stonneway asked:
LDAP over SSL and Windows 2008
Hi Chaps,
I'm trying to set up LDAP over SSL on a Windows 2008 AD server so that we can securely use LDAP to authenticate with our web servers.
However all the instructions that I have found refer to using your own CA on another server. I want to use a 3rd party SSL cert.
Does anyone know where I can get instructions? Specifically I need to know how to create the SSL request and then import the certificate. The Certificate Enrollment wizard just reports "Certificate types are not available" so I'm guessing that I shouldn't be using that.
Olly
ASKER
Thanks. I've just been told that LDAPS won't work externally as the SSL cert *HAS* to be in the name of the local FQDN (that is, server.mydomain.local). What we then need is something like MS TMG to do SSL redirection and sit on the edge of our internal network.
Can anyone confirm this?
Olly
You have to use the DC's FQDN, so LDAPS traffic will only work inside your domain.
A TMG or ISA server that is a domain member in a DMZ (just in front of the web servers) would probably make life easier.
ASKER CERTIFIED SOLUTION
Technically the name should match - for anything else that uses certs that is the case. However, for LDAPS I have seen very few clients that actually pay attention to the name - usually they just need to trust the root cert that issued the server cert, about 50/50 for CRL checking. You can get a commercial cert (can probably use a free trusted cert from startcom.org, else try godaddy) for your commercial .com, etc., namespace for a dummy servername (e.g. ldaps.yourdomain.com) and that should do the trick.
Few mail servers seem to care either (I note with approval that recent versions of Exchange DO care, but only if told to).
I guess it depends on the target usage - if the contacting server doesn't care, save yourself the cash and trouble and just generate your own self-signed SAN cert using http://sourceforge.net/projects/xca
If it DOES care, either use a SAN certificate or front it using TMG/ISA.
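Putting the SAN approach from this answer into practice, as an added example that is not part of the thread: the script below writes a certreq INF whose Subject is the DC's own FQDN (the requirement in KB 321051 for the DC to pick the certificate up for LDAPS) and whose Subject Alternative Name also carries the external name that outside clients will connect to, generates the CSR for a third-party CA, and installs the issued certificate into the Local Computer store. The host names dc1.mydomain.local and ldaps.example.com and the C:\Certs paths are assumed placeholders; substitute your own.

```powershell
# Added example, not the thread's own code. Builds an LDAPS certificate request
# for a Windows 2008 DC with a SAN covering the internal DC FQDN and an external
# name, then installs the certificate returned by a third-party CA.
# Assumed values: dc1.mydomain.local, ldaps.example.com, C:\Certs\*.

$InternalFqdn = "dc1.mydomain.local"   # must be the DC's own FQDN (KB 321051)
$ExternalName = "ldaps.example.com"    # assumed name for external clients
$Inf = "C:\Certs\ldaps.inf"
$Req = "C:\Certs\ldaps.req"
$Cer = "C:\Certs\ldaps.cer"            # certificate file returned by the CA

@"
[NewRequest]
Subject = "CN=$InternalFqdn"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
SMIME = FALSE

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$InternalFqdn&"
_continue_ = "dns=$ExternalName"
"@ | Set-Content -Path $Inf -Encoding ASCII

# 1. Create the CSR; the private key is generated in the Local Computer store
#    (MachineKeySet) and cannot be exported (Exportable = FALSE).
certreq -new $Inf $Req

# 2. Submit $Req to the third-party CA out of band and save the issued
#    certificate as $Cer.

# 3. Bind the issued certificate to the pending request and its private key.
certreq -accept $Cer

# 4. Check that the chain builds to a trusted root and that revocation
#    information is reachable (the "50/50 CRL checking" point above).
certutil -verify -urlfetch $Cer
```

Key points in the INF: KeyUsage 0xA0 is Digital Signature plus Key Encipherment, and the EKU OID 1.3.6.1.5.5.7.3.1 is Server Authentication; both are required before the DC will use the certificate on port 636. Once the certificate is in the Local Computer Personal store the DC picks it up without a separate binding step; a connection test with ldp.exe on port 636 with SSL ticked confirms it. Whether external clients accept the certificate still depends on their resolving the external SAN name and trusting the issuing root, as the answer above notes.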
http://technet.microsoft.com/en-us/library/cc725793(WS.10).aspx
How to use a 3rd-party certificate:
http://support.microsoft.com/kb/321051