
LDAP over SSL implementation

Transitioning from 2003 domain controllers to 2012.  The previous admin installed CA on the 2003 DC (we are assuming) to enable ldap over ssl but it isn't functioning correctly.  I can connect using ldp.exe over ssl when I'm local on the old 2003 server, but when testing from clients it doesn't work.  The error is below:

ld = ldap_sslinit("server.domain.local", 636, 1);
Error 81 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 81 = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to server.domain.local.

What would be the best option to get ldap ssl working on server 2012?  The new 2012 server is in place and all the roles have been transferred.  The only thing we would be currently using it for would be AD integration for our firewall, but that may change in the future.  Should we migrate the CA from 2003 to 2012 and try to get that working or get rid of the 2003 CA and import a certificate from a third party?
Asked by: jasp101

3 Solutions
Chris Dent (PowerShell Developer) commented:
Do you use the CA for anything else? Do you wish to maintain an internal CA?

If it's not used for anything else, and you don't want to maintain a CA, and no one objects to the cost of a third party certificate you can, of course, use one.

The requirements for third party certificates are here:

http://support.microsoft.com/en-us/kb/291010

Personally I used a 2012 CA and the KDC authentication template, but to use that you must maintain a CA (and all its associated components).

Chris
 
compdigit44 commented:
Is the cert issued to the server for the LDAP server still valid? Is the certificate chain for the certificate valid?
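A client-side check of the points this thread turns on (port reachable, TLS handshake completes, certificate not expired, chain builds on the client, name matches the DC FQDN, Server Authentication EKU present), as an added example that is not code from the thread; the server name is a placeholder for your own DC's FQDN:

```powershell
# Added example, not code from the thread. Inspects the certificate an LDAPS endpoint
# presents, from the client's point of view, and reports the usual reasons ldp.exe
# ends up with "Error 81 ... Fail to connect".
function Test-LdapsCertificate {
    param(
        [Parameter(Mandatory)][string]$Server,   # DC FQDN, e.g. server.domain.local (placeholder)
        [int]$Port = 636
    )
    $tcp = $null
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
        # Accept any certificate in the callback; the chain is rebuilt and inspected below.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { param($s, $c, $ch, $e) $true })
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } catch {
        # Closed port, no certificate bound to the DC, or a failed handshake all land here.
        return [pscustomobject]@{ Server = $Server; Reachable = $false; Error = $_.Exception.Message }
    } finally {
        if ($tcp) { $tcp.Dispose() }
    }

    # Build the chain with this client's trust store; revocation failures show up in ChainStatus.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)
    $statuses = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    # Subject Alternative Name (2.5.29.17) and Enhanced Key Usage (2.5.29.37) extensions.
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $san = if ($sanExt) { $sanExt.Format($false) } else { '<none>' }
    $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $hasServerAuth = $ekuExt -and ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
    $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)

    [pscustomobject]@{
        Server         = $Server
        Reachable      = $true
        Subject        = $cert.Subject
        Issuer         = $cert.Issuer
        NotAfter       = $cert.NotAfter
        Expired        = $cert.NotAfter -lt (Get-Date)
        ChainBuilds    = $chainOk
        ChainStatus    = if ($statuses) { $statuses } else { 'NoError' }
        NameMatches    = ($dnsName -eq $Server) -or ($san -match [regex]::Escape($Server))
        SubjectAltName = $san
        ServerAuthEku  = [bool]$hasServerAuth
    }
}

Test-LdapsCertificate -Server 'server.domain.local' | Format-List
```

Run it from a client that fails with ldp.exe rather than on the DC itself, since the DC trusts its own CA and will not reproduce a client-side chain problem.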
 
jasp101 (Author) commented:
We don't have a need for an internal CA.
 
jasp101 (Author) commented:
Domain is an internal name...asked digicert about it and they are going to stop supporting internal domains at the end of this year.  So I will have to either use an internal CA or rename the domain.
 
jasp101 (Author) commented:
Another update.  Certificate from old 2003 CA was expired.  After renewing and waiting for everything to update, I can connect via ldp.exe over ssl.  I guess my next step is to migrate the CA to the new 2012 DC.
 
Chris Dent (PowerShell Developer) commented:
You might consider decommissioning the old CA and bringing a new one online if all it does is issue certificates for the DCs. If nothing else is issued you don't need to consider retaining CRLs, or the root key, or anything at all really.

Chris