Configure LDAP SSL

Securing the connection to LDAP with a certificate.

Set up LDAPS (LDAP over SSL)

Click Start –> Server Manager –> Add Roles and Features. Click Next.

Choose Role-based or feature-based installation. Click Next.

Select the server from the server pool. Click Next.

Choose Active Directory Certificate Services from the list of roles and click Next.

Choose nothing from the list of features and click Next.

Click Next.

Tick “Certification Authority” in the list of role services and click Next.

Click Install to confirm the installation.

Once the installation is complete, click Close.


Now let’s create a certificate using the AD CS Configuration Wizard. To open the wizard, click “Configure Active Directory Certificate Services on the destination server” in the above screen, then click Close.

Choose Certification Authority from the list of role services. Click Next.

Since this is a local box setup without a domain, we are going to choose a Standalone CA. Click Next.

Choose Root CA as the type of CA and click Next.

Since we do not possess a private key, let’s create a new one. Click Next.

Choose SHA1 as the hash algorithm. Click Next.

UPDATE: select a current hash algorithm (SHA-256 or stronger) instead, since SHA-1 is deprecated and being phased out.

The name of the CA must match the hostname (requirement number 2). Enter “LDAPSTEST” and click Next.

Specify the validity period of the certificate. Choose the default of 5 years. Click Next.

Choose the default database locations and click Next.

Click Configure to confirm.

Once the configuration completes successfully, click Close.
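The Server Manager and AD CS wizard steps above can be scripted. The following PowerShell is an added example (not from the original post) using the ServerManager and ADCSDeployment cmdlets that ship with Windows Server 2012 and later. It assumes the CA name LDAPSTEST from the post and, following the UPDATE note, uses SHA-256 with a 2048-bit RSA key rather than SHA-1. It keeps the post's choice of a standalone root CA; be aware that the certificate-template steps further down the post are only available on an Enterprise CA (-CAType EnterpriseRootCA, run as an Enterprise Admin on a domain-joined server), because templates are stored in Active Directory.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session on the server that will become the CA (Windows Server 2012 or later).
$CaName = 'LDAPSTEST'          # from the post: must match the host name

# Server Manager part: install the AD CS role plus its management tools.
$install = Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools
if (-not $install.Success) { throw 'AD CS role installation failed' }

# Wizard part: standalone root CA, new private key, 5-year validity (the
# post's default), default database/log locations. SHA-256 instead of SHA-1.
Install-AdcsCertificationAuthority `
    -CAType              StandaloneRootCA `
    -CACommonName        $CaName `
    -CryptoProviderName  'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength           2048 `
    -HashAlgorithmName   SHA256 `
    -ValidityPeriod      Years `
    -ValidityPeriodUnits 5 `
    -Force

# Check: the CA service is running and the CA's own certificate (the one
# holding the private key) is signed with SHA-2, not SHA-1.
$caCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$CaName*" -and $_.HasPrivateKey } |
    Sort-Object NotBefore -Descending | Select-Object -First 1

[pscustomobject]@{
    CertSvc            = (Get-Service -Name CertSvc).Status
    CASubject          = $caCert.Subject
    SignatureAlgorithm = $caCert.SignatureAlgorithm.FriendlyName   # expect sha256RSA
    ValidUntil         = $caCert.NotAfter
}
```

The final object is the scripted equivalent of opening the CA console after the wizard: if SignatureAlgorithm still reads sha1RSA, the CA was configured with the deprecated algorithm and has to be reinstalled, since the hash of an existing CA certificate cannot be changed in place.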

1. On your CA server, launch the Certification Authority management console > Certificate Templates > right-click > Manage.

2. Locate the Kerberos Authentication template > Duplicate Template.

3. General tab > name it ‘LDAPoverSSL’ > set its validity period.

4. Request Handling tab > select ‘Allow private key to be exported’ > Apply > OK.

5. Right-click Certificate Templates again > Certificate Template to Issue.

6. Locate and select the ‘LDAPoverSSL’ template > OK.

7. Now log on to a DOMAIN CONTROLLER > Windows key+R > mmc {Enter} > File > Add/Remove Snap-in > add the Certificates snap-in > Computer account > Finish > OK > expand Certificates > Personal > Certificates > right-click > All Tasks > Request New Certificate > Next > Next.

  • You will need to restart the domain controller.

8. Select the LDAPoverSSL certificate > Enroll > close the Certificates snap-in.
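Steps 7 and 8 (request and enrol on the domain controller) can also be done from PowerShell with the PKI module's Get-Certificate cmdlet, and it is worth checking the issued certificate before rebooting: Schannel only picks a certificate for LDAPS if it has a private key, carries the Server Authentication EKU, and names the DC's fully qualified host name in its subject or subject alternative name. This is an added example (not from the original post); it assumes the template name LDAPoverSSL from step 3 and an Enterprise CA reachable from the DC.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session on the domain controller after the template has been published.
$TemplateName = 'LDAPoverSSL'                      # template name from step 3
$dcFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# Steps 7-8: request a certificate from the template into the machine store.
$result = Get-Certificate -Template $TemplateName -CertStoreLocation 'Cert:\LocalMachine\My'
if ($result.Status -ne 'Issued') {
    throw "Enrollment not complete, status is '$($result.Status)' (pending requests need CA approval)"
}
$cert = $result.Certificate

# Properties Schannel requires before it will serve the certificate on 636.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$checks = [ordered]@{
    HasPrivateKey = $cert.HasPrivateKey
    ServerAuthEku = [bool]($cert.EnhancedKeyUsageList | Where-Object ObjectId -eq $serverAuthOid)
    NameCoversDc  = ($cert.DnsNameList.Unicode -contains $dcFqdn) -or ($cert.Subject -eq "CN=$dcFqdn")
    NotExpired    = $cert.NotAfter -gt (Get-Date)
}
[pscustomobject]$checks | Format-List

if ($checks.Values -contains $false) {
    Write-Warning 'Certificate is not suitable for LDAPS; fix the template before restarting.'
} elseif ((Read-Host 'All checks passed. Restart the domain controller now to activate LDAPS? (y/N)') -eq 'y') {
    Restart-Computer -Force   # the post notes the DC must be restarted
}
```

Two things a practitioner should keep in mind here. The post's template duplicates Kerberos Authentication, which already includes the Server Authentication EKU and populates the DC's name in the subject alternative name, which is why the checks are expected to pass. The ‘Allow private key to be exported’ setting from step 4 is only needed if you intend to back the key up; anyone holding an exported copy can present themselves as the DC over LDAPS, so leave it off unless there is a concrete reason for it.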

Now let us try to connect to the LDAP server (with SSL) using the ldp.exe tool.

Click Start –> search for ldp.exe –> Connection –> Connect, fill in the connection parameters for your server and click OK to connect.

If the connection is successful, ldp.exe reports it in the output pane.
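The ldp.exe test only tells you that a TLS session came up; it does not show which certificate the DC chose or whether the client actually trusts it. The function below is an added example (not from the original post) that performs the same connection to port 636 from .NET inside PowerShell and reports the certificate details and the chain validation result. The server name is a placeholder to replace with your DC.

```powershell
# Added example, not from the original post. Scripted equivalent of the ldp.exe
# SSL connection test; run from any Windows machine that can reach the DC.
function Test-LdapsEndpoint {
    param(
        [Parameter(Mandatory)] [string] $Server,   # DC name, e.g. 'ldapstest.example.local' (placeholder)
        [int] $Port = 636                           # standard LDAPS port
    )
    $state = @{ Errors = $null }
    # Capture the chain validation verdict instead of hiding it: the handshake is
    # accepted so the certificate can be inspected, and the verdict is reported.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $state.Errors = $sslPolicyErrors
        return $true
    }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Server, $Port)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($Server)   # the name must match the certificate, as in ldp.exe
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
        [pscustomobject]@{
            Server             = "$Server`:$Port"
            Protocol           = $ssl.SslProtocol
            Subject            = $cert.Subject
            Issuer             = $cert.Issuer
            SubjectAltNames    = ($cert.DnsNameList.Unicode -join ', ')
            SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName
            NotAfter           = $cert.NotAfter
            Thumbprint         = $cert.Thumbprint
            ValidationErrors   = $state.Errors        # 'None' means the client trusts it
            TrustedByClient    = ($state.Errors -eq [System.Net.Security.SslPolicyErrors]::None)
        }
        $ssl.Dispose()
    }
    finally {
        $client.Dispose()
    }
}

# Usage: Test-LdapsEndpoint -Server 'ldapstest.example.local'
```

A ValidationErrors value of RemoteCertificateChainErrors means the client does not trust the CA that issued the DC's certificate. With the standalone CA chosen earlier in the post, the root certificate is not published to Active Directory automatically, so it has to be distributed to clients (for example through Group Policy) before applications will accept the LDAPS connection; ldp.exe connecting successfully on the DC itself does not prove that other machines will.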

4 thoughts on “Configure LDAP SSL”

  1. Heya, I am here for the first time. I came across this board and I find it really useful; it helped me out a lot. I’m hoping to give something back and help others like you helped me.


  2. I do enjoy the way you have presented this concern and it really does present me some fodder for consideration. On the other hand, from just what I have seen, I just simply trust when the commentary stack on that people continue to be on issue and don’t start upon a soap box regarding some other news of the day. Still, thank you for this fantastic point and although I do not agree with the idea in totality, I regard your point of view.
