great!
I just wanted you to know this was very helpful to me.
Hello! You really did good work explaining how to do it!
Thanks – saved me a lot of time!
Good information, but I think you made a big assumption that I have access to log in to an AD DC server. Most organizations that I have seen will not let folks log in to a DC. Is there some other way to obtain the Root CA?
@Joe – Not to sound cheeky… But I can’t imagine a (legitimate) scenario where you’d need to do LDAPS queries against a directory without IT department involvement. If you are not on the IT department staff directly, I’d recommend you make a request (help desk ticket etc.) for it.
Thanks it worked!