DEV Community

loading...

Discussion on: Active Directory LDAPS the easy way

Collapse
bondr007 profile image
bondr007 Author

Hi Emanuel,

The communication between Active Directory and client machines is secured using a different protocol called kerberos for authentication. Domain joined machines such as your windows endpoints on windows 8.1 and 10 should not be effected since their traffic for authentication does not use LDAP or LDAPS, instead is uses a proprietary implementation of kerberos on port 88. LDAP and LDAPS are primarily used servers such as a web server that user Active Directory to authenticate users, or some client applications that query active directory. Some other examples are linux machines used with Active Directory can use LDAP(S), (there is also ways to use kerberos on linux domain joined machines), Mac OS uses LDAP(S) for authentication when joined to an active directory domain. When you enable LDAPS, LDAP 389 traffic does not go away. Microsoft has indefinitely extended the deadline. The March 2020 update did add the ability to enforce secure channel binding in LDAP: support.microsoft.com/en-us/help/4... I have not had the opportunity to test this yet.

Collapse
ema07cqc profile image
Emanuel

Hi there. Hope you are doing well and safe.
I followed your tutorial 20 days ago and everything is working well (Windows Workstations i.e).
The connection from a linux to the main server is OK, using:
openssl s_client -connect srv-ad-01.mydomain.local:636 -CAfile ca.crt

but its not working when trying to connect the other 3 DCs (where I imported pfx). Im getting this error:

CONNECTED(00000003)
write:errno=104
no peer certificate available
No client certificate CA names sent
SSL handshake has read 0 bytes and written 0 bytes
New, (NONE), Cipher is (NONE)

I followed this guide to import the PFX file:
How to Install Certificates on Microsoft Active Directory LDAP 2012

There is another way to import that pfx file?

Thanks again.

Thread Thread
bondr007 profile image
bondr007 Author

Hi Emanuel,

Sorry it took so long to reply.

You can export the cert/privatekey and import them on the rest of your domain controllers using the commands listed here to do this:
github.com/bondr007/HowTo-ActiveDi...

Collapse
ema07cqc profile image
Emanuel

Hi there! First of all, thank you so much for your time and dedication to answer my question. Very clear! I did not know that workstations used Kerberos... So I'm going to go through those steps. Thank you very much again and have a good week!!!

Emanuel.