Binding to AD using LDAP over SSL

Guest

Hi, I'm hoping some of you experts can help me figure out what I'm missing
here...

I've read through the following KB articles and followed the suggested
methods for enabling LDAP over SSL: KB247078 and KB321051. I've got an
Enterprise CA installed on a Windows 2000 member server in my domain and it
appears the domain controllers have valid certificates from this CA (verified
in the Certificates snap-in). When I use LDP.exe to bind to port 636 on the
servers I am able to establish a connection and see the naming contexts for
the domain. So it appears that LDAP over SSL *is* enabled.

However when I try to connect to the domain controllers with a third party
tool (like Softerra LDAP Browser) using port 636 I keep getting "Error 81:
Can't contact LDAP server". I can connect to the standard LDAP port (389)
without any problems but 636 won't allow a connection. I've tried binding
with my user DN and as anonymous with no effect. I've also tried a standard
ldapbind command on a UNIX host using the same credentials without any luck.
I've requested and installed a user certificate on my client computer from
the Enterprise CA but this didn't help either. Running netstat on the DCs
shows that it is listening for requests using LDAPS.

Is there anything else I can try? Have I missed something somewhere?
Thanks for any help.
 
Jason

My experience:
1) To enable SLDAP on a DC, you need to install a Computer certificate,
not a user certificate.
2) Once the certificate is installed, using LDP.exe you can bind to port
636, which is fine. That means at least the DC is listening on port 636.
3) You can further validate that port 636 or secure LDAP has been enabled by
using Outlook Express and connecting via port 636 to query your AD objects.
There's an MS article on how to do this - can't remember exactly the article
no.
4) Softerra LDAP Browser requires you to install a certificate using
Netscape, and without that you will not be able to browse (query) using
SSL over port 636 (see the Help in the Softerra browser).
5) From UNIX, if you bind via SLDAP, it should work, but make sure your
UNIX machine trusts the root of your certificate-issuing CA.

Hope this helps.

Jason
 
Ryan Hanisco

Jason,

I thought that when you brought up an Enterprise Root CA in the directory
your domain controllers were issued computer level certificates
automatically as the DC certificates. Or am I just crazy?
 
Guest

Yes, the DCs have computer certificates that were automatically issued when I
installed the Enterprise CA. Otherwise, I suppose SLDAP wouldn't be enabled
on port 636 and LDP.exe wouldn't have been able to bind to the DCs. Anyway,
this information leads me to believe that the problem I have is with the
Softerra setup and not the servers. I don't think the UNIX host I used had a
trust established with the Root CA. I'll give that a try and see if it
works. Thanks for the help.

Dave
 
Ryan Hanisco

David,

In that case, you have two options. You can either install the certificate
chain from the CA to the UNIX terminal, or you can do a cross trust with the
CA that the UNIX stations subscribe to. The former is easier, but the
latter works in situations where you already have an established PKI and
want to manage that centrally.
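Jason's point 5 and Ryan's last reply both come down to the same thing: the client has to trust the root of the enterprise CA that issued the DC's computer certificate, or the TLS handshake fails and the LDAP library reports it as the generic "Error 81: Can't contact LDAP server". That message looks identical whether nothing is listening on 636, the handshake fails, the issuing CA is untrusted, or the name in the URL does not match the DC certificate. The script below is an added example, not code from this thread or from any of the tools mentioned in it; it uses only the Python standard library and separates those cases so you know which one to fix. The host name `dc1.example.com`, the port 636 and the path of the exported root CA PEM are assumptions.

```python
"""Diagnose why an LDAPS (port 636) connection fails from a non-Windows client.

Added example for this thread (not from any of the posters or tools).  It checks
the three things the thread conflates: is the DC listening on 636, does the TLS
handshake complete, and does this client trust the issuing enterprise CA.
"""
import socket
import ssl


def classify_tls_error(exc):
    """Map an ssl error (or its message) to the practical cause of an LDAP 'error 81'."""
    msg = str(exc).lower()
    if isinstance(exc, ssl.SSLCertVerificationError) or "certificate verify failed" in msg:
        # Chain could not be built to a trusted root: the enterprise CA's root
        # is not in this client's trust store (Jason's point 5).
        if ("unable to get local issuer certificate" in msg
                or "self signed" in msg or "self-signed" in msg):
            return "tls-untrusted-ca"
        # Root is trusted, but the DC cert's name does not match the host name used.
        if "hostname mismatch" in msg or "doesn't match" in msg:
            return "tls-hostname-mismatch"
        if "expired" in msg:
            return "tls-cert-expired"
        return "tls-verify-failed"
    return "tls-handshake-failed"


def diagnose_ldaps(host, port=636, cafile=None, timeout=5.0):
    """Return (status, detail): first a plain TCP connect, then a verified TLS handshake.

    cafile: PEM file holding the enterprise root CA (assumed exported from the CA);
    None falls back to the OS trust store, which is where a UNIX box usually fails.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True            # a real LDAPS client verifies the DC's name
    ctx.verify_mode = ssl.CERT_REQUIRED  # and its chain; never relax these to "fix" error 81
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        # Nothing listening or a firewall in the way: not a certificate problem at all.
        return "tcp-unreachable", str(exc)
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            issuer = dict(rdn[0] for rdn in cert.get("issuer", ()))
            return "tls-ok", "issued by %s" % issuer.get("commonName", "?")
    except ssl.SSLError as exc:
        return classify_tls_error(exc), str(exc)
    except OSError as exc:
        return "tls-handshake-failed", str(exc)
    finally:
        raw.close()


def unused_local_port():
    """Pick a local TCP port nothing is listening on (for an offline 'tcp-unreachable' demo)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "dc1.example.com"  # assumed DC name
    cafile = sys.argv[2] if len(sys.argv) > 2 else None              # assumed root CA PEM path
    status, detail = diagnose_ldaps(host, 636, cafile)
    print(status, "-", detail)
```

If the result is `tls-untrusted-ca`, the DC is fine and the fix is the one Ryan describes: export the enterprise root (and any intermediate) certificate as PEM and point the client at it. For an OpenLDAP-based client that is `LDAPTLS_CACERT=/path/to/enterprise-root.pem ldapsearch -H ldaps://dc1.example.com -x -b "dc=example,dc=com"` (path and base DN are assumptions). A `tls-hostname-mismatch` means you must connect using the FQDN that appears in the DC's certificate rather than an IP address or short name.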