Solved

LDAPS - Multiple DC's/CA's

Posted on 2014-04-13
Medium Priority
236 Views
Last Modified: 2014-04-28
Hi guys,

I'm just starting to configure Identity Management for UNIX so that the Unix users can be controlled from the Windows 2012 AD environment.

These are new Unix servers, so there are currently no users on them that need mapping.

Anyway, I want to use LDAPS for authentication but trying to work out how the SSL cert will work.

We have 4x Domain Controllers which have had the 'Identity Management for UNIX' component installed. Let's call them DC1, DC2, DC3 & DC4.

We have 2x CAs. CA1 is root, CA2 is subordinate.

The Server Authentication Certificate on DC1 has been issued by CA2, whereas the certificates on DC2, DC3 & DC4 have been issued by CA1.

They are all set to expire sometime in October 2014.

If I want to configure LDAPS on the Unix hosts so they can use 2-4 of the DCs for authentication, do I need to export the SSL cert from each of them? What will happen if the DCs change CAs in October when they renew? (Is that possible/probable?)
Question by:lltc78
3 Comments
LVL 3

Accepted Solution

by: aces4all00 (earned 2000 total points)
ID: 39998034
Are these standalone or enterprise (AD Integrated) CAs?

Either way it doesn't really matter which CA issues the certificates as long as they're part of the same PKI domain (they share the same root CA).

The IBM Redbook "Integrating AIX into Heterogeneous LDAP Environments" should help quite a bit. The sections dealing with MS AD start around page 217. It's centered around AIX 5.3L but you should be able to adapt it for your Unix version. It can be downloaded at http://publib-b.boulder.ibm.com/abstracts/sg247165.html?Open
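To make the "same root CA" point concrete, here is an added example that is not part of the thread: a throw-away PKI shaped like the asker's (CA1 root, CA2 subordinate to CA1, DC1 issued by CA2, DC2 issued by CA1), followed by the chain check an LDAPS client performs when it trusts only CA1. It assumes an `openssl` binary is on the PATH; every hostname and file name is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: a throw-away PKI shaped like the
# asker's (CA1 root, CA2 subordinate to CA1, DC1 issued by CA2, DC2 issued
# by CA1) to show that the Unix LDAPS client only needs CA1 as its trust
# anchor. All hostnames and file names are constructed for this demo.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# CA1: self-signed root with CA:TRUE so it can act as a trust anchor.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
openssl req -newkey rsa:2048 -nodes -subj "/CN=CA1 Root" \
  -keyout ca1.key -out ca1.csr 2>/dev/null
openssl x509 -req -in ca1.csr -signkey ca1.key -days 365 -extfile ca.ext \
  -out ca1.pem 2>/dev/null

# CA2: subordinate CA whose certificate is issued by CA1.
openssl req -newkey rsa:2048 -nodes -subj "/CN=CA2 Sub" \
  -keyout ca2.key -out ca2.csr 2>/dev/null
openssl x509 -req -in ca2.csr -CA ca1.pem -CAkey ca1.key -CAcreateserial \
  -days 365 -extfile ca.ext -out ca2.pem 2>/dev/null

# issue_dc NAME CA: server-authentication certificate for a DC, signed by CA.
issue_dc() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1.example.test" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s.example.test\n' \
    "$1" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -days 365 -extfile "$1.ext" -out "$1.pem" 2>/dev/null
}
issue_dc dc1 ca2          # DC1: issued by the subordinate CA
issue_dc dc2 ca1          # DC2: issued directly by the root
issue_dc dc2renewed ca2   # DC2 after an "October renewal" from the other CA

# verify_dc NAME: the check an LDAPS client performs with only ca1.pem
# trusted. ca2.pem is passed as -untrusted, the role an intermediate has
# when the DC sends it in the TLS handshake; it is not a trust anchor.
verify_dc() {
  if openssl verify -CAfile ca1.pem -untrusted ca2.pem "$1.pem" >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}
# verify_with_ca2_only NAME: negative control, trusting only the subordinate.
verify_with_ca2_only() {
  if openssl verify -CAfile ca2.pem "$1.pem" >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}

for dc in dc1 dc2 dc2renewed; do echo "$dc against CA1 root: $(verify_dc $dc)"; done
echo "dc2 against CA2 only: $(verify_with_ca2_only dc2)"
```

On the Unix hosts this maps to pointing the LDAP client's `TLS_CACERT` (OpenLDAP's ldap.conf directive) at the root CA certificate alone, so a renewal from any CA under that root needs no client-side change; a DC that omits the intermediate from its handshake is the one case that still fails, which is why the negative control is worth keeping.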
Author Comment

by:lltc78
ID: 39998395
Just a quick question.
Does this even need LDAP for authentication or does it use Kerberos for that and LDAP for searches only?
LVL 3

Expert Comment

by:aces4all00
ID: 39998431
You can configure it to work either way, or to try Kerberos first and then fall back to LDAP for auth.