OpenLDAP 2.4 and Server 2008 SP2 and R2

Question: We have a couple of web servers that use OpenLDAP 2.4.19 to query AD and to reset specific domain account passwords (remote vendors and reps). I recently upgraded our last 2003 DC to 2k8 R2 and this LDAP querying broke.

I've got a guy in that location who's still testing/poking around in there. But can anyone tell me if there might have been changes in '08 that could've caused this that weren't present in '03?

OpenLDAP complains specifically about "Unable to start TLS: Connect Error"

Spelunking on my own earlier, I thought that maybe I should install the LDP role, which I did. I also installed a CA and made sure all the DCs have DC certs, which they do now.
Ben Hart Asked:

Ben Hart (Author) Commented:
Extra comment here. I've been googling for hours now trying to find instructions on requesting an SSL certificate from the CA for this particular domain controller that is specified in the OpenLDAP config. I'm having little to no luck. I found a MSFT KB with a cut-paste of the request.inf file; however, trying to certreq it kicks back complaining about a lack of a cert template. Tried adding CertificateTemplate = Web Server to the bottom of the inf and it bombs out saying it can't find that template even though the actual template does exist.

Does your Active Directory domain environment contain a certificate server?
I believe you would need a template that includes one for a domain controller, as it seems you need to have LDAPS (port 636, LDAP over SSL) to function.

Once a DC has a certificate in the computer certificate container that can handle domain controller, then after a reboot (or restart of LDAP/AD services) it should start using the certificate and answer on 636. (Exchange 2007/2010 has self-signed certs by default; I do not believe Windows 2008 uses or has any self-signed certs by default.)

Softerra LDAP Browser is a great LDAP browser that can test an SSL connection.
I would test a connection to port 389 (unsecured LDAP) and see if that works;
then test a secure connection. If that doesn't work, get a cert and make sure the firewall is open.

Hope this helps.
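The two-step check the answer describes (plain LDAP on 389 first, then a TLS connection verified against the CA you installed), as an added stdlib-only Python example that is not part of the question or the answer. It speaks the StartTLS extended operation that OpenLDAP uses on 389; the host name, port and CA file are assumptions, and the sample replies are constructed, not captured from a real DC.

```python
import socket, ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 4511 StartTLS extended operation

def _tlv(tag: int, body: bytes) -> bytes:
    """BER tag-length-value, definite length (short or long form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _read_tlv(buf: bytes, i: int = 0):       # -> (tag, body, next_offset)
    tag, ln, i = buf[i], buf[i + 1], i + 2
    if ln & 0x80:                            # long-form length
        nb = ln & 0x7F
        ln, i = int.from_bytes(buf[i:i + nb], "big"), i + nb
    return tag, buf[i:i + ln], i + ln

def build_starttls_request(msg_id: int = 1) -> bytes:
    # LDAPMessage { messageID INTEGER, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }
    ext_req = _tlv(0x77, _tlv(0x80, STARTTLS_OID))
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + ext_req)   # msg_id < 128 assumed

def parse_ldap_result_code(msg: bytes) -> int:
    """resultCode of an LDAPResult-style reply, e.g. ExtendedResponse [APPLICATION 24] = 0x78."""
    tag, body, _ = _read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, _, i = _read_tlv(body)                # skip messageID
    _, op_body, _ = _read_tlv(body, i)       # protocolOp
    rc_tag, rc, _ = _read_tlv(op_body)
    if rc_tag != 0x0A:                       # ENUMERATED resultCode
        raise ValueError("protocolOp carries no resultCode")
    return int.from_bytes(rc, "big")

# Constructed sample replies (not captured from a real DC): success (0) and unwillingToPerform (53)
SAMPLE_STARTTLS_OK = bytes.fromhex("30 0c 02 01 01 78 07 0a 01 00 04 00 04 00")
SAMPLE_STARTTLS_REFUSED = bytes.fromhex("30 0c 02 01 01 78 07 0a 01 35 04 00 04 00")

def check_ldap_tls(host: str, port: int = 389, cafile=None, timeout: float = 5.0) -> dict:
    """Step 1: plain LDAP TCP connect on 389; step 2: StartTLS, verifying the DC cert against cafile."""
    ctx = ssl.create_default_context(cafile=cafile)   # chain and hostname verification stay on
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_starttls_request())
        rc = parse_ldap_result_code(s.recv(4096))
        if rc != 0:                                   # e.g. 53: DC has no usable server cert yet
            return {"tcp": True, "starttls_result": rc, "tls": False}
        try:
            with ctx.wrap_socket(s, server_hostname=host) as tls:
                return {"tcp": True, "starttls_result": 0, "tls": True,
                        "cipher": tls.cipher()[0], "not_after": tls.getpeercert().get("notAfter")}
        except ssl.SSLError as e:   # handshake/verification failure: the usual cause of "Connect Error"
            return {"tcp": True, "starttls_result": 0, "tls": False, "error": str(e)}
```

Run `check_ldap_tls("dc1.example.local", cafile="ca-root.pem")` from the web server (both values assumed): a result of 53 means the DC answered on 389 but refused StartTLS, while an `error` key means it offered TLS but its certificate did not verify against the CA root you gave it.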

Ben Hart (Author) Commented:
Wow, I suck. I apologize, I had forgotten all about this question. Got sidetracked onto a Fortigate project, ugh. Thank you for your response.