
Step by step guide to setup LDAPS on Windows Server


Follow these miniOrange guidelines to set up LDAP over SSL (LDAPS) and establish a secure connection to your LDAP server. Encrypting the connection between the client application and the LDAP server protects the traffic in transit. This matters most for simple bind, which otherwise sends the user's credentials in clear text, so SSL/TLS is recommended whenever simple bind is used.

1. Install Certificate Authority, Create and Export the certificate

1.1: Install the "Active Directory Certificate Services" role through Server Manager.

  • On your Windows Server machine, click Start -> Server Manager -> Add Roles and Features.
  • In the Add Roles and Features wizard, click Next.
  • Choose Role-based or feature-based installation and click Next.
  • Choose Select a server from the server pool, select the LDAP server from the pool and click Next.
  • Choose Active Directory Certificate Services from the list of roles and click Next.
  • Select nothing from the list of features and click Next.
  • On the Active Directory Certificate Services (AD CS) page, select nothing and click Next.
  • Tick Certification Authority in the list of role services and click Next.
  • Click Install to confirm the installation.
  • Now click Configure Active Directory Certificate Services on the destination server and click Close.
  • The currently logged-on user can be used to configure role services, since it belongs to the local Administrators group. Click Next.
  • Tick Certification Authority in the list of role services and click Next.
  • Choose Enterprise CA and click Next.
  • Choose Root CA and click Next.
  • Choose Create a new private key and click Next.
  • Choose SHA256 as the hash algorithm and click Next.
    UPDATE: it is recommended to select the most recent hashing algorithm available.
  • On the CA name page, click Next.
  • Specify the validity period of the certificate (the default is 5 years) and click Next.
  • Keep the default database location and click Next.
  • Click Configure to confirm.
  • Once the configuration has succeeded, click Close.

1.2: Create certificate template

  • Press Windows Key+R, run certtmpl.msc and locate the Kerberos Authentication template.
  • Right-click Kerberos Authentication and select Duplicate Template.
  • The Properties of New Template dialog appears. Configure the settings according to your requirements.
  • On the General tab, enable the Publish certificate in Active Directory option.
  • On the Request Handling tab, enable the 'Allow private key to be exported' option.
  • On the Subject Name tab, set the subject name format to DNS Name, then click Apply and OK.

1.3: Issue certificate template

  • Go to Start -> Certification Authority, right-click "Certificate Templates" and select New -> Certificate Template to Issue.
  • Select the certificate template you just created and click OK.

1.4: Request new certificate for created certificate template

  • Press Windows Key+R, run mmc, then go to File -> Add/Remove Snap-in. Select Certificates, click Add and then click OK.
  • Select Computer account and click Next.
  • Select Local computer and click Finish.
  • Right-click Certificates, select All Tasks and click Request New Certificate.
  • Click Next.
  • On the certificate enrollment policy page, click Next.
  • Select your certificate template and click Enroll.
  • Click Finish.

1.5: Export the created certificate

  • Right-click the newly generated certificate and select All Tasks -> Export.
  • Click Next.
  • Select Do not export the private key and click Next.
  • Choose the Base-64 encoded X.509 (.CER) file format and click Next.
  • Export the .CER file to a path on your local system and click Next.
  • Click Finish to complete the certificate export.

2. Configure LDAPS on the client-side server

2.1: Convert Certificate Format and Install the Certificate using OpenSSL

  • To convert the certificate from .cer to .pem format, use OpenSSL.
  • For Windows:
    • If you don't already have OpenSSL, you can obtain it from http://gnuwin32.sourceforge.net/packages/openssl.htm.
    • Copy the certificate file you generated in the previous step to the machine on which PHP is running and run the following command, for example:
      C:\openssl\openssl x509 -in mOrangeLDAPS.cer -out mOrangeLDAPS.pem
      This writes the certificate in a form the OpenLDAP client library can use.
    • Place the generated .pem file in a directory of your choosing (C:\openldap\sysconf may be a good choice, since that directory already exists).
    • Add the following line to your ldap.conf file:
      TLS_CACERT C:\openldap\sysconf\mOrangeLDAPS.pem
    • This directive tells the OpenLDAP client library where the CA certificate is, so that it can be used to verify the server during the initial connection.

  • For Linux:
    • Run the following command to install OpenSSL.
      • For Ubuntu:
        sudo apt-get install openssl
      • For RHEL/CentOS:
        yum install openssl
    • Copy the certificate file you generated in the previous step to the machine on which PHP is running and run the following command, for example:
      openssl x509 -in mOrangeLDAPS.cer -out mOrangeLDAPS.pem
      This writes the certificate in a form the OpenLDAP client library can use.
    • Place the generated .pem file in a directory of your choosing (/etc/openldap/ may be a good choice, since that directory already exists).
    • Add the following line to your ldap.conf file:
      TLS_CACERT /etc/openldap/mOrangeLDAPS.pem
    • This directive tells the OpenLDAP client library where the CA certificate is, so that it can be used to verify the server during the initial connection.

2.2: Install the certificate in the Java keystore

  • Run the following command to import the certificate into cacerts (adjust the keystore path to your Java installation). keytool prompts for the keystore password (the default for cacerts is changeit) and asks you to confirm that the certificate should be trusted.
  • For Windows:
      keytool -importcert -alias "mOrangeLDAPS" -keystore "C:\Program Files\Java\jre1.8.0_231\lib\security\cacerts" -file "C:\Users\Administrator\Documents\mOrangeLDAPS.cer"

  • For Linux:
      keytool -importcert -alias "mOrangeLDAPS" -keystore "/usr/java/jdk1.8.0_144/jre/lib/security/cacerts" -file "/home/mOrangeLDAPS.cer"

  • Restart your web server.

3. Test Connection

  • For Linux (ldapsearch reads the TLS_CACERT directive from ldap.conf, so the server certificate is verified against the CA exported in step 1.5):
      ldapsearch -ZZ -h ad_host.example.com -D some_user@EXAMPLE.COM -W -b OU=users,DC=EXAMPLE,DC=COM dn
      • -ZZ: issue StartTLS and fail if it cannot be negotiated. StartTLS upgrades the standard LDAP port (389) to TLS; to test the dedicated LDAPS port instead, use -H ldaps://ad_host.example.com:636 in place of -ZZ -h ad_host.example.com.
      • -h: IP address or hostname of the Active Directory server
      • -D: bind DN or user principal name
      • -W: prompt for the password interactively
      • -b: base DN for the search (where in the LDAP tree to start looking)

  • For Windows:

    [Role Required: Admin]

    • Ensure that the Windows Support Tools are installed on the domain controller (DC).
    • The Support Tools setup (suptools.msi) can be found in the \Support\Tools directory on your Windows Server CD.
    • Select Start >> All Programs >> Windows Support Tools >> Command Prompt. On the command line, type ldp to start the tool.
    • In the LDP window, select Connection >> Connect, supply the local FQDN and the port number (636), and tick the SSL checkbox.

  • If successful, a window displays information about the Active Directory SSL connection. If the connection fails, try restarting the system and repeat this procedure.
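As an added example (not part of the original guide or of any miniOrange product), the following Python script performs the client-side checks from steps 2.1 and 3 with only the standard library: it normalises the exported .cer to PEM (handling a DER export as well as the Base-64 one the guide selects) and opens a TLS connection to the LDAPS port that trusts only the exported CA certificate and verifies the hostname. The function names, the host name and the CA file path are assumptions for illustration.

```python
import base64
import binascii
import socket
import ssl

PEM_HEADER = "-----BEGIN CERTIFICATE-----"


def to_pem(raw: bytes) -> str:
    """Normalise an exported .cer to PEM, the form TLS_CACERT expects.

    Accepts the three shapes an export can have: a Base-64 export that is
    already PEM, a bare Base-64 body without markers, and a binary DER
    export (which begins with the ASN.1 SEQUENCE tag 0x30).
    """
    text = raw.decode("ascii", errors="replace").strip()
    if text.startswith(PEM_HEADER):               # already PEM: pass it through
        return text + "\n"
    body = "".join(text.split())                  # bare Base-64, possibly line-wrapped
    if body:
        try:
            return ssl.DER_cert_to_PEM_cert(base64.b64decode(body, validate=True))
        except ValueError:                        # binascii.Error is a ValueError too
            pass
    if raw[:1] == b"\x30":                        # binary DER export
        return ssl.DER_cert_to_PEM_cert(raw)
    raise ValueError("input is not a DER, PEM or Base-64 certificate")


def san_dns_names(peercert: dict) -> list:
    """DNS names from the dict that ssl.SSLSocket.getpeercert() returns."""
    return [v for kind, v in peercert.get("subjectAltName", ()) if kind == "DNS"]


def check_ldaps(host: str, ca_file: str, port: int = 636, timeout: float = 5.0) -> dict:
    """Open TLS to the LDAPS port trusting only the exported CA certificate.

    Hostname verification stays on, so the handshake fails unless the DC's
    certificate carries `host` as a SAN DNS name (the DNS Name subject format
    chosen for the duplicated template). An untrusted or mismatched
    certificate raises ssl.SSLError instead of silently connecting.
    """
    ctx = ssl.create_default_context(cafile=ca_file)   # trust our CA only, not the OS store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {"subject": dict(rdn[0] for rdn in cert["subject"]),
                    "dns_names": san_dns_names(cert),
                    "not_after": cert["notAfter"], "protocol": tls.version()}
```

Run it as check_ldaps("ad_host.example.com", "/etc/openldap/mOrangeLDAPS.pem") with your own DC name and CA path; an ssl.SSLError here means the client application would also have failed to verify the server.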

