[ZendTo] MS LDAPs

Glenn Noel glenn.noel at gmail.com
Fri Feb 28 19:07:48 GMT 2020


[Fixed] Hello fellow Zendto users.  I wanted to follow up on this recent
thread and to thank Scott once again.  His instructions are sound.  When I
first attempted the command that Scott provided:
  openssl s_client -connect your-AD-server-here.example.com:636
I received a cert in the output, but it was not the correct certificate for
my network so I was still unable to connect via LDAPS.

I worked with Microsoft Support and even they had a difficult time
determining which of my certs was actually performing the client
authentication.  To resolve, MS support assisted me by:
- Created a duplicate Kerberos Authentication Template and import it into
the Personal Certificate store.  We named the template "ldapoverssl" for
easy identification (This was done because we didn't know which other cert
to export and none were marked "exportable")
- On a client computer ran the following command to create a trace-file:
netsh trace start capture=yes scenario=netconnection tracefile=c:\SSLtraffic
- On the client computer ran ldp.exe and went through the steps to test an
LDAPS bind over 636, then stopped the trace.
- Used Microsoft Network Monitor 3.4 to view the trace-file.  Using this
trace-file we were able to track down the handshake between my client and
the LDAP server.  We could then find the Serial number of the certificate
used for LDAPS.
This confirmed that the new ldapoverssl template/certificate was the one
being used for LDAPS connections.
- I then re-ran the command that Scott provided:  openssl s_client -connect
your-AD-server-here.example.com:636 and found that the output was different
than what I had before.
- Imported the new cert output into /etc/ssl/certs/ca-certificates.crt,
tweaked preferences.php to the LDAPS settings and restarted Apache... SUCCESS!

I am still very much a novice with Linux, Apache, Zend and apparently
Microsoft Certificates so I hope my notes make a little bit of sense.

Thank you everyone for your assistance with this.  I learned a lot.

Glenn

On Fri, Feb 14, 2020 at 2:55 PM Glenn Noel via ZendTo <zendto at zend.to>
wrote:

> Thank you Scott,
>
> I was able to complete your instructions but mine is still a no-go.  I
> have verified that my Zend server is trying to connect over port 636, but
> I'm still getting errors.  I will continue plugging away at this on
> Monday.
>
> I'm glad you were able to get yours up and running.
>
> Have a good weekend.
>
> Glenn
>
> On Fri, Feb 14, 2020 at 12:23 PM Scott Silva via ZendTo <zendto at zend.to>
> wrote:
>
>> OK… I think I figured this out…
>>
>> Run   openssl s_client -connect your-AD-server-here.example.com:636
>> (replace with your AD server)
>>
>> In the results you will see a full key in base 64
>>
>> Copy all from the  ----BEGIN Certificate --- to the ---END CERTIFICATE---
>> including those lines and paste to the end of whichever cert your
>> TLS_CACERT points to
>>
>> Don't overwrite, paste to the end and save.
>> Now try and see if it authenticates...
>>
>> Works in mine
>>
>> From: ZendTo <zendto-bounces at zend.to> On Behalf Of Glenn Noel via ZendTo
>> Sent: Thursday, February 13, 2020 2:24 PM
>> To: ZendTo Users <zendto at zend.to>
>> Cc: Glenn Noel <glenn.noel at gmail.com>
>> Subject: Re: [ZendTo] MS LDAPs
>>
>> Hi All,  I'm still struggling with LDAPS.  In Jules' previous email there
>> is a mention of:
>>
>> "If you are using some sort of a self-signed or locally-signed
>> certificate on your AD server(s), then you will need to add your local root
>> CA public cert to the TLS_CACERT file, or else the ZendTo server won't be
>> able to verify the cert it gets from the AD server. But if you are using a
>> "normal" externally-signed commercial cert, it should work fine."
>>
>> I am in this situation of using a cert created by my internal Domain CA.
>> The steps I have taken:
>> 1.) Exported the public key/cert for Client Authentication, Server
>> Authentication from my Windows Domain Controller in DER encoded binary
>> X.509(.CER) format
>> 2.) copied this .CER to /etc/ssl/certs
>> 3.) in /etc/ldap/ldap.conf  I added:
>> TLS_CACERT     /etc/ssl/certs/my-exported-ldaps-cert.cer
>> This line sits under the original line of
>> TLS_CACERT /etc/ssl/certs/ca-certificates.crt
>>
>> It was a shot in the dark and I successfully predicted that it would not
>> work.  However I am stuck.  If anyone has a good step-by-step to help me
>> out I would appreciate it immensely.
>>
>> If the recommended method is to purchase a 3rd party cert please let me
>> know - I will try that next (although I might need some assistance with
>> that process too).
>>
>> Thank you,
>>
>> Glenn
>>
>>
>> On Wed, Feb 12, 2020 at 10:24 AM Jules Field via ZendTo <zendto at zend.to>
>> wrote:
>> Scott,
>>
>> I have just done a CentOS 7 install of the latest ZendTo beta from
>> scratch, including using SELinux.
>>
>> I set the preferences.php settings to
>>
>>     authLDAPServers1 => array('ldaps://our-AD-server.soton.ac.uk'),
>>     authLDAPBaseDN1 => 'DC=soton,DC=ac,DC=uk',
>>     authLDAPAccountSuffix1 => '@soton.ac.uk',
>>     authLDAPUseSSL1 => false,
>>     authLDAPUseTLS1 => false,
>>
>> and it just worked immediately. I didn't have to install any other
>> packages at all.
>>
>> Our AD servers are listening on 636/tcp (the TCP port for ldaps according
>> to /etc/services).
>>
>> I have already tested the same thing on Ubuntu 18.04 and it worked first
>> time there too.
>>
>> If you are using some sort of a self-signed or locally-signed certificate
>> on your AD server(s), then you will need to add your local root CA public
>> cert to the TLS_CACERT file, or else the ZendTo server won't be able to
>> verify the cert it gets from the AD server. But if you are using a "normal"
>> externally-signed commercial cert, it should work fine.
>>
>> On 10/02/2020 18:39, Scott Silva via ZendTo wrote:
>> In my case I know the ports are open because I have a Linux based spam
>> filter that is able to auth secured.
>>
>>
>> -----Original Message-----
>> From: ZendTo <zendto-bounces at zend.to> On Behalf Of Guy Bertrand via
>> ZendTo
>> Sent: Monday, February 10, 2020 10:37 AM
>> To: <zendto at zend.to>
>> Cc: Guy Bertrand <Guy.Bertrand at exelaonline.com>
>> Subject: [ZendTo] MS LDAPs
>>
>> Reminder: LDAPS would normally use port 636 instead of ldap/389 to talk
>> to the domain controller.  Don't forget to check things between your ZendTo
>> server and the domain controller:
>> - the outgoing firewall config on the ZendTo server
>> - the firewall on the DC (is port 636 open?)
>> - routing
>> - any intermediate firewall rules
>>
>> Quick test: open a command prompt (CMD on Windows, any shell on *nix).
>> This will try to "telnet" to that port.
>> C:\> telnet "ip of your DC" 636
>> If a blank screen appears then the port is open, and the test is
>> successful.
>> If you receive a connecting... message or an error message then something
>> is blocking that port.
>>
>> Guy Bertrand, M.Ing
>> Directeur informatique / IT Manager
>> EXELA TECHNOLOGIES
>> b: +1.514.392.4999 | m: +1.514.265.9754
>> 1155, boulevard Robert-Bourassa, suite 500 | Montréal (Québec) CANADA H3B
>> 3A7 http://www.ExelaTech.com | EXELA LinkedIn
>>
>>
>> ________________________________
>> Attention: this message and all attachments are confidential and intended
>> exclusively for the named recipient(s). Any other distribution or
>> unauthorised use is prohibited. If you receive this message in error, please
>> immediately notify the sender by return e-mail, destroy the message and
>> refrain from referring to the information it contains, in order to avoid the
>> penalties attached to the disclosure and use of confidential information.
>> Electronic messages are susceptible to alteration. Exela Technologies and
>> its subsidiaries decline all responsibility in the event of alteration or
>> falsification of this message.
>> ________________________________
>> Please consider the environment before printing or forwarding this email.
>> If you do print this email, please recycle the paper.
>>
>> This email message may contain confidential, proprietary and/or
>> privileged information. It is intended only for the use of the intended
>> recipient(s). If you have received it in error, please immediately advise
>> the sender by reply email and then delete this email message. Any
>> disclosure, copying, distribution or use of the information contained in
>> this email message to or by anyone other than the intended recipient is
>> strictly prohibited. Any views expressed in this message are those of the
>> individual sender, except where the sender specifically states them to be
>> the views of Exela Technologies, Inc. or its subsidiaries.
>>
>> This email does not constitute an agreement to conduct transactions by
>> electronic means and does not create any legally binding contract or
>> enforceable obligation against Exela in the absence of a fully signed
>> written agreement.
>>
>> _______________________________________________
>> ZendTo mailing list
>> mailto:ZendTo at zend.to
>> http://jul.es/mailman/listinfo/zendto
>>
>>
>>
>> Jules
>>
>> --
>> Julian Field MEng CEng CITP MBCS MIEEE MACM
>>
>> 'A good programmer is someone who always looks both ways
>>  before crossing a one-way street.' - Doug Linder
>>
>> http://www.Zend.To
>> Twitter: @JulesFM
>>
>
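The procedure Scott gives above (capture the certificate the AD server presents with openssl s_client, then paste it to the end of the TLS_CACERT bundle without overwriting) and the step Glenn ends with (importing the cert output into ca-certificates.crt) can be scripted so the append is repeatable and never duplicates an entry. The following is an added example, not code from the thread or from ZendTo. It assumes openssl and awk are installed; AD_HOST and the bundle path are placeholders, and the s_client output embedded at the bottom is constructed for the offline demonstration and does not contain a real certificate. The describe_cert step is where you compare the serial number against the one seen in the Network Monitor trace, which was the point Glenn had to work through with Microsoft Support.

```shell
#!/bin/sh
# Added example (not from the thread): fetch the leaf certificate an LDAPS server
# presents and append it to a CA bundle only if it is not already there.
# Placeholders: AD_HOST, CA_BUNDLE. Requires openssl for the live steps only.

# Print the first PEM certificate block on stdin, including the BEGIN/END lines.
# This is the "copy from BEGIN to END including those lines" step, automated.
extract_pem() {
    awk '/-----BEGIN CERTIFICATE-----/ { p = 1 }
         p { print }
         /-----END CERTIFICATE-----/ { if (p) exit }'
}

# Live step: connect to host $1 port $2 and print the leaf certificate as PEM.
# </dev/null makes s_client exit after the handshake instead of waiting on stdin.
# -servername sends SNI, which matters when the DC holds more than one cert.
fetch_server_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null | extract_pem
}

# Live step: show subject, issuer, serial and SHA-256 fingerprint of PEM file $1,
# so the serial can be checked against the one observed in the packet trace.
describe_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -serial -dates -fingerprint -sha256
}

# Base64 body of the first certificate in file $1, joined onto one line.
pem_body() {
    awk '/-----BEGIN CERTIFICATE-----/ { p = 1; next }
         /-----END CERTIFICATE-----/   { exit }
         p { printf "%s", $0 }' "$1"
}

# Exit 0 if bundle $2 already holds a certificate whose body equals that of $1.
cert_in_bundle() {
    want=$(pem_body "$1")
    awk -v want="$want" '
        /-----BEGIN CERTIFICATE-----/ { b = ""; p = 1; next }
        /-----END CERTIFICATE-----/   { p = 0; if (b == want) { found = 1; exit }; next }
        p { b = b $0 }
        END { exit !found }' "$2"
}

# Append cert $1 to bundle $2 unless present. Only ever appends (>>), never
# truncates the bundle, which is the "don't overwrite" rule from the thread.
# A leading newline keeps the new block separate even if the bundle lacks one.
append_cert() {
    if cert_in_bundle "$1" "$2"; then
        echo "already present in $2"
        return 0
    fi
    { printf '\n'; cat "$1"; } >> "$2"
    echo "appended to $2"
}

# Constructed s_client-style output for the offline demo. The body below is NOT a
# real certificate; it is placeholder text in the shape openssl prints.
SAMPLE_SCLIENT_OUTPUT='CONNECTED(00000003)
depth=0 CN = dc01.example.internal
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:CN = dc01.example.internal
   i:CN = Example Internal CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIBCONSTRUCTEDSAMPLEBODYNOTAREALCERTIFICATE0
MIIBCONSTRUCTEDSAMPLEBODYNOTAREALCERTIFICATE1
-----END CERTIFICATE-----
subject=CN = dc01.example.internal
issuer=CN = Example Internal CA
---'

# Offline demonstration: extract, append once, confirm a second append is a no-op.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' "$SAMPLE_SCLIENT_OUTPUT" | extract_pem > "$dir/dc.pem"
    : > "$dir/ca-bundle.crt"
    append_cert "$dir/dc.pem" "$dir/ca-bundle.crt"   # appended
    append_cert "$dir/dc.pem" "$dir/ca-bundle.crt"   # already present
    printf 'certificates in bundle: '
    grep -c -- '-----BEGIN CERTIFICATE-----' "$dir/ca-bundle.crt"   # 1
    rm -rf "$dir"
}
demo
```

For the real run the sequence is `fetch_server_cert AD_HOST 636 > dc.pem`, then `describe_cert dc.pem` to check the serial is the one the DC actually uses for LDAPS, then `append_cert dc.pem /etc/ssl/certs/ca-certificates.crt` (or whichever file TLS_CACERT points to). If describe_cert shows an issuer that is your internal CA, appending the CA's own certificate rather than the leaf is the more durable choice, because it keeps working when the DC certificate is renewed.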