Foire Aux Questions Delixir.com

By default, Windows Active Directory servers are unsecured. All LDAP messages are unencrypted and sent in clear text. This restricts what developers can and can't do via LDAP. For example, password modification operations must be performed over a secure channel, such as SSL, TLS or Kerberos.

To enable LDAP over SSL (LDAPS) all you need to do is "install" an SSL certificate on the Active Directory server. Most enterprises will opt to purchase an SSL certificate from a 3rd Party like Verisign. In my case, I created my own certificate using OpenSSL. Here are the steps I used to secure my Active Directory server using a self signed certificate.

Pre-Requisites

OK< before we begin, here are a couple things you need. First of all you will need administrative access to the Active Directory server (i.e. Domain Controller). You obviously need the domain name and the fully qualified name (FQDN) of the Active Directory server. In this tutorial we use the following:

• Domain Name: acme.com
• Domain Controller: dc1.acme.com

Finally, in order to create a Certificate Authority (CA) and sign certificates you need a tool like OpenSSL. This tutorial assumes you are using OpenSSL.

Step 1: Create a Certificate Authority (CA)

If you are creating your own certificate, you need to first create a Certificate Authority (CA). Fortunately, tools like OpenSSL makes this easy.

Creating a CA certificate with OpenSSL is a 2 step process. First, you must create a keystore which is used to store your password.

Next, you will generate a CA certificate. In this example, we will create a CA Certificate that is valid for 10 years:

When generating the CA certificate, OpenSSL will prompt you for several key pieces of information. Note that the "Common Name" is our domain name:

Step 2: Install the Certificate Authority (CA)

To install the certificate authority (CA) on the domain controller, open the "Certificates snap-in":

•  
  1. Start->Run...-> Type "mmc". This will open the "Add/Remove Snap-in" dialog.
  2. Click "Add..." to open the "Add Standalone Snap-in" dialog.
  3. In the "Add Standalone Snap-in" dialog, select "Certificates" and press "Next".
  4. Select "Computer account" and press "Next".
  5. Select "Local computer" and press "Finish"
  6. Click "Close" to close the "Add Standalone Snap-in" dialog.
  7. Click "OK" to close the "Add/Remove Snap-in" dialog.

Once the "Certificates snap-in" is open, expand the "Certificates" node under "Trusted Root Certification Authorities". Right-click on the "Certificates" node, select "All Tasks" -> "Import...", and import the Certificate Authority ("ca.crt") we created in Step 1.

Step 3: Create a Certificate Signing Request (CSR)

Next, we have to create a Certificate Signing Request (CSR). There are a number of different tools out there, including OpenSSL that you can use. However, the preferred approach is to use Microsoft's certreq utility.

The certreq utility is a command line application that takes a *.inf file and generates a CSR. Here's an example of an inf file that I used. Pay close attention to the "Subject" line. It should contain the FQDN of the Active Directory server.

Once you have a inf file, generate a Certificate Signing Request (CSR) using certreq. In this example, "acme.csr" is the CSR.

Step 4: Sign the Certificate

After generating the Certificate Signing Request (CSR), you are ready to create a certificate. If you are purchasing an SSL certificate, send the CSR to your vendor (e.g. Verisign) and they will generate and sign the certificate for you. If you have already purchased an SSL certificate, you can skip this step.

To sign your own certificate using OpenSSL, simply enter the following:

Step 5: Accept the Certificate

After you get your signed certificate, you will need to "Accept" it using the certreq utility:

Step 6: Install the Certificate

In Step 2, we opened the "Certificates snap-in". Assuming it is still open, expand the "Certificates" node under "Personal". Right-click on the "Certificates" node, select "All Tasks" -> "Import...", and import the "acme.crt".

Step 7: Restart Active Directory

After installing the certificate, you must restart the domain controller. You can use Microsoft's Ldp GUI tool to test the LDAPS connection. The default port is 389 and the SSL port is 636.

Source : http://www.javaxt.com/Tutorials/Windows/How_to_Enable_LDAPS_in_Active_Directory