Solved

Securing LDAP between httpd and Microsoft 2008 R2 Active Directory

Posted on 2013-10-22
548 Views
Last Modified: 2013-10-22
I have a Linux RHEL 6 webserver we have set up to host multiple websites for our organization. The server is a virtual machine, and exists on a hosted cloud. We also have, as one of the virtual machines in the cloud, a replicated domain controller with Active Directory. One of the websites we host is for employees only, and is secured by an LDAP connection to the Active Directory server we have in the cloud.

I have this working fine, but I can't figure out how to secure the LDAP connection. Right now it's plain text, but I want it to be over SSL or TLS.

What I have done so far is tried exporting a certificate key from the AD server, and I also tried one of our certificates from our local certificate authority. I've placed the crt on the Linux machine, and then placed a string in the httpd.conf that points to the crt. I've added an s to ldap:// so it looks like ldaps://, and I've tried it on the 686 port for SSL, and also leaving it on the 389 port. The ports are open from what I can tell using telnet and speaking with our cloud hosting provider (making sure the firewalls are not blocking anything).

So regular LDAP works fine as it is configured, but I'm missing something about securing it. I'm not familiar with encryption and certificates, and my IT director isn't sure either... and it's just the two of us.

Can someone help me figure this all out?

Here is what the httpd.conf looks like:


    AuthType Basic
    AuthName "Secure Employee Portal"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://adserver.cloudcompany.net/ou=User Accounts,dc=mydomain,dc=local?sAMAccountName?sub?(objectClass=*)"
    AuthLDAPBindDN "CN=webserver ldap,OU=Users (Service Accounts),DC=mydomain,DC=local"
    AuthLDAPBindPassword binduserpassword
    Require valid-user



Let me know how I can help make this clearer as well. The real bottom line issue here is that I do not know how to set up this LDAP connection so it is secure. I think everything is there for the taking, but all the stuff I find online either doesn't work, or is not related to what I'm trying to do. If you can point me to a clear resource on how to get this going, that would be great. If you're familiar with this sort of thing and can talk me through it a little at a time, I would greatly appreciate it. Thank you!
Question by:dchevalier
3 Comments
Accepted Solution

by:
gurutc earned 500 total points
ID: 39591457
This link has your answer:

http://pvradu.blogspot.com/2011/06/apache-22-ldaps-authentication-in.html

There's cert setup, httpd.conf setup, and virtual hosts setup involved.

Good Luck,

- gurutc
Author Closing Comment

by:dchevalier
ID: 39591897
I needed to modify this a little because ldap.conf isn't in my /etc directory, but instead exists in the /etc/openldap/ directory. Also, I used the cert that was generated from my domain's certificate authority, under client authorization and trusted root certification. These two elements I had to figure out. My LDAP strings in the httpd.conf are a little different than what was shown in the configuration from that link, but it works nonetheless. Thanks gurutc for sharing that link - made my day.
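The question asks for the httpd.conf changes that turn the working plain-text `ldap://` block into an LDAPS connection, and the closing comment adds that the CA certificate from the domain's own certificate authority is what made it work. The following is an added example written for this page; it is not the configuration from the linked blog post or from either poster. It assumes Apache 2.2 on RHEL 6 with mod_ldap and mod_authnz_ldap loaded, reuses the hostname and DNs from the question, uses the standard AD LDAPS port 636, and uses a placeholder CA certificate path (`/etc/pki/tls/certs/mydomain-local-ca.crt`) that you must replace with wherever you stored the exported CA certificate.

```apache
# Added example (not from the original post): LDAPS settings for
# mod_ldap / mod_authnz_ldap on Apache 2.2. Paths are placeholders.

# --- server-wide (httpd.conf, outside any <Directory>/<Location>) ---
# Trust the CA that issued the domain controller's certificate. Point at the
# CA certificate, not the DC's own certificate, so the trust survives a DC
# certificate renewal. Must be a PEM/Base64 file, hence CA_BASE64.
LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/certs/mydomain-local-ca.crt

# Reject the connection if the DC certificate does not chain to that CA or
# its name does not match the host in AuthLDAPURL (this is also the default,
# stated explicitly so nobody turns it off "to make it work").
LDAPVerifyServerCert On

# --- the employee-only site ---
<Location /employees>
    AuthType Basic
    AuthName "Secure Employee Portal"
    AuthBasicProvider ldap

    # ldaps:// on 636 (AD's LDAPS port). The hostname must be the FQDN that
    # appears in the DC certificate's subject or SAN, never an IP address,
    # or LDAPVerifyServerCert will (correctly) refuse the connection.
    AuthLDAPURL "ldaps://adserver.cloudcompany.net:636/ou=User Accounts,dc=mydomain,dc=local?sAMAccountName?sub?(objectClass=*)"

    # Alternative if only 389 is reachable: keep ldap:// and ask for
    # STARTTLS on the same port. Use one form or the other, not both.
    # AuthLDAPURL "ldap://adserver.cloudcompany.net:389/ou=User Accounts,dc=mydomain,dc=local?sAMAccountName?sub?(objectClass=*)" TLS

    AuthLDAPBindDN "CN=webserver ldap,OU=Users (Service Accounts),DC=mydomain,DC=local"
    AuthLDAPBindPassword binduserpassword
    Require valid-user
</Location>
```

Two things outside httpd.conf matter as well. The OpenLDAP client library Apache links against reads `/etc/openldap/ldap.conf` on RHEL 6 (the location the closing comment mentions), so add `TLS_CACERT /etc/pki/tls/certs/mydomain-local-ca.crt` and `TLS_REQCERT demand` there too, otherwise the library may trust nothing or everything regardless of the Apache directives. And because the bind password sits in cleartext in httpd.conf, keep that file readable only by root; Apache reads it before dropping privileges. To confirm the certificate chain before touching Apache, `openssl s_client -connect adserver.cloudcompany.net:636 -CAfile /etc/pki/tls/certs/mydomain-local-ca.crt` should end with `Verify return code: 0 (ok)`; if it does not, no Apache setting will fix it and the CA file or the DC certificate is the problem.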
Author Comment

by:dchevalier
ID: 39592184
This stopped working about an hour or so after I had proclaimed victory. I'm just updating this in case this solved conclusion was a false positive. I'll keep this updated.

EDIT 1: Started working again when I commented out these:

    #LDAPSharedCacheSize 500000
    #LDAPCacheEntries 128
    #LDAPCacheTTL 60
    #LDAPOpCacheEntries 128
    #LDAPOpCacheTTL 60
    #LDAPConnectionTimeout 10
