LDAPS - Multiple DC's/CA's

Posted on 2014-04-13
Last Modified: 2014-04-28
Hi guys,

I'm just starting to configure Identity Management for UNIX so that the Unix users can be controlled from the Windows 2012 AD environment.

These are new Unix servers, so there are currently no users on them that need mapping.

Anyway, I want to use LDAPS for authentication but trying to work out how the SSL cert will work.

We have 4x Domain Controllers which have had the 'Identity Management for UNIX' component installed. Let's call them DC1, DC2, DC3 & DC4.

We have 2x CAs. CA1 is root, CA2 is subordinate.

The Server Authentication Certificate on DC1 has been issued by CA2, whereas the certificates on DC2, DC3 & DC4 have been issued by CA1.

They are all set to expire sometime in October 2014.

If I want to configure LDAPS on the Unix hosts so they can use 2-4 of the DC's for authentication, do I need to export the SSL cert from each of them? What will happen if the DC's change CA's in October when they renew? (Is that possible/probable?)
Question by: lltc78

3 Comments

Accepted Solution
by: aces4all00 (earned 500 total points)
ID: 39998034
Are these standalone or enterprise (AD Integrated) CAs?

Either way it doesn't really matter which CA issues the certificates as long as they're part of the same PKI domain (they share the same root CA).

The IBM Redbook "Integrating AIX into Heterogeneous LDAP Environments" should help quite a bit.  The sections dealing with MS AD start around page 217.  It's centered around AIX 5.3L but you should be able to adapt for your Unix version.  It can be downloaded at http://publib-b.boulder.ibm.com/abstracts/sg247165.html?Open

Author Comment
by: lltc78
ID: 39998395
Just a quick question.
Does this even need LDAP for authentication or does it use Kerberos for that and LDAP for searches only?

Expert Comment
by: aces4all00
ID: 39998431
You can configure it to work either way, or to try Kerberos first and then fall back to LDAP for auth.
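An added example, not part of the thread and not anything the poster or the expert ran, that works through both answers above: the accepted solution (what matters is the shared root CA, not which CA signed each DC's certificate) and the follow-up (Kerberos for authentication, LDAP over TLS for identity lookups). It builds a throwaway PKI with the same shape as the question's (CA1 root, CA2 subordinate, DC1 issued by CA2, DC2 to DC4 issued by CA1), checks each DC certificate against different trust files with openssl exactly as a Unix LDAPS client would, reissues DC2 from the other CA to stand in for the October renewal, and prints an sssd.conf that uses LDAPS for identity and Kerberos for authentication. Assumptions: openssl 1.1.1 or newer on PATH; the hosts dcN.example.com, the realm EXAMPLE.COM, the base DN and the CA-file path are placeholders; the sssd option names are sssd's own but the values are illustrative.

```shell
#!/bin/sh
# Added example, not from the thread: a throwaway PKI shaped like the one in the
# question, checked with openssl the way a Unix LDAPS client checks a DC's chain.
# Assumed: openssl 1.1.1+ on PATH; dcN.example.com / example.com are placeholders.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
DAYS=2   # short-lived test certs
# Minimal req config so the example does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' >"$WORK/req.cnf"

# Key + CSR for $1, signed by CA $2, with the X.509 extensions in $3 (\n-separated).
issue() {
  name=$1 issuer=$2 ext=$3
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" -subj "/CN=$name" \
      -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  printf '%b\n' "$ext" >"$WORK/$name.ext"
  openssl x509 -req -days "$DAYS" -in "$WORK/$name.csr" \
      -CA "$WORK/$issuer.pem" -CAkey "$WORK/$issuer.key" -CAcreateserial \
      -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
}

CA_EXT='basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign'
# Server-authentication extensions for DC $1 (the SAN is what the client matches).
dc_ext() { printf '%s' "basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:$1.example.com"; }

build_pki() {
  # CA1: self-signed root
  openssl req -x509 -newkey rsa:2048 -nodes -days "$DAYS" -config "$WORK/req.cnf" -subj "/CN=CA1" \
      -addext "basicConstraints=critical,CA:TRUE" \
      -addext "keyUsage=critical,keyCertSign,cRLSign" \
      -keyout "$WORK/ca1.key" -out "$WORK/ca1.pem" 2>/dev/null
  issue ca2 ca1 "$CA_EXT"                    # CA2: subordinate, issued by CA1
  issue dc1 ca2 "$(dc_ext dc1)"              # DC1 from the subordinate
  for dc in dc2 dc3 dc4; do                  # DC2-DC4 straight from the root
    issue "$dc" ca1 "$(dc_ext "$dc")"
  done
  # What the Unix hosts install as their LDAP CA file: root plus subordinate,
  # never the DCs' own certificates (those are the ones that expire in October).
  cat "$WORK/ca1.pem" "$WORK/ca2.pem" >"$WORK/ad-ca-bundle.pem"
}

# 0 if $2.pem chains to a self-signed root in $1.pem. Optional $3.pem holds
# untrusted intermediates, i.e. what the DC itself may send in the TLS handshake.
chain_ok() {
  if [ $# -ge 3 ]; then
    openssl verify -CAfile "$WORK/$1.pem" -untrusted "$WORK/$3.pem" "$WORK/$2.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
  fi
}

# Reissue DC $1 from CA $2: the renewal case, whichever CA ends up signing it.
renew_dc() { issue "$1" "$2" "$(dc_ext "$1")"; }

# sssd.conf for the follow-up question: identity from AD over LDAPS, Kerberos for
# authentication. Option names are sssd's; realm, base DN and hosts are placeholders.
sssd_conf() {
  cat <<'EOF'
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldaps://dc2.example.com, ldaps://dc3.example.com, ldaps://dc4.example.com
ldap_search_base = dc=example,dc=com
ldap_schema = rfc2307
ldap_tls_cacert = /etc/openldap/cacerts/ad-ca-bundle.pem
ldap_tls_reqcert = demand
krb5_realm = EXAMPLE.COM
krb5_server = dc2.example.com, dc3.example.com, dc4.example.com
EOF
}

report() { label=$1; shift; if "$@"; then echo "OK    $label"; else echo "FAIL  $label"; fi; }

build_pki
report "DC2 (root-issued) against CA1 alone"           chain_ok ca1 dc2
report "DC1 (CA2-issued) against CA1 alone"            chain_ok ca1 dc1   # FAIL: intermediate missing
report "DC1 with CA2 supplied as intermediate"         chain_ok ca1 dc1 ca2
report "DC1 against the root+subordinate bundle"       chain_ok ad-ca-bundle dc1
report "DC3 against CA2 alone (pinning the sub CA)"    chain_ok ca2 dc3   # FAIL: CA2 is not a trust anchor
renew_dc dc2 ca2                                       # October: DC2 renews, this time from CA2
report "renewed DC2, now CA2-issued, same bundle"      chain_ok ad-ca-bundle dc2
sssd_conf >/dev/null
```

The two FAIL lines are the practical caveats: trusting only the root is enough for DC2 to DC4 but not for DC1 unless the DC sends CA2's certificate in the handshake, so the CA file on the Unix hosts should carry both CA1 and CA2; and trusting CA2 alone verifies nothing, since openssl (and sssd's `ldap_tls_reqcert = demand`) only accepts chains that end at a self-signed certificate in the trust file. Because the trust file never contains a DC certificate, the October renewal needs no change on the Unix side, and the reissued DC2 still verifies. `ldap_tls_reqcert = demand` also checks the hostname against the certificate's subjectAltName, so each URI in `ldap_uri` must be the DNS name the DC's certificate was issued for.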
