Hello everybody.
I recently configured a Windows Server 2003 R2 with Active Directory, installed the Certificate service and created both a local root CA and a certificate for the server itself.
After exporting the root CA certificate, on OpenSuSE 11 the following command seems to work fine (just to test the TLS/SSL connection is fine):
openssl s_client -connect ip_server:636 -CAfile adroot.cer
This command completes with the following:
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : RC4-MD5
Session-ID: D80D000023E7107F29616FECFF4B5350B859D93D24F6D426BF201E618AEBCBDF
Session-ID-ctx:
Master-Key: 19A14767C533E5730CAE5A37D461AF140EF279F4167C708D3CE57F6F8118D966928CA3442EBC09EC36F87DE336B563A9
Key-Arg : None
Start Time: 1229003030
Timeout : 300 (sec)
Verify return code: 0 (ok)
Now I’d like to perform ldapsearch over the TLS/SSL connection but I can’t figure out the syntax to use.
A simple query (-x) does work:
ldapsearch -x -D "cn=Administrator,cn=Users,dc=zen,dc=strhold,dc=it" \
-w password -h <host> -b "cn=Users,dc=zen,dc=strhold,dc=it" \
'sAMAccountName=myname'
How can I enable an ldapsearch over TLS/SSL?
I tried by configuring /etc/openssl/ldap.conf as follows:
URI ldaps://192.168.68.1
BASE "cn=Users,dc=zen,dc=strhold,dc=it
TLS_REQCERT allow
TLS_CACERT /tmp/adir/adroot_b64.cer
Also, I modified the ldapsearch to read:
ldapsearch -d 1 -H ldaps://<host> \
-D "cn=Administrator,cn=Users,dc=zen,dc=strhold,dc=it" \
-b "cn=Users,dc=zen,dc=strhold,dc=it" \
-Z 'sAMAccountName=myname'
but I got (last lines):
ldap_sasl_interactive_bind_s: server supports: GSSAPI GSS-SPNEGO EXTERNAL DIGEST-MD5
ldap_int_sasl_bind: GSSAPI GSS-SPNEGO EXTERNAL DIGEST-MD5
ldap_int_sasl_open: host=win2003r2.zen.strhold.it
SASL/EXTERNAL authentication started
ldap_err2string
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
Again, I added "-Y DIGEST-MD5", got prompted for a password and got:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
OK, TLS/SSL is not my cup of tea but I’d like to know if there’s a method I can query AD over LDAP+TLS/SSL with.
Thanks,
Rob
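As an added illustration (my own example, not part of Rob's post): a small Python helper that parses a constructed copy of the ldap.conf shown above, flags the unbalanced quote on the BASE line and the permissive TLS_REQCERT setting, and assembles the ldapsearch invocation for a simple bind (-x) over ldaps:// with the CA certificate pinned through the LDAPTLS_CACERT environment variable. The -Z option is deliberately absent, since it requests StartTLS on a plain ldap:// connection. Host name, bind DN and certificate path are placeholders.

```python
import shlex

# Constructed copy of the client configuration from the post (for parsing only).
SAMPLE_LDAP_CONF = '''URI ldaps://192.168.68.1
BASE "cn=Users,dc=zen,dc=strhold,dc=it
TLS_REQCERT allow
TLS_CACERT /tmp/adir/adroot_b64.cer
'''


def parse_ldap_conf(text):
    """Parse an OpenLDAP client ldap.conf; return (settings, warnings)."""
    settings, warnings = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key, value = key.upper(), value.strip()
        if value.count('"') % 2:            # e.g. BASE "cn=Users,...  (no closing quote)
            warnings.append(f"line {lineno}: {key} value has an unbalanced quote")
        settings[key] = value.strip('"')
    if settings.get("TLS_REQCERT", "demand").lower() != "demand":
        warnings.append("TLS_REQCERT is not 'demand': a server certificate that "
                        "fails verification will not abort the connection")
    return settings, warnings


def build_ldapsearch(host, bind_dn, base, ldap_filter, cacert):
    """Return (env, argv) for a simple bind over LDAPS; -W prompts for the password."""
    env = {"LDAPTLS_CACERT": cacert, "LDAPTLS_REQCERT": "demand"}
    argv = ["ldapsearch", "-x", "-H", f"ldaps://{host}", "-D", bind_dn,
            "-W", "-b", base, ldap_filter]
    return env, argv


def shell_line(env, argv):
    """Render env + argv as a single shell command line (for copy/paste)."""
    prefix = " ".join(f"{k}={shlex.quote(v)}" for k, v in env.items())
    return f"{prefix} {' '.join(shlex.quote(a) for a in argv)}"


if __name__ == "__main__":
    cfg, problems = parse_ldap_conf(SAMPLE_LDAP_CONF)
    for p in problems:
        print("warning:", p)
    print(shell_line(*build_ldapsearch("win2003r2.example.test",          # placeholder host
                                       "cn=Administrator,cn=Users,dc=zen,dc=strhold,dc=it",
                                       cfg["BASE"], "(sAMAccountName=myname)",
                                       "/tmp/adir/adroot_b64.cer")))
```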