Symantec Access Management

  • 1.  AD LDS over SSL - Cert issue

    Posted Jan 10, 2017 08:22 PM

    I am trying to connect to LDAP (AD LDS) over SSL as a user directory. I am able to bind successfully if I connect over 389, but I get an error connecting over 636.

    My ldap search command is:

    ./ldapsearch -D "BINDDN" -w password -h ldaphost -p 636 -b "basedn" -s base "objectClass=*" -P /opt/ca/siteminder/bin/sslcerts/cert8.db

    ldap_simple_bind: Can't contact LDAP server
    SSL error -8179 (Peer's Certificate issuer is not recognized.)


    My policy server already has a cert DB which is loaded with a certificate to connect to another Active Directory. This has been working fine for years.

    AD LDS is a new user store; we want to connect to it over SSL.

    I used the following certutil command to add AD LDS certificate to existing cert8.db.

    ./bin/certutil -A -n nameofthecert -d /opt/netegrity/siteminder/sslcerts -i /opt/netegrity/siteminder/sslcerts/adldscertificate.cer -t "C,C,C"

    When I do a list:

    certutil -L -d /opt/ca/siteminder/bin/sslcerts/

    I get the following:

    Certificate Nickname Trust Attributes
    SSL,S/MIME,JAR/XPI

    ad-gc-issuingca-cert C,C,C
    Adlds-issuingca-cert C,,

    ADLDS issuing Cert is the certificate that we are trying to use.

    When I open the certificate on Windows, on the Certification Path tab, it shows "The issuer of this certificate could not be found". It seems that there are some missing pieces to my certificate itself, but I can't seem to figure out what it is. I appreciate anyone who can throw some light on this. Thanks.



  • 2.  Re: AD LDS over SSL - Cert issue

    Posted Jan 10, 2017 10:08 PM

    Please check the documentation and see if you have followed exact steps.

     

    How to Configure an LDAP User Directory Connection over SSL 

     

    Try using openssl to check which certificate is used by your AD LDS

    openssl s_client -connect hostname:636 -tls1

     

    It will display the server certificate and its issuer DN.

    Save the certificate to a file and double click on it to check the "Certification Path" and see if you find the ROOTCA or the chain.

     

    Check if the issuer (CA) certificate matches the one in the cert DB.

     

    certutil -d /opt/ca/siteminder/bin/sslcerts -L -n ad-gc-issuingca-cert -a  -o ad-gc-issuingca-cert.cer

    certutil -d /opt/ca/siteminder/bin/sslcerts -L -n Adlds-issuingca-cert -a  -o Adlds-issuingca-cert.cer

     

    Compare them to the one you got from openssl command.

     

    Also, I find that you imported the server certificate using "C,C,C" while the documentation suggests "P,,".



  • 3.  Re: AD LDS over SSL - Cert issue
    Best Answer

    Posted Jan 11, 2017 05:01 PM

    Hi Anil,

     

    I think you will need to address this first:

     

    "When I open the certificate on Windows, on the Certification Path tab, it shows 'The issuer of this certificate could not be found'." This means this is NOT the Root CA cert. For Root CA certs, the "Issued To" and "Issuer" should match.

     

    You can try exporting the existing certificates from the cert database to see what they exactly are, as the alias name could be misleading:

     

    ./certutil -L -d <PATH_TO_CERTDB> -a -n <CERT_ALIAS>

    e.g.

     

    ./certutil -L -d /opt/CA/certdb -a -n ad-gc-issuingca-cert

     

    You need to import Root CA, Intermediate CA and Server certs (yes, as per doco this is needed as well).

     

    Regards,

    Ujwol
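A quick way to apply the "Issued To must equal Issuer" check from the answer above to a PEM file (for instance one exported with certutil -L -a), as an added example that is not part of this thread: it builds a throwaway CA and a server certificate with openssl so it runs offline, classifies each as root or non-root, and verifies that the server cert chains to the CA. The CA name and the hostname adlds.example.test are constructed; real ones come from your own PKI.

```shell
# Added example, not from the thread. Requires only openssl.
# A root CA certificate is self-signed: its Subject and Issuer are identical.
# The "issuer could not be found" message in the question means the file
# being imported was NOT such a root, so the chain could not be completed.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

# Print "root" when subject == issuer, otherwise "non-root".
cert_role() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    # Drop the "subject="/"issuer=" labels so only the DNs are compared.
    subj=${subj#subject=}
    iss=${iss#issuer=}
    if [ "$subj" = "$iss" ]; then echo root; else echo non-root; fi
}

# Return 0 when the server certificate ($2) chains to the CA bundle ($1),
# i.e. the CA material the NSS cert DB must hold for the SSL bind to work.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed test material: a throwaway CA and a leaf it signs (made-up names).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Issuing CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=adlds.example.test" \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/srv.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/srv.pem" 2>/dev/null

echo "ca.pem  is $(cert_role "$WORK/ca.pem")"    # root
echo "srv.pem is $(cert_role "$WORK/srv.pem")"   # non-root
if chain_ok "$WORK/ca.pem" "$WORK/srv.pem"; then
    echo "srv.pem chains to ca.pem"
fi
```

Run cert_role against the file you intend to load with certutil -A: if it prints non-root, you still need the certificate above it in the chain.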



  • 4.  Re: AD LDS over SSL - Cert issue

    Posted Jan 16, 2017 08:16 PM

    Hi Anil,

     

    How are you going on this one? Were you able to make any progress?

     

    Regards,

    Ujwol