Solved

LDAPS - Multiple DC's/CA's

Posted on 2014-04-13
3
235 Views
Last Modified: 2014-04-28
Hi guys,

I'm just starting to configure Identity Management for UNIX so that the Unix users can be controlled from the Windows 2012 AD environment.

These are new Unix servers, so there are currently no users on them that need mapping.

Anyway, I want to use LDAPS for authentication but trying to work out how the SSL cert will work.

We have 4x Domain Controllers which has had the 'Identity Management for UNIX ' component installed. Let's call them DC1, DC2, DC3 & DC4.

We have 2x CA's. CA1 is root, CA2 is subordinate.

The Server Authentication Certificate on DC1 has been issued by CA2, whereas the certificate on DC2, DC3 & DC4 have been issued by CA1.

They are all set to expire sometime in October 2014.

If I want to configure LDAPS on the Unix hosts so they can use 2-4 of the DC's for authentication, do I need to export the SSL cert from each of them? What will happen if the DC's change CA's in October when they renew? (Is that possible/probable?)
0
Comment
Question by:lltc78
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 3

Accepted Solution

by:
aces4all00 earned 500 total points
ID: 39998034
Are these standalone or enterprise (AD Integrated) CAs?

Either way it doesn't really matter which CA issues the certificates as long as they're part of the same PKI domain (they share the same root CA)

The IBM Redbook "Integrating AIX into Heterogeneous LDAP Environments" should help quite a bit.  The sections dealing with MS AD start around page 217.  It's centered around AIX 5.3L but you should be able to adapt for your Unix version.  It can be downloaded at http://publib-b.boulder.ibm.com/abstracts/sg247165.html?Open
0
 

Author Comment

by:lltc78
ID: 39998395
Just a quick question.
Does this even need LDAP for authentication or does it use Kerberos for that and LDAP for searches only?
0
 
LVL 3

Expert Comment

by:aces4all00
ID: 39998431
You can configure it to work either way or to try Kerberos first then fault to ldap for auth
0

Featured Post

Optimize your web performance

What's in the eBook?
- Full list of reasons for poor performance
- Ultimate measures to speed things up
- Primary web monitoring types
- KPIs you should be monitoring in order to increase your ROI

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A company’s centralized system that manages user data, security, and distributed resources is often a focus of criminal attention. Active Directory (AD) is no exception. In truth, it’s even more likely to be targeted due to the number of companies …
Uncontrolled local administrators groups within any organization pose a huge security risk. Because these groups are locally managed it becomes difficult to audit and maintain them.
In this Micro Tutorial viewers will learn how to use Windows Server Backup to create full image of their system. Tutorial shows how to install Windows Server Backup Feature on Windows 2012R2 and how to configure scheduled Bare Metal Recovery backup.…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

630 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question