Solved

LDAPS - Multiple DC's/CA's

Posted on 2014-04-13
3
228 Views
Last Modified: 2014-04-28
Hi guys,

I'm just starting to configure Identity Management for UNIX so that the Unix users can be controlled from the Windows 2012 AD environment.

These are new Unix servers, so there are currently no users on them that need mapping.

Anyway, I want to use LDAPS for authentication but trying to work out how the SSL cert will work.

We have 4x Domain Controllers which has had the 'Identity Management for UNIX ' component installed. Let's call them DC1, DC2, DC3 & DC4.

We have 2x CA's. CA1 is root, CA2 is subordinate.

The Server Authentication Certificate on DC1 has been issued by CA2, whereas the certificate on DC2, DC3 & DC4 have been issued by CA1.

They are all set to expire sometime in October 2014.

If I want to configure LDAPS on the Unix hosts so they can use 2-4 of the DC's for authentication, do I need to export the SSL cert from each of them? What will happen if the DC's change CA's in October when they renew? (Is that possible/probable?)
0
Comment
Question by:lltc78
  • 2
3 Comments
 
LVL 3

Accepted Solution

by:
aces4all00 earned 500 total points
ID: 39998034
Are these standalone or enterprise (AD Integrated) CAs?

Either way it doesn't really matter which CA issues the certificates as long as they're part of the same PKI domain (they share the same root CA)

The IBM Redbook "Integrating AIX into Heterogeneous LDAP Environments" should help quite a bit.  The sections dealing with MS AD start around page 217.  It's centered around AIX 5.3L but you should be able to adapt for your Unix version.  It can be downloaded at http://publib-b.boulder.ibm.com/abstracts/sg247165.html?Open
0
 

Author Comment

by:lltc78
ID: 39998395
Just a quick question.
Does this even need LDAP for authentication or does it use Kerberos for that and LDAP for searches only?
0
 
LVL 3

Expert Comment

by:aces4all00
ID: 39998431
You can configure it to work either way or to try Kerberos first then fault to ldap for auth
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Ever needed a SQL 2008 Database replicated/mirrored/log shipped on another server but you can't take the downtime inflicted by initial snapshot or disconnect while T-logs are restored or mirror applied? You can use SQL Server Initialize from Backup…
Last week, our Skyport webinar on “How to secure your Active Directory” (https://www.experts-exchange.com/videos/5810/Webinar-Is-Your-Active-Directory-as-Secure-as-You-Think.html?cid=Gene_Skyport) provided 218 attendees with a step-by-step guide for…
In this Micro Tutorial viewers will learn how to use Windows Server Backup to create full image of their system. Tutorial shows how to install Windows Server Backup Feature on Windows 2012R2 and how to configure scheduled Bare Metal Recovery backup.…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

821 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question