Secure LDAP in an Active Directory Environment

By default, an Active Directory domain controller does not offer working LDAP over SSL: connections to the LDAPS port (636) only succeed once a suitable server certificate is installed in the domain controller's machine certificate store. To set up secure LDAP using SSL, both sides need to be configured: the LDAP Server needs a server certificate, and the LDAP Client needs to trust the authority that issued it. In this case, the LDAP Server is the domain controller running Active Directory. The LDAP Client is the UMRA software, either the UMRA Console application or the UMRA Service.

The certificates required to run secure LDAP using SSL can be configured in many ways. The concept is always the same:

1. The Active Directory domain controller uses a special certificate that is issued by a trusted certification authority.
2. The UMRA software (computer) trusts the certification authority that issued the certificate to the Active Directory domain controller.

Creating the certificate listed in step 1 requires a special procedure, described in Microsoft Knowledge Base article Q321051. This document uses and describes the same steps. The procedure to set up a Certification Authority is described as well.

First, a certificate request is created. Next, a Certification Authority (CA) is set up and the certificate request is signed, i.e. the certificate is issued by the certification authority. Finally, the root certificate of the certification authority is exported and then imported on the computer that runs the UMRA software.

The environment used in this procedure runs Active Directory on Windows 2003 Standard Edition. For Windows 2000, a similar procedure can be used. The Certification Authority is installed on a Windows 2003 domain controller. For other versions, the procedure might differ.

Creating an Active Directory domain controller certificate request

Log on to the domain controller

This topic follows the guidelines of article Q321051. Log on to the domain controller (LDAP Server) with an enterprise administrator account.

To create the certificate request, the certreq.exe program is used. The certreq.exe program is part of the Windows installation and requires a text input file (an INF file) that describes the key and the extensions to request.

With your favorite ASCII editor (notepad.exe?), create a file with the following contents:

[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=king.tools4ever.local3"
; replace with the FQDN of the DC
KeySpec = 1
; 1 = AT_KEYEXCHANGE, the key type SChannel needs for RSA key exchange
KeyLength = 2048
; Can be 1024, 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance. 1024 is no
; longer considered adequate; use 2048 or more.
Exportable = TRUE
; TRUE allows the DC's private key to be exported later;
; set it to FALSE unless you need to move the key.
MachineKeySet = TRUE
; store the key in the machine store, not in a user profile
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
; 0x80 (digital signature) + 0x20 (key encipherment)

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
; Server Authentication

In the file, the entry regarding the subject,

Subject = "CN=king.tools4ever.local3"

must be changed to contain the fully qualified domain name of the Active Directory domain controller that is going to support secure LDAP. LDAP clients compare this name with the name they connect to, so use exactly the name the clients will use. Example:

Subject = "CN=OtherServer.mydomain.com"

Save the file as ldapcert.inf. From a command prompt, create the request file with certreq.exe:

certreq -new ldapcert.inf ldapcert.req

A new file is now created: ldapcert.req. This is the base64 encoded request file and it contains something like this:

-----BEGIN NEW CERTIFICATE REQUEST-----
MIIELDCCAxQCAQAwITEfMB0GA1UEAxMWa2luZy50b29sczRldmVyLmxvY2FsMzCC...
-----END NEW CERTIFICATE REQUEST-----

On Linux, an equivalent certificate signing request can be created with openssl:

openssl req -new -key sftp1-ldap.key > sftp1-ldap-tls.csr

NOTE: sftp1-ldap.key is an RSA private key generated for this purpose with the command: openssl genrsa 2048 > sftp1-ldap.key. When prompted for the subject, enter the fully qualified domain name of the domain controller as the Common Name. Keep in mind that the private key belonging to the request must end up in the domain controller's machine certificate store: certreq -accept (used later in this procedure) only works for requests created on the domain controller itself, so a key generated elsewhere has to be imported on the domain controller together with the issued certificate, for example as a PKCS#12 (PFX) file.

Creating a Certification Authority

Log on to the computer that runs the Certification Authority

In this example, the Certification Authority is installed on another domain controller running Windows 2003. For other configurations, refer to the Microsoft documentation for more information on how to set up a Certification Authority.

Log on to the computer with enterprise administrator access rights. Select Start, Control Panel, Add or Remove Programs. Click the button Add/Remove Windows Components and select the entry Certificate Services.

Figure 45: Installation of Certificates Services on a Windows 2003 domain controller.

Click Next. When asked, select the option to create a Stand-alone root CA. Unlike an enterprise CA, a stand-alone CA does not publish its root certificate to Active Directory, which is why the root certificate is imported by hand on each computer later in this procedure.

Figure 46: Selection of Certification Authority: Stand-alone root CA.

Follow the wizard instructions and specify the name of the Certification Authority.

Figure 47: Specification of the Certification Authority identification information.

Follow the instructions of the wizard. When finished, the certification authority is installed.

Sign the certificate request by the Certification Authority

In this step, the Certification Authority converts the certificate request into a real certificate by signing it, i.e. issuing the certificate.

Click Start, All Programs, Administrative Tools, Certification Authority. The MMC shows the Certification Authority snap-in. Select the Certification Authority and select menu option All tasks, Submit new request….

Browse to the file that contains the certificate request, ldapcert.req, and submit the request. If the computer that runs the LDAP Server and the computer that runs the Certification Authority are not connected, you need to use a diskette or memory stick to transfer the file.

The request is now processed by the Certification Authority. When ready, the request can be selected from the section Pending Requests.

Figure 48: Issue the submitted certification request.

Select menu option Issue to accept the request. The certificate is then stored in the section Issued Certificates. Select the certificate from the section Issued Certificates and select menu option Open.

Figure 49: Result certificate, issued by the Certification Authority.

Click on the Details tab and select the button Copy to File… to export the certificate to a file. Follow the wizard instructions. When asked, select the format Base-64 encoded binary X.509 (.CER). For the name of the file, select ldapcert.cer. Complete the wizard.

Before the certificate can be installed on the domain controller, the root certificate of the Certification Authority must be installed on the domain controller.

Exporting the root certificate of the Certification Authority

To export the root certificate, select Certification Authority and select menu option Properties.

Figure 50: Export the root certificate of the Certification Authority.

Click View Certificate, select Details and click on the button Copy to File to export the root certificate of the Certification Authority. For the name of the file, enter LdapRootCA.cer.

Importing the root certificate of the Certification Authority

Log on to the domain controller

On the domain controller that runs Active Directory, you need to install both the root certificate of the Certification Authority and the created certificate.

Log on to the domain controller as an enterprise administrator and start the MMC. (Start, Run, mmc). Add the Certificates snap-in (File, Add/Remove snap-in, click Add and select Certificates). Select the option to manage certificates for the Computer account of the Local Computer.

Navigate to the certificates item Trusted Root Certification Authorities, Certificates and select menu option All Tasks, Import.

Figure 51: Import the root certificate of the Certification Authority on the Active Directory domain controller.

Follow the wizard instructions and import the root certificate file LdapRootCA.cer.

When finished, the root certificate of the Certification Authority is installed on the domain controller.

Importing the LDAP Server certificate

Finally, on the domain controller that runs Active Directory, you need to accept the certificate issued by the Certification Authority. From a command prompt, navigate to the directory that contains the certificate ldapcert.cer and issue the following command:

certreq -accept ldapcert.cer

The certificate is now installed and paired with the private key that certreq -new created. To verify the installation, start the MMC and open the snap-in that manages the certificates on the local computer. In the tree, browse to the location Certificates (Local Computer), Personal, Certificates. A certificate issued to the domain controller should exist.

Figure 52: Verification of the purpose of the certificate.

Select the certificate and choose menu option Properties. The Certificate purposes should show Server Authentication. Also open the certificate: the General tab should state that you have a private key that corresponds to this certificate. Without the private key, the domain controller cannot use the certificate for secure LDAP.

To finish the configuration on the domain controller, restart the domain controller so that it picks up the new certificate.

Setting up the UMRA (LDAP Client) computer

The computer that runs the UMRA software needs to have the root certificate of the Certification Authority installed. To do so, repeat the steps of topic Importing the root certificate of the Certification Authority, but this time, import the certificate on the computer that runs the UMRA software. The LDAP Server certificate itself is not needed on the client.

Verifying the secure LDAP (LDAPS) connection

The secure LDAP connection can be tested with UMRA or with the Active Directory administration tool LDP.EXE, which is part of the Windows Support Tools (on Windows 2003).

Start LDP.EXE from a command prompt in the Windows Support Tools directory. Select menu option Connection, Connect.

Figure 53: Test the LDAP SSL connection using LDP.EXE from the Windows Support Tools.

Specify the name of the LDAP Server (the same fully qualified domain name that is in the subject of the certificate), the default SSL port 636, and check the option SSL.

Press OK. When the connection is established successfully, the window shows the connection information. If the name does not match the certificate, or the issuing Certification Authority is not trusted on the client, LDP.EXE reports an error instead of the connection information.

Figure 54: Connection information when a successful connection is established.
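The procedure above, carried out end to end with openssl instead of certreq.exe and the Certificate Services snap-in, as an added example (this script is not part of the original page or of UMRA). It builds a throw-away stand-alone root CA in a scratch directory, requests a certificate with the same key usage (0xa0) and enhanced key usage (Server Authentication) as ldapcert.inf, issues it, and then runs the checks that correspond to "Certificate purposes should show Server Authentication" and to the LDP.EXE test: chain validation against the exported root certificate, suitability as a TLS server certificate, and a name match against the domain controller FQDN. It also issues a certificate with only Client Authentication to show what the purpose check rejects. Assumptions: openssl 1.1.1 or later on PATH; the DC name king.tools4ever.local3 is the page's example; the CA name "LDAP Root CA", the file names in the scratch directory, and the optional command-line arguments are made up for this demo.

```shell
#!/bin/sh
# Added example: the Q321051 steps done with openssl in a scratch directory.
# Nothing here touches a real domain controller.
# Usage: sh ldaps-pki-demo.sh                    (build + check the scratch PKI)
#        sh ldaps-pki-demo.sh DC-FQDN LdapRootCA.cer   (also probe a real DC, hypothetical args)

# openssl config mirroring ldapcert.inf: [ldap_ext] asks for the same extensions
# (KeyUsage 0xa0 = digitalSignature 0x80 + keyEncipherment 0x20; OID
# 1.3.6.1.5.5.7.3.1 = serverAuth). [wrong_ext] is a deliberately wrong purpose
# used to show the negative case. [ca_ext] marks the stand-alone root as a CA.
write_pki_config() {   # $1 = dir, $2 = DC FQDN
    cat > "$1/ldapcert.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
req_extensions = ldap_ext
[ dn ]
CN = $2
[ ldap_ext ]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ wrong_ext ]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Step 1: 2048-bit RSA key + PKCS#10 request (the "certreq -new" step).
make_dc_request() {    # $1 = dir
    openssl genrsa -out "$1/ldapcert.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/ldapcert.key" -config "$1/ldapcert.cnf" \
        -out "$1/ldapcert.req"
}

# Step 2: a self-signed stand-alone root CA (the Certificate Services install).
make_root_ca() {       # $1 = dir
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=LDAP Root CA" -config "$1/ldapcert.cnf" -extensions ca_ext \
        -keyout "$1/LdapRootCA.key" -out "$1/LdapRootCA.cer" 2>/dev/null
}

# Step 3: the CA signs the request ("Submit new request" / "Issue").
# "x509 -req" does not copy extensions from the CSR by default; the CA decides
# what goes into the issued certificate, just like the Windows CA does.
issue_cert() {         # $1 = dir, $2 = extension section, $3 = output file
    openssl x509 -req -in "$1/ldapcert.req" -CA "$1/LdapRootCA.cer" \
        -CAkey "$1/LdapRootCA.key" -CAcreateserial -days 825 \
        -extfile "$1/ldapcert.cnf" -extensions "$2" -out "$3" 2>/dev/null
}

# Step 4: the check behind "Certificate purposes should show Server
# Authentication": chains to the root, usable as a TLS server certificate,
# and the subject name matches the FQDN the clients will connect to.
check_dc_cert() {      # $1 = root CA file, $2 = cert file, $3 = DC FQDN
    openssl verify -CAfile "$1" -purpose sslserver -verify_hostname "$3" "$2" \
        >/dev/null 2>&1
}

# Step 5: the LDP.EXE test from a non-Windows client. Returns 0 only if the TLS
# handshake on port 636 completes with the chain verified against the exported
# root certificate and the name verified against the DC FQDN.
ldaps_probe() {        # $1 = DC FQDN, $2 = root CA file
    openssl s_client -connect "$1:636" -servername "$1" -verify_hostname "$1" \
        -CAfile "$2" -verify_return_error </dev/null >/dev/null 2>&1
}

# Whole pipeline: returns 0 if the properly issued cert passes check_dc_cert
# and the client-auth-only cert is rejected by it.
demo_pki() {           # $1 = dir, $2 = DC FQDN
    write_pki_config "$1" "$2" &&
    make_dc_request "$1" && make_root_ca "$1" &&
    issue_cert "$1" ldap_ext "$1/ldapcert.cer" &&
    issue_cert "$1" wrong_ext "$1/wrong.cer" &&
    check_dc_cert "$1/LdapRootCA.cer" "$1/ldapcert.cer" "$2" &&
    ! check_dc_cert "$1/LdapRootCA.cer" "$1/wrong.cer" "$2"
}

work=$(mktemp -d)
demo_pki "$work" king.tools4ever.local3 && echo "scratch PKI built and checked in $work"
if [ $# -ge 2 ]; then
    ldaps_probe "$1" "$2" && echo "LDAPS on $1 verified against $2"
fi
```

Run without arguments, the script only exercises the scratch PKI; with a domain controller name and the LdapRootCA.cer exported from the real CA as arguments, ldaps_probe performs the same check LDP.EXE does. The probe fails, as it should, when the name given does not match the certificate subject or when the root certificate is not the one that issued the domain controller's certificate.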