Linux – Configure CentOS 6.8 client joined to Active Directory to use LDAPS

Tags: active-directory, certificate, ldap, linux, security

I'm struggling to find a simple explanation on how to configure a CentOS 6.8 machine to use LDAPS to query Active Directory running on a Windows 2012 R2 Domain Controller.

I've joined the Linux client to the domain and I've configured the Domain Controller as a Certification Authority. From the DC I can use LDP and connect to localhost on port 636. So I believe the DC should support LDAPS at this point.

On the client I've generated a certificate using:
openssl req -nodes -newkey rsa:2048 -keyout domain.key -out domain.csr

So it generated those two files. From what I understand I need to send a request from the client to the DC to enroll the client with the CA. I have no idea how to do this. I believe once I've accomplished this I should be able to use ldapsearch to query Active Directory from the client.

So effectively, how do I configure the client to talk to the DC using a trusted certificate?

Best Answer

So I've been able to figure out how to do this finally.

The first task to get this working was to get the Domain Controller configured as a Certification Authority. To do this I followed this video: https://www.youtube.com/watch?v=JFPa_uY8NhY

After I was able to connect to AD on port 636 I had to configure openldap on the CentOS machine to use that port. I figured if I could get ldapsearch to query AD on port 636 then the final step would be to get tac_plus to do the same. To configure openldap all I had to do was edit the /etc/openldap/ldap.conf file.

I modified three fields: BASE, URI, and added the line "TLS_REQCERT allow".

The BASE field was important to get correct. It must be in the proper format and point to where your user accounts are found in AD. Mine was: "CN=users, DC=ent, DC=local".

The URI field was also important to get correct. I used the fully qualified domain name for the server and port number. It ended up being: "ldaps://dc1-ent.ent.local:636".

The "TLS_REQCERT allow" line allows the CentOS machine to request a certificate from the Domain Controller as part of the process of establishing a session with the server. This is similar to how SSH implements its key exchange algorithm when establishing an SSH session with a remote host.

Then I used the following ldapsearch command to verify it works:

ldapsearch -x -H ldaps://dc1-ent.ent.local:636 -D "myusername@ent.local" -W -b "CN=users, DC=ent, DC=local" -s sub "(objectclass=*)" -d1

The -d1 option in the command above allows verbose debug output so I could see the exchange of the server's public key to be used to encrypt the session.

All worked from there on out. I was able to use Wireshark to capture the traffic and confirm that an encrypted TLS session was established at the time of authentication. I believe this method of authenticating with AD is known as PEAP. I have not bothered to get EAP-TLS or EAP-TTLS working.
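A practitioner reading the answer above should know what "TLS_REQCERT allow" actually does: per ldap.conf(5), with `allow` the client requests the server certificate but proceeds even when none is presented or when it fails to verify, so the session is encrypted but the identity of the Domain Controller is never checked. For LDAPS the client needs no key pair or CSR of its own; it needs the AD CA's root certificate as a trust anchor and `TLS_REQCERT demand` (the default when the directive is absent). The script below is an added example, not code from the original question or answer: it emits the weak ldap.conf the answer describes beside a hardened one, and includes a small audit function that flags the weak setting in any ldap.conf fed to it. It assumes the CA root has been exported from the DC (for example with `certutil -ca.cert`) and copied to `/etc/openldap/certs/ad-root-ca.pem`; that path, and the `ad_search` wrapper, are assumptions, while the BASE and URI values are the ones from the answer.

```shell
#!/bin/bash
# Added example, not part of the original post. Compares the weak ldap.conf
# from the answer with a hardened one and audits an ldap.conf for server
# certificate verification. Paths below are assumptions.

AD_BASE="CN=Users,DC=ent,DC=local"
AD_URI="ldaps://dc1-ent.ent.local:636"
AD_CA_PEM="/etc/openldap/certs/ad-root-ca.pem"   # assumed location of the exported AD CA root

# The configuration the answer describes. "allow" means a missing or bad
# server certificate is ignored: the session is encrypted but unauthenticated.
weak_ldap_conf() {
    printf 'BASE %s\nURI %s\nTLS_REQCERT allow\n' "$AD_BASE" "$AD_URI"
}

# Hardened configuration: the DC's certificate must chain to the AD CA root,
# otherwise the connection is refused.
hardened_ldap_conf() {
    printf 'BASE %s\nURI %s\nTLS_CACERT %s\nTLS_REQCERT demand\n' \
        "$AD_BASE" "$AD_URI" "$AD_CA_PEM"
}

# Audit an ldap.conf read from stdin. Returns 0 when the server certificate is
# verified (TLS_REQCERT demand or hard, plus a TLS_CACERT or TLS_CACERTDIR trust
# anchor), 1 otherwise. Directive names are case-insensitive, as in ldap.conf.
audit_ldap_conf() {
    local reqcert="demand"    # ldap.conf(5) default when the directive is absent
    local cacert=""
    local key value
    while read -r key value; do
        case "$(printf '%s' "$key" | tr '[:lower:]' '[:upper:]')" in
            TLS_REQCERT) reqcert=$(printf '%s' "$value" | tr '[:upper:]' '[:lower:]') ;;
            TLS_CACERT|TLS_CACERTDIR) cacert="$value" ;;
        esac
    done
    case "$reqcert" in
        demand|hard)
            if [ -n "$cacert" ]; then
                echo "OK: server certificate is verified (TLS_REQCERT $reqcert, trust anchor $cacert)"
                return 0
            fi
            echo "WEAK: TLS_REQCERT $reqcert but no TLS_CACERT/TLS_CACERTDIR; verification fails unless the AD CA is in the default store"
            return 1 ;;
        *)
            echo "WEAK: TLS_REQCERT $reqcert does not verify the server certificate; the DC's identity is unchecked"
            return 1 ;;
    esac
}

# Assumed wrapper around the answer's query. -H takes the ldaps:// URI; -h/-p
# take a bare host and port, and -ZZ requests StartTLS, which belongs on port 389.
ad_search() {
    ldapsearch -x -H "$AD_URI" -D "$1" -W -b "$AD_BASE" -s sub "${2:-(objectClass=*)}"
}

# Run with --demo to print both configurations and their audit results.
if [ "${1:-}" = "--demo" ]; then
    echo "--- weak ---";     weak_ldap_conf;     weak_ldap_conf | audit_ldap_conf
    echo "--- hardened ---"; hardened_ldap_conf; hardened_ldap_conf | audit_ldap_conf
fi
```

To check the machine's live configuration, run `audit_ldap_conf < /etc/openldap/ldap.conf`. On CentOS 6 the OpenLDAP client libraries are built against NSS, so instead of a PEM file you may point `TLS_CACERTDIR` at an NSS certificate database such as the default `/etc/openldap/certs`; the audit treats either directive as a trust anchor.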