So after a few hours getting Linux authenticating happily from Active Directory, I turned my attention to getting it all working with encryption.
Initially I had tried a telnet to port 636 (the LDAPS port) which failed, so it didn't look like my AD box was talking LDAPS. Somewhere to start I guess!
Enabling LDAPS in AD
I followed this article to the letter, which led me on a slightly convoluted path because I ended up making another 2003R2 server to act as a Certificate Server, before finally getting it all working. I called upon the excellent ldap.exe again, which is handy to prove it's all working using SSL.
LDAP command line tools
Before poking around with actually making authentication work, I wanted to make the useful command line tools, like ldapsearch, work with an encrypted connection. This turned out to be remarkably simple. You just have to change ldap:// to ldaps:// in the OpenLDAP client config (/etc/openldap/ldap.conf on Red Hat-style systems, /etc/ldap/ldap.conf on Debian-based ones). If the AD server's certificate was issued by your own Certificate Server, the client also needs to trust that CA: the proper way is to copy the CA certificate onto the Linux box and point TLS_CACERT at it; the quick way for a self-signed or untrusted certificate (as I am using) is to add TLS_REQCERT never, which turns certificate verification off entirely, so the connection is encrypted but nothing stops an active man-in-the-middle from presenting its own certificate and capturing the bind password. With TLS_REQCERT never added, my file now looked like this:
With that done, running the following command ought to return the same set of data as it did before you enabled encryption, but this time if you use Wireshark or something similar you should see no unencrypted LDAP traffic (note that -w puts the password on the command line, where other local users can read it from the process list; -W prompts for it instead):
ldapsearch -x -LLL -E pr=200/noprompt -D "email@example.com" -w $PASSWORD -s sub "(cn=*)" cn mail sn
Lastly, you'll actually want to configure the /etc/ldap.conf file that the nss_ldap packages use; this is also very simple. First, you have a choice to make: do you want pre-LDAPv3 style SSL (LDAPS, where the TLS handshake happens first and LDAP runs inside the tunnel, normally on port 636) or do you want LDAPv3 StartTLS (a plain connection on port 389 that is upgraded to TLS with the StartTLS extended operation before the bind is sent)? The library supports both, and they both work fine against Windows 2003R2 AD. The ssl off entry in the config file needs to be changed to one of:
ssl on – use pre-LDAPv3 SSL (LDAPS; make sure the host, uri or port settings point at 636)
ssl start_tls – use LDAPv3 and greater StartTLS (stays on the normal port 389)
As I said, either works with AD, so which you choose is up to you, or to any local security policies.
With that changed, I also needed to add a second line to disable root CA certificate checking, because of my self-signed cert. Be aware that with the check off the client will accept whatever certificate it is shown, so the encryption protects against passive sniffing only; the safer fix is to export the root certificate from the Certificate Server you built, copy it to the Linux box and point the client at it so that peer checking can stay on. With that change made as well, my final
/etc/ldap.conf file looked like:
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute gecos cn
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
With this file changed, all your authentication traffic should now be running over an encrypted link. With a network sniffer you can clearly see the difference between having ssl on and ssl start_tls set in the config file: with ssl on the session to port 636 is TLS from the first byte, whereas with ssl start_tls you see a cleartext LDAP StartTLS extended request on port 389 followed by the handshake, after which the bind and searches are encrypted. Either way, the simple bind carrying the password should no longer be readable on the wire.
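As an added example that is not part of the original post, here is a small POSIX shell audit for the two client configs this walkthrough touches: it flags an nss_ldap /etc/ldap.conf or OpenLDAP ldap.conf that still talks cleartext LDAP, and one that encrypts but never verifies the server certificate. It assumes the standard directive names (nss_ldap ssl, tls_checkpeer, tls_cacertfile; OpenLDAP URI, TLS_REQCERT, TLS_CACERT). The sample files it writes, the host dc01.example.com and the CA path are constructed for the example, not taken from the post.

```shell
#!/bin/sh
# Added example, not from the original post: audit nss_ldap /etc/ldap.conf or
# OpenLDAP ldap.conf files for (a) cleartext LDAP and (b) TLS without server
# certificate verification. Directive names are the standard nss_ldap and
# OpenLDAP client ones; sample contents, host names and the CA path are
# constructed for this example.

# Regexes for uncommented directive lines (matched case-insensitively).
TLS_ON='^[[:space:]]*ssl[[:space:]]+(on|start_tls)([[:space:]]|$)'
LDAPS_URI='^[[:space:]]*uri[[:space:]]+ldaps://'
CHECKPEER_OFF='^[[:space:]]*tls_checkpeer[[:space:]]+no([[:space:]]|$)'
REQCERT_OFF='^[[:space:]]*tls_reqcert[[:space:]]+(never|allow)([[:space:]]|$)'
HAS_CA='^[[:space:]]*tls_cacert'   # matches tls_cacertfile, tls_cacertdir, TLS_CACERT

# has FILE REGEX: true if some uncommented line of FILE matches REGEX.
has() {
    sed -e 's/#.*//' "$1" | grep -Eiq "$2"
}

# audit_ldap_conf FILE: print one line per weakness found; always exits 0.
audit_ldap_conf() {
    cfg="$1"
    if ! has "$cfg" "$TLS_ON" && ! has "$cfg" "$LDAPS_URI"; then
        echo "$cfg: no 'ssl on', 'ssl start_tls' or ldaps:// URI; binds go over cleartext LDAP"
    fi
    if has "$cfg" "$CHECKPEER_OFF"; then
        echo "$cfg: 'tls_checkpeer no' accepts any server certificate; an active MITM can still read the bind"
    fi
    if has "$cfg" "$REQCERT_OFF"; then
        echo "$cfg: 'TLS_REQCERT never/allow' accepts any server certificate; an active MITM can still read the bind"
    fi
    if { has "$cfg" "$TLS_ON" || has "$cfg" "$LDAPS_URI"; } && ! has "$cfg" "$HAS_CA"; then
        echo "$cfg: TLS is on but no CA certificate is configured; a private AD CA is not in the system bundle"
    fi
    return 0
}

# count_findings FILE: number of lines audit_ldap_conf prints for FILE.
count_findings() {
    audit_ldap_conf "$1" | awk 'END { print NR }'
}

# write_samples DIR: constructed config files covering the states in the post.
write_samples() {
    d="$1"
    # nss_ldap file before any change: plain LDAP on 389.
    cat > "$d/nss-cleartext.conf" <<'EOF'
host dc01.example.com
base dc=example,dc=com
ssl off
EOF
    # nss_ldap file as the post leaves it: encrypted, peer checking off.
    cat > "$d/nss-unverified.conf" <<'EOF'
host dc01.example.com
base dc=example,dc=com
ssl start_tls
tls_checkpeer no
nss_map_objectclass posixAccount user
EOF
    # nss_ldap file with the AD root CA imported, so checking stays on.
    cat > "$d/nss-verified.conf" <<'EOF'
uri ldaps://dc01.example.com/
base dc=example,dc=com
ssl on
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/ad-root-ca.pem
EOF
    # OpenLDAP client file (used by ldapsearch) with verification disabled.
    cat > "$d/openldap-unverified.conf" <<'EOF'
URI ldaps://dc01.example.com/
BASE dc=example,dc=com
TLS_REQCERT never
EOF
}

# Stand-alone demo: audit the constructed samples and print the findings.
tmp=$(mktemp -d)
write_samples "$tmp"
for f in "$tmp"/*.conf; do
    echo "== $f"
    audit_ldap_conf "$f"
done
rm -rf "$tmp"
```

Run it after each config edit; a correctly set up file produces no findings. The fix for the "unverified" state is to export the root certificate from the Certificate Server built earlier, copy it to the Linux host and reference it with tls_cacertfile (nss_ldap) or TLS_CACERT (OpenLDAP), leaving peer checking on.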
Hope that helps somebody; it's the second time I've done this and last time I didn't write it down, so hopefully next time I won't spend so long going over old ground!