{"id":635,"date":"2010-09-06T03:11:47","date_gmt":"2010-09-06T08:11:47","guid":{"rendered":"http:\/\/yourLinuxGuy.com\/?p=635"},"modified":"2010-10-23T22:43:49","modified_gmt":"2010-10-24T03:43:49","slug":"how-to-do-ldaps-queries-from-linux-to-active-directory","status":"publish","type":"post","link":"https:\/\/yourLinuxGuy.com\/?p=635","title":{"rendered":"How to do LDAPS queries from Linux to Active Directory"},"content":{"rendered":"<p><em>Post-publish follow-up:\u00a0 I have now turned this into a multi-part series with additional tips and tricks.\u00a0 Please see <a title=\"http:\/\/yourlinuxguy.com\/?p=649\" href=\"http:\/\/yourlinuxguy.com\/?p=649\" target=\"_blank\">part 2<\/a>, <a title=\"http:\/\/yourlinuxguy.com\/?p=659\" href=\"http:\/\/yourlinuxguy.com\/?p=659\" target=\"_blank\">part 3<\/a>, <a title=\"http:\/\/yourlinuxguy.com\/?p=661\" href=\"http:\/\/yourlinuxguy.com\/?p=661\" target=\"_blank\">part 4<\/a>, and <a title=\"http:\/\/yourlinuxguy.com\/?p=663\" href=\"http:\/\/yourlinuxguy.com\/?p=663\" target=\"_blank\">part 5<\/a>.<\/em><\/p>\n<p>Active Directory (AD) is a fact of life.\u00a0 There, I said it.\u00a0 And as a predominantly Linux-based consultant, much of my job is often dancing around the periphery of the Microsoft world, making <em>Linuxy<\/em> things work with <em>Windowsy<\/em> things.\u00a0 So, dance I shall&#8230;<\/p>\n<p>Often I find myself in the position of setting up a Linux-based service (like an Apache-based service, for instance) that needs to make LDAP calls to somebody&#8217;s AD userbase.\u00a0 And um&#8230; &#8220;&#8230;plaintext is bad, m&#8217;kay&#8230;?&#8221;<\/p>\n<p>So setting up a Linux-based service to make LDAPS calls (that means encrypted LDAP, by the way) to an AD server has a kind of strange &#8220;gotcha&#8221; at first, since AD itself is not actually set up out of the box to service LDAP over SSL\/TLS correctly in the first place.  You have to make it work before you can query it.<\/p>\n<p>To that end, herein I will provide the steps necessary to get that encrypted LDAPS working on AD; and since this is a <em>Linuxy<\/em> blog, we&#8217;ll call to it and test it from my openSUSE laptop.\u00a0 However, these are pretty standard commands that should work on any distro.\u00a0 Let&#8217;s get to it&#8230;<\/p>\n<p>First, you must get the AD Root CA cert.\u00a0 If you&#8217;re like most people, the AD CA is a private\/internal one (not a public one from a big-time vendor like Verisign, Thawte, etc.).<\/p>\n<p>Verify\/install the Certificate Server &#8220;Role&#8221; in AD on the DC if it is not there already.\u00a0 If you have to install the role\/service for the first time, a reboot will be necessary (mandatory actually, though it does not tell you) to cause the server certificate to be requested\/generated\/installed.\u00a0 Then, you need to export the Root CA certificate.\u00a0 Here&#8217;s how to do that:<\/p>\n<ol>\n<li>Click Start, Administrative Tools, Certification Authority<\/li>\n<li>Right-click on your CA, and select Properties<\/li>\n<li>In the CA Properties window, click on View Certificate<\/li>\n<li>In the Certificate window, click the Details tab and click Copy to File<\/li>\n<li>In the Certificate Export Wizard window, click Next<\/li>\n<li>Select Base-64 encoded X.509 (.CER), and click Next<\/li>\n<li>Enter the export name (e.g., c:\\corpRootCa.cer), and click Next<\/li>\n<li>Click Finish<\/li>\n<li>Now copy the certificate to the Linux server using whatever method you please (samba share, filezilla, etc.), for example to <code>\/home\/jpavlov\/RootCerts\/corpRootCa.cer<\/code><\/li>\n<\/ol>\n<p>Second, you have to edit the OpenLDAP client configuration file on your Linux box, so the ldapsearch tool knows how to behave:<\/p>\n<pre><code>vi \/etc\/openldap\/ldap.conf<\/code><\/pre>\n<p>&#8230;and add this line to match where you stored the CA cert in step 9 above:<\/p>\n<pre><code>TLS_CACERT \/home\/jpavlov\/RootCerts\/corpRootCa.cer<\/code><\/pre>\n<p>&#8230;there are other lines\/options you can add, but this is all you need to get it working.\u00a0 Also, you can only have one active <code>TLS_CACERT<\/code> statement in the file at a time, so if you plan to use it with other CAs, make sure to comment the others out for now.<\/p>\n<p>Third, make sure the LDAP server name is resolvable.\u00a0 The hostname presented in the server certificate&#8217;s subject must MATCH the name you use in the query; therefore, it obviously must be resolvable in order to work.\u00a0 If you have all the relevant hostnames in DNS (as you might in a standard AD environment), you can move on to the next step.\u00a0 For me, I&#8217;m not using DNS in this case, so I edit the hosts file.\u00a0 For example:<\/p>\n<pre><code>vi \/etc\/hosts\r\n10.1.2.3 dc01.corp.com<\/code><\/pre>\n<p>Finally, make the query!\u00a0 Remember, <em>I repeat<\/em>, that the hostname you query *must* match the certificate subject.  Here&#8217;s an example:<\/p>\n<pre><code>ldapsearch -x -H ldaps:\/\/dc01.corp.com -b dc=corp,dc=com -D \"cn=Administrator,cn=Users,dc=corp,dc=com\" -W \"mail=*\" mail<\/code><\/pre>\n<p>&#8230;and that should do it.\u00a0 That&#8217;s enough to get you started.\u00a0 But I think that in the coming weeks I&#8217;ll toss in a few more caveats and goodies about making LDAP\/LDAPS calls to AD, since I can almost read your mind right now and anticipate the next questions you have, and the next limits\/problems you&#8217;ll run into&#8230;<\/p>\n<p>\ud83d\ude09<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Post-publish follow-up:\u00a0 I have now turned this into a multi-part series with additional tips and tricks.\u00a0 Please see part 2, part 3, part 4, and part 5. Active Directory (AD) is a fact of life.\u00a0 There, I said it.\u00a0 And&#8230;<br \/><a class=\"read-more-button\" href=\"https:\/\/yourLinuxGuy.com\/?p=635\">Read more<\/a><\/p>\n","protected":false},"author":5,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[12,99,47],"tags":[],"class_list":["post-635","post","type-post","status-publish","format-standard","hentry","category-advanced","category-ldapsearch","category-linuxgeneral"],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/pnjn1-af","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/yourLinuxGuy.com\/index.php?rest_route=\/wp\/v2\/posts\/635","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/yourLinuxGuy.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/yourLinuxGuy.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/yourLinuxGuy.com\/index.php?rest_route=\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/yourLinuxGuy.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=635"}],"version-history":[{"count":11,"href":"https:\/\/yourLinuxGuy.com\/index.php?rest_route=\/wp\/v2\/posts\/635\/revisions"}],"predecessor-version":[{"id":651,"href":"https:\/\/yourLinuxGuy.com\/index.php?rest_route=\/wp\/v2\/posts\/635\/revisions\/651"}],"wp:attachment":[{"href":"https:\/\/yourLinuxGuy.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=635"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/yourLinuxGuy.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=635"},{"taxonomy":"post_tag","embeddable":true,"href"
:"https:\/\/yourLinuxGuy.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=635"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}