Linux – ldap is working but not ldaps correctly

centos7ldaplinux

I'm a little lost with ldapsearch…
I have to configure a cloud with AD authentication.

this is working well

 ldapsearch -h server -p 389 -x -D 'admin.test' -w 'xxx' -b 'cn=admin.test,cn=users,dc=domain,dc=com'

But i want to make some security and so i try ldaps.

This is working :

> ldapsearch -H ldaps://server -x -D 'admin.test' -w 'xxx' -b 'cn=admin.test,cn=users,dc=domain,dc=com'

And this too :

> ldapsearch -H ldaps://server:636 -x -D 'admin.test' -w 'xxx' -b 'cn=admin.test,cn=users,dc=domain,dc=com'

But this doesn't work.

ldapsearch -h server -p 636 -x -D 'admin.test' -w 'xxx' -b 'cn=admin.test,cn=users,dc=domain,dc=com' -v
ldap_initialize( ldap://srv-dc01.get.com:636 )
ldap_result: Can't contact LDAP server (-1)

I don't know what's going on. And the cloud want an URL and not an URI.
Other question, is it possible to block ldap and let ldaps working?

OS : Linux CentOS 7 with selinux Enforced
DC is on server 2008 R2.

Thank you very much.
Regards,
Alexandre

Best Answer

UPDATE:

From this page it appears that

The fully-qualified domain name is always required with the -h option. This prevents man-in-the-middle attacks.

and that:

Although using the ldaps protocol is supported, it is deprecated.

More, from man ldapsearch:

-h: Specify an alternate host on which the ldap server is running. Deprecated in favor of -H.

To allow only secure connections, have a look here, or another easy solution is an iptable rule:

iptables -A OUTPUT -p tcp --dport 389 -j DROP
iptables -A INPUT  -p tcp --destination-port 389  -j DROP

Related Solutions

Ldap – Apache+LDAP auth on Ubuntu says “Can’t contact LDAP server” while ldapsearch is perfect

You need to tell Apache to trust the LDAP server's certificate.

See this.

ldapsearch (and other ldap* binaries) are from the OpenLDAP toolkit. The reason ldapsearch works (and Apache doesn't) is that the previous sysadmin must have placed the certificate the LDAP server is using (or the CA certificate that issued the LDAP server's certificate) into the location the OpenLDAP tools look for certs - generally this is /etc/openldap/cacerts, but it is somewhat distro-dependent.

Go look in that directory.

Once you've found the right certificate, use the mod_ldap directive (see here) to point to it. Place this directive before your LDAP configuration. For example:

If it's the LDAP server's client certificate:

LDAPTrustedGlobalCert CERT_BASE64 /etc/openldap/cacerts/ldap-server.pem

If it's the certificate of the CA that signed the LDAP server's certificate:

LDAPTrustedGlobalCert CERT_CA /etc/openldap/cacerts/ldap-cacert.pem

Use the OpenSSL command line tool to inspect the certificate to determine which it is:

openssl x509 -in /path/to/cert.pem -noout -text

Ssl – LDAPS being redirected to 389

I would start by verifying the certificate as follows.

How to troubleshoot LDAP over SSL connection problems
http://support.microsoft.com/kb/938703

Step 1: Verify the Server Authentication certificate

Make sure that the Server Authentication certificate that you use meets the following requirements:

The Active Directory fully qualified domain name of the domain controller appears in one of the following locations:
- The common name (CN) in the Subject field
- The Subject Alternative Name (SAN) extension in the DNS entry
  - The enhanced key usage extension includes the Server Authentication object identifier (1.3.6.1.5.5.7.3.1).
  - The associated private key is available on the domain controller. To verify that the key is available, use the certutil -verifykeys command.
  - The certificate chain is valid on the client computer. To determine whether the certificate is valid, follow these steps:
    1. On the domain controller, use the Certificates snap-in to export the SSL certificate to a file that is named Serverssl.cer.
    2. Copy the Serverssl.cer file to the client computer.
    3. On the client computer, open a Command Prompt window.
    4. At the command prompt, type the following command to send the command output to a file that is named Output.txt:
  certutil -v -urlfetch -verify serverssl.cer > output.txt
  Open the Output.txt file, and then search for errors.

Step 2: Verify the Client Authentication certificate

In some cases, LDAPS uses a Client Authentication certificate if it is available on the client computer. If such a certificate is available, make sure that the certificate meets the following requirements:

The enhanced key usage extension includes the Client Authentication object identifier (1.3.6.1.5.5.7.3.2).
The associated private key is available on the client computer. To verify that the key is available, use the certutil -verifykeys command.
The certificate chain is valid on the domain controller. To determine whether the certificate is valid, follow these steps:
1. On the client computer, use the Certificates snap-in to export the SSL certificate to a file that is named Clientssl.cer.
2. Copy the Clientssl.cer file to the server.
3. On the server, open a Command Prompt window.
4. At the command prompt, type the following command to send the command output to a file that is named Outputclient.txt:
  
  certutil -v -urlfetch -verify serverssl.cer > outputclient.txt
  Open the Outputclient.txt file, and then search for errors.

Step 3: Check for multiple SSL certificates

Determine whether multiple SSL certificates meet the requirements that are described in step 1. Schannel (the Microsoft SSL provider) selects the first valid certificate that Schannel finds in the Local Computer store. If multiple valid certificates are available in the Local Computer store, Schannel may not select the correct certificate. A conflict with a certification authority (CA) certificate may occur if the CA is installed on a domain controller that you are trying to access through LDAPS.

Step 4: Verify the LDAPS connection on the server
Use the Ldp.exe tool on the domain controller to try to connect to the server by using port 636. If you cannot connect to the server by using port 636, see the errors that Ldp.exe generates. Also, view the Event Viewer logs to find errors. For more information about how to use Ldp.exe to connect to port 636, click the following article number to view the article in the Microsoft Knowledge Base:

321051 How to enable LDAP over SSL with a third-party certification authority
http://support.microsoft.com/kb/321051

Step 5: Enable Schannel logging
Enable Schannel event logging on the server and on the client computer. For more information about how to enable Schannel event logging, click the following article number to view the article in the Microsoft Knowledge Base:

260729 How to enable Schannel event logging in IIS
http://support.microsoft.com/kb/260729

Best Answer

Related Solutions

Ldap – Apache+LDAP auth on Ubuntu says “Can’t contact LDAP server” while ldapsearch is perfect

Ssl – LDAPS being redirected to 389

Related Topic