Summary
Question
This document explains how to config LDAPS(https) in Active Direcotry.
Answer
1. Create root certificate
cmd> openssl genrsa -aes256 -out ca_private.key 4096
openssl req -new -x509 -days 3650 -key ca_private.key -out ca_public.crt
example)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
C:\Author\ssl_scripts_v1.93>openssl genrsa -aes256 -out ca_private.key 4096
Loading 'screen' into random state - done
Generating RSA private key, 4096 bit long modulus
................................................................................
.......................................................++
................................................................................
........................................................++
e is 65537 (0x10001)
Enter pass phrase for ca_private.key: <----- type 'changeit' which is private key's password
Verifying - Enter pass phrase for ca_private.key:
C:\Author\ssl_scripts_v1.93>
C:\Author\ssl_scripts_v1.93>openssl req -new -x509 -days 3650 -key ca_private.key -out ca_public.crt
Enter pass phrase for ca_private.key:
Loading 'screen' into random state - done
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []: <---- type 'SelfSigned for LDAPS by Author'
Email Address []:
C:\Author\ssl_scripts_v1.93>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2. Import root certificate into trusted store of domain controller
PowerShell > Import-Certificate -FilePath ca_public.crt -CertStoreLocation Cert:\LocalMachine\Root;
--> 'ca_public.crt' is imported into 'Trusted Root Certificate Authorities'
example)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
PS C:\Author\ssl_scripts_v1.93> Import-Certificate -FilePath ca_public.crt -CertStoreLocation Cert:\LocalMachine\Root;
Directory: Microsoft.PowerShell.Security\Certificate::LocalMachine\Root
Thumbprint Subject
---------- -------
E7383252B91A891EB33E5F2B3798B35E359204FA CN=SelfSigned for LDAPS by Author, O=Internet Widgits Pty Ltd, S=Some-State,...
PS C:\Author\ssl_scripts_v1.93>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- for verifying it
a. execute certmgr.msc
b. goto folder, "Trusted Root Certification Authorities"
c. verify that ce_publi.crt is imported
3. Create client certificate
- create text file, ldapcert.inf
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[Version]
Signature="$Windows NT$"
[NewRequest]
Subject = "CN=hostname1.domain1.com"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1 ; Server Authentication
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- create ldap certificate information file,
cmd> certreq -new ldapcert.inf ldapcert.csr
example)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
C:\Author\ssl_scripts_v1.93>certreq -new ldapcert.inf ldapcert.csr
CertReq: Request Created
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- create text file, v3ext.txt
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectKeyIdentifier=hash
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- create certificate,
cmd> openssl x509 -req -days 3650 -in ldapcert.csr -CA ca_public.crt -CAkey ca_private.key -extfile v3ext.txt -set_serial 01 -out ldapcert.crt
example)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
C:\Author\ssl_scripts_v1.93>openssl x509 -req -days 3650 -in ldapcert.csr -CA ca_public.crt -CAkey ca_private.key -extfile v3ext.txt -set_serial 01 -out ldapcert.crt
Loading 'screen' into random state - done
Signature ok
subject=/CN=pue01vm1232.pue01vm1232.swinfra.net
Getting CA Private Key
Enter pass phrase for ca_private.key:
C:\Author\ssl_scripts_v1.93>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- verify generated certificate,
cmd> openssl x509 -in ldapcert.crt -text
example)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
C:\Author\SAML\ssl_scripts_v1.93>openssl x509 -req -days 3650 -in ldapcert.csr -CA ca_public.crt -CAkey ca_private.key -extfile v3ext.txt -set_serial 01 -out ldapcert.crt
Loading 'screen' into random state - done
Signature ok
subject=/CN=hostname1.domain1.com <------------------------- LDAP Server's FQDN
Getting CA Private Key
Enter pass phrase for ca_private.key:
C:\Author\SAML\ssl_scripts_v1.93>openssl x509 -in ldapcert.crt -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=SelfSigned for LDAPS by Author
Validity
Not Before: Jan 18 08:50:44 2021 GMT
Not After : Jan 16 08:50:44 2031 GMT
Subject: CN=hostname1.domain1.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b9:a0:00:e1:e8:09:da:54:99:a5:d3:d7:12:0f:
d4:1c:ab:a5:4e:f4:44:b2:4d:a5:36:ce:c0:14:ab:
13:52:7c:8c:e9:66:5a:db:cd:31:ff:3a:6f:b2:59:
d0:2b:ee:b4:c4:d2:5a:6b:71:2e:93:a9:9c:36:bd:
02:a7:6c:fa:34:a0:6b:55:b7:3f:5d:9d:7a:21:6d:
d2:b7:c1:17:e9:16:cf:d2:6a:01:de:95:f6:13:66:
9d:bb:ac:54:9a:a5:6d:ac:0e:c2:8c:c6:67:3a:02:
c8:1f:6a:8b:ec:22:b9:56:a0:98:86:15:ef:91:38:
52:ea:de:de:15:72:43:07:9b:ff:12:3d:ca:82:af:
43:f2:0b:f2:be:5a:99:76:d4:e6:b4:48:00:21:89:
19:4d:98:16:53:25:1b:6a:09:c3:56:02:ba:d2:f3:
0f:0b:a6:ff:e8:2e:86:bc:47:d8:72:96:25:1a:2e:
c6:a4:97:ef:fe:ec:85:33:6e:6b:c1:e8:e7:a7:f4:
b5:81:b5:7d:67:9e:58:3d:ac:1c:3a:a4:89:1c:12:
5c:77:36:4e:af:82:96:de:95:ef:1f:38:35:17:21:
16:8f:67:6f:1a:df:c9:9b:26:f9:4e:1a:6c:66:35:
58:22:fb:c6:32:78:43:c0:19:d5:d6:b2:aa:b0:8b:
d6:5d
Exponent: 65537 (0x10001)
X509v3 extensions: <------------ X509 extentions
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Subject Key Identifier:
75:6E:53:A5:A3:6E:90:8B:AC:62:7C:5B:DB:9C:82:8E:F2:84:6A:F8
Signature Algorithm: sha256WithRSAEncryption
1f:5c:0a:62:c7:77:28:93:68:42:f1:df:5a:f4:47:9f:b8:05:
6a:c5:e8:bf:4e:7f:ba:3b:6c:53:3c:e3:72:85:21:5e:3d:5a:
86:72:52:a0:10:17:f2:14:9a:14:11:2b:1b:02:60:1d:36:31:
8f:67:9c:7b:dc:aa:50:9c:26:f0:77:d0:5e:89:4d:46:72:de:
d8:e3:2c:c5:64:de:a0:15:d0:fd:74:ec:b9:52:c7:33:0f:6c:
cf:40:29:c4:f4:e2:0d:7d:aa:5c:8e:5a:11:b6:3b:11:d9:39:
c7:f6:23:89:b2:ac:20:3d:13:f5:68:11:7e:9b:7f:9e:57:b9:
82:88:3b:9a:36:2e:2d:83:4f:97:df:0a:9d:44:05:8d:62:f5:
6b:e9:62:5f:bc:92:f5:58:3f:ed:54:6e:73:1e:81:61:09:0d:
44:92:7d:7b:36:3b:f1:bd:ee:ee:ed:bd:d3:c2:36:ac:46:38:
f8:c9:a8:3d:ed:1c:cc:93:c7:03:1e:af:e5:4d:63:b9:ac:45:
c4:8b:d6:1f:26:f1:ff:48:3f:21:63:a0:d6:62:a4:24:0f:6e:
a7:fe:e7:09:ae:5d:36:e4:fc:4f:b3:96:e9:67:cf:bc:97:99:
75:dc:9f:1c:29:02:e7:79:84:ad:58:d6:61:fd:26:e4:42:f4:
c7:e3:16:71:7f:6c:d4:53:41:07:67:61:c5:f8:57:4e:93:05:
a4:55:2a:83:37:8a:7a:df:c1:38:03:77:cf:3f:3b:97:81:da:
db:1c:44:5f:51:d7:54:d4:24:17:de:09:13:e5:cd:70:39:85:
7e:0e:bf:6c:ab:71:2b:8e:f5:cf:8d:3a:53:9c:4c:7d:b4:da:
75:09:a5:f9:1a:c8:c1:c1:3b:7b:50:a7:3c:93:7b:77:0f:c2:
1b:e3:ea:2b:8d:46:42:4a:1f:6c:ac:ac:f6:26:fb:be:55:14:
56:1d:d8:57:43:8b:05:9f:b8:08:ac:13:40:45:1d:a4:22:ce:
04:99:72:fc:56:93:49:b2:26:2d:76:f8:6f:f6:fe:0a:29:78:
93:15:d1:fc:60:c4:29:99:a0:16:33:ce:f0:e7:be:73:89:73:
00:05:a9:0a:86:07:90:ac:b7:9b:7a:00:2d:e6:51:3b:8d:80:
a7:f6:49:b5:75:8f:9d:84:81:98:b4:22:e4:c8:e9:56:16:19:
8a:e3:1c:13:08:f0:c8:39:33:71:45:d6:01:6c:cc:25:e1:f9:
3f:5a:ca:70:76:1a:25:43:51:14:2c:a8:7a:eb:eb:99:f8:2c:
b3:6e:94:a5:ce:4c:e8:bf:be:a3:3d:ed:da:be:5f:7a:8b:57:
38:18:fb:5e:f9:50:39:b1
-----BEGIN CERTIFICATE-----
MIIERTCCAi2gAwIBAgIBATANBgkqhkiG9w0BAQsFADBsMQswCQYDVQQGEwJBVTET
MBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQ
dHkgTHRkMSUwIwYDVQQDDBxTZWxmU2lnbmVkIGZvciBMREFQUyBieSBFcmljMB4X
DTIxMDExODA4NTA0NFoXDTMxMDExNjA4NTA0NFowGzEZMBcGA1UEAwwQZTgxMDEu
ZTgxMDFkLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALmgAOHo
CdpUmaXT1xIP1ByrpU70RLJNpTbOwBSrE1J8jOlmWtvNMf86b7JZ0CvutMTSWmtx
LpOpnDa9Aqds+jSga1W3P12deiFt0rfBF+kWz9JqAd6V9hNmnbusVJqlbawOwozG
ZzoCyB9qi+wiuVagmIYV75E4Uure3hVyQweb/xI9yoKvQ/IL8r5amXbU5rRIACGJ
GU2YFlMlG2oJw1YCutLzDwum/+guhrxH2HKWJRouxqSX7/7shTNua8Ho56f0tYG1
fWeeWD2sHDqkiRwSXHc2Tq+Clt6V7x84NRchFo9nbxrfyZsm+U4abGY1WCL7xjJ4
Q8AZ1dayqrCL1l0CAwEAAaNDMEEwCwYDVR0PBAQDAgWgMBMGA1UdJQQMMAoGCCsG
AQUFBwMBMB0GA1UdDgQWBBR1blOlo26Qi6xifFvbnIKO8oRq+DANBgkqhkiG9w0B
AQsFAAOCAgEAH1wKYsd3KJNoQvHfWvRHn7gFasXov05/ujtsUzzjcoUhXj1ahnJS
oBAX8hSaFBErGwJgHTYxj2ece9yqUJwm8HfQXolNRnLe2OMsxWTeoBXQ/XTsuVLH
Mw9sz0ApxPTiDX2qXI5aEbY7Edk5x/YjibKsID0T9WgRfpt/nle5gog7mjYuLYNP
l98KnUQFjWL1a+liX7yS9Vg/7VRucx6BYQkNRJJ9ezY78b3u7u2908I2rEY4+Mmo
Pe0czJPHAx6v5U1juaxFxIvWHybx/0g/IWOg1mKkJA9up/7nCa5dNuT8T7OW6WfP
vJeZddyfHCkC53mErVjWYf0m5EL0x+MWcX9s1FNBB2dhxfhXTpMFpFUqgzeKet/B
OAN3zz87l4Ha2xxEX1HXVNQkF94JE+XNcDmFfg6/bKtxK471z406U5xMfbTadQml
+RrIwcE7e1CnPJN7dw/CG+PqK41GQkofbKys9ib7vlUUVh3YV0OLBZ+4CKwTQEUd
pCLOBJly/FaTSbImLXb4b/b+Cil4kxXR/GDEKZmgFjPO8Oe+c4lzAAWpCoYHkKy3
m3oALeZRO42Ap/ZJtXWPnYSBmLQi5MjpVhYZiuMcEwjwyDkzcUXWAWzMJeH5P1rK
cHYaJUNRFCyoeuvrmfgss26Upc5M6L++oz3t2r5feotXOBj7XvlQObE=
-----END CERTIFICATE-----
C:\Author\SAML\ssl_scripts_v1.93>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- Ensure the following X509v3 extensions are all present:
X509v3 Key Usage: Digital Signature, Key Encipherment
X509v3 Extended Key Usage: TLS Web Server Authentication
X509v3 Subject Key Identifier
4. Accept and import certificate
- From the active directory server with ldapcert.crt present, run the following:
C:\> certreq -accept ldapcert.crt
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
C:\Author\ssl_scripts_v1.93>certreq -accept ldapcert.crt
C:\Author\ssl_scripts_v1.93>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
5. Reload active directory SSL certificate(Binding)
- create text file, ldap-renewservercert.txt
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
dn:
changetype: modify
add: renewServerCertificate
renewServerCertificate: 1
-
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- binding new certificate file
cmd> ldifde -i -f ldap-renewservercert.txt
@Author,
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
C:\Author\SAML\ssl_scripts_v1.93>ldifde -i -f ldap-renewservercert.txt
Connecting to "hostname1.domain1.com"
Logging in as current user using SSPI
Importing directory from file "ldap-renewservercert.txt"
Loading entries..
1 entry modified successfully.
The command has completed successfully
C:\Author\SAML\ssl_scripts_v1.93>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
6. Verify with LDP tool
- goto any Windows Server which has Active Directory.
cmd> ldp
1) connect LDAP(http)
server: hostname1.domain1.com
port: 389
( ) Connectionless
( ) SSL
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ld = ldap_open("hostname1.domain1.com", 389);
Established connection to hostname1.domain1.com.
Retrieving base DSA information...
Getting 1 entries:
Dn: (RootDSE)
configurationNamingContext: CN=Configuration,DC=domain1,DC=com;
currentTime: 1/19/2021 3:40:45 PM Korea Standard Time;
defaultNamingContext: DC=domain1,DC=com;
dnsHostName: hostname1.domain1.com;
domainControllerFunctionality: 6 = ( WIN2012R2 );
domainFunctionality: 6 = ( WIN2012R2 );
dsServiceName: CN=NTDS Settings,CN=hostname1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain1,DC=com;
forestFunctionality: 6 = ( WIN2012R2 );
highestCommittedUSN: 57387;
isGlobalCatalogReady: TRUE;
isSynchronized: TRUE;
ldapServiceName: domain1.com:hostname1$@domain1.COM;
namingContexts (5): DC=domain1,DC=com; CN=Configuration,DC=domain1,DC=com; CN=Schema,CN=Configuration,DC=domain1,DC=com; DC=DomainDnsZones,DC=domain1,DC=com; DC=ForestDnsZones,DC=domain1,DC=com;
rootDomainNamingContext: DC=domain1,DC=com;
schemaNamingContext: CN=Schema,CN=Configuration,DC=domain1,DC=com;
serverName: CN=hostname1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain1,DC=com;
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=domain1,DC=com;
supportedCapabilities (6): 1.2.840.113556.1.4.800 = ( ACTIVE_DIRECTORY ); 1.2.840.113556.1.4.1670 = ( ACTIVE_DIRECTORY_V51 ); 1.2.840.113556.1.4.1791 = ( ACTIVE_DIRECTORY_LDAP_INTEG ); 1.2.840.113556.1.4.1935 = ( ACTIVE_DIRECTORY_V61 ); 1.2.840.113556.1.4.2080 = ( ACTIVE_DIRECTORY_V61_R2 ); 1.2.840.113556.1.4.2237 = ( ACTIVE_DIRECTORY_W8 );
supportedControl (37): 1.2.840.113556.1.4.319 = ( PAGED_RESULT ); 1.2.840.113556.1.4.801 = ( SD_FLAGS ); 1.2.840.113556.1.4.473 = ( SORT ); 1.2.840.113556.1.4.528 = ( NOTIFICATION ); 1.2.840.113556.1.4.417 = ( SHOW_DELETED ); 1.2.840.113556.1.4.619 = ( LAZY_COMMIT ); 1.2.840.113556.1.4.841 = ( DIRSYNC ); 1.2.840.113556.1.4.529 = ( EXTENDED_DN ); 1.2.840.113556.1.4.805 = ( TREE_DELETE ); 1.2.840.113556.1.4.521 = ( CROSSDOM_MOVE_TARGET ); 1.2.840.113556.1.4.970 = ( GET_STATS ); 1.2.840.113556.1.4.1338 = ( VERIFY_NAME ); 1.2.840.113556.1.4.474 = ( RESP_SORT ); 1.2.840.113556.1.4.1339 = ( DOMAIN_SCOPE ); 1.2.840.113556.1.4.1340 = ( SEARCH_OPTIONS ); 1.2.840.113556.1.4.1413 = ( PERMISSIVE_MODIFY ); 2.16.840.1.113730.3.4.9 = ( VLVREQUEST ); 2.16.840.1.113730.3.4.10 = ( VLVRESPONSE ); 1.2.840.113556.1.4.1504 = ( ASQ ); 1.2.840.113556.1.4.1852 = ( QUOTA_CONTROL ); 1.2.840.113556.1.4.802 = ( RANGE_OPTION ); 1.2.840.113556.1.4.1907 = ( SHUTDOWN_NOTIFY ); 1.2.840.113556.1.4.1948 = ( RANGE_RETRIEVAL_NOERR ); 1.2.840.113556.1.4.1974 = ( FORCE_UPDATE ); 1.2.840.113556.1.4.1341 = ( RODC_DCPROMO ); 1.2.840.113556.1.4.2026 = ( DN_INPUT ); 1.2.840.113556.1.4.2064 = ( SHOW_RECYCLED ); 1.2.840.113556.1.4.2065 = ( SHOW_DEACTIVATED_LINK ); 1.2.840.113556.1.4.2066 = ( POLICY_HINTS_DEPRECATED ); 1.2.840.113556.1.4.2090 = ( DIRSYNC_EX ); 1.2.840.113556.1.4.2205 = ( UPDATE_STATS ); 1.2.840.113556.1.4.2204 = ( TREE_DELETE_EX ); 1.2.840.113556.1.4.2206 = ( SEARCH_HINTS ); 1.2.840.113556.1.4.2211 = ( EXPECTED_ENTRY_COUNT ); 1.2.840.113556.1.4.2239 = ( POLICY_HINTS ); 1.2.840.113556.1.4.2255; 1.2.840.113556.1.4.2256;
supportedLDAPPolicies (19): MaxPoolThreads; MaxPercentDirSyncRequests; MaxDatagramRecv; MaxReceiveBuffer; InitRecvTimeout; MaxConnections; MaxConnIdleTime; MaxPageSize; MaxBatchReturnMessages; MaxQueryDuration; MaxTempTableSize; MaxResultSetSize; MinResultSets; MaxResultSetsPerConn; MaxNotificationPerConn; MaxValRange; MaxValRangeTransitive; ThreadMemoryLimit; SystemMemoryLimitPercent;
supportedLDAPVersion (2): 3; 2;
supportedSASLMechanisms (4): GSSAPI; GSS-SPNEGO; EXTERNAL; DIGEST-MD5;
-----------
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2) connect LDAPS(https)
server: hostname1.domain1.com
port: 636
( ) Connectionless
(*) SSL
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ld = ldap_sslinit("hostname1.domain1.com", 636, 1);
Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 0 = ldap_connect(hLdap, NULL);
Error 0 = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
Host supports SSL, SSL cipher strength = 256 bits
Established connection to hostname1.domain1.com.
Retrieving base DSA information...
Getting 1 entries:
Dn: (RootDSE)
configurationNamingContext: CN=Configuration,DC=domain1,DC=com;
currentTime: 1/18/2021 5:53:39 PM Korea Standard Time;
defaultNamingContext: DC=domain1,DC=com;
dnsHostName: hostname1.domain1.com;
domainControllerFunctionality: 6 = ( WIN2012R2 );
domainFunctionality: 6 = ( WIN2012R2 );
dsServiceName: CN=NTDS Settings,CN=hostname1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain1,DC=com;
forestFunctionality: 6 = ( WIN2012R2 );
highestCommittedUSN: 53289;
isGlobalCatalogReady: TRUE;
isSynchronized: TRUE;
ldapServiceName: domain1.com:hostname1$@domain1.COM;
namingContexts (5): DC=domain1,DC=com; CN=Configuration,DC=domain1,DC=com; CN=Schema,CN=Configuration,DC=domain1,DC=com; DC=DomainDnsZones,DC=domain1,DC=com; DC=ForestDnsZones,DC=domain1,DC=com;
rootDomainNamingContext: DC=domain1,DC=com;
schemaNamingContext: CN=Schema,CN=Configuration,DC=domain1,DC=com;
serverName: CN=hostname1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain1,DC=com;
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=domain1,DC=com;
supportedCapabilities (6): 1.2.840.113556.1.4.800 = ( ACTIVE_DIRECTORY ); 1.2.840.113556.1.4.1670 = ( ACTIVE_DIRECTORY_V51 ); 1.2.840.113556.1.4.1791 = ( ACTIVE_DIRECTORY_LDAP_INTEG ); 1.2.840.113556.1.4.1935 = ( ACTIVE_DIRECTORY_V61 ); 1.2.840.113556.1.4.2080 = ( ACTIVE_DIRECTORY_V61_R2 ); 1.2.840.113556.1.4.2237 = ( ACTIVE_DIRECTORY_W8 );
supportedControl (37): 1.2.840.113556.1.4.319 = ( PAGED_RESULT ); 1.2.840.113556.1.4.801 = ( SD_FLAGS ); 1.2.840.113556.1.4.473 = ( SORT ); 1.2.840.113556.1.4.528 = ( NOTIFICATION ); 1.2.840.113556.1.4.417 = ( SHOW_DELETED ); 1.2.840.113556.1.4.619 = ( LAZY_COMMIT ); 1.2.840.113556.1.4.841 = ( DIRSYNC ); 1.2.840.113556.1.4.529 = ( EXTENDED_DN ); 1.2.840.113556.1.4.805 = ( TREE_DELETE ); 1.2.840.113556.1.4.521 = ( CROSSDOM_MOVE_TARGET ); 1.2.840.113556.1.4.970 = ( GET_STATS ); 1.2.840.113556.1.4.1338 = ( VERIFY_NAME ); 1.2.840.113556.1.4.474 = ( RESP_SORT ); 1.2.840.113556.1.4.1339 = ( DOMAIN_SCOPE ); 1.2.840.113556.1.4.1340 = ( SEARCH_OPTIONS ); 1.2.840.113556.1.4.1413 = ( PERMISSIVE_MODIFY ); 2.16.840.1.113730.3.4.9 = ( VLVREQUEST ); 2.16.840.1.113730.3.4.10 = ( VLVRESPONSE ); 1.2.840.113556.1.4.1504 = ( ASQ ); 1.2.840.113556.1.4.1852 = ( QUOTA_CONTROL ); 1.2.840.113556.1.4.802 = ( RANGE_OPTION ); 1.2.840.113556.1.4.1907 = ( SHUTDOWN_NOTIFY ); 1.2.840.113556.1.4.1948 = ( RANGE_RETRIEVAL_NOERR ); 1.2.840.113556.1.4.1974 = ( FORCE_UPDATE ); 1.2.840.113556.1.4.1341 = ( RODC_DCPROMO ); 1.2.840.113556.1.4.2026 = ( DN_INPUT ); 1.2.840.113556.1.4.2064 = ( SHOW_RECYCLED ); 1.2.840.113556.1.4.2065 = ( SHOW_DEACTIVATED_LINK ); 1.2.840.113556.1.4.2066 = ( POLICY_HINTS_DEPRECATED ); 1.2.840.113556.1.4.2090 = ( DIRSYNC_EX ); 1.2.840.113556.1.4.2205 = ( UPDATE_STATS ); 1.2.840.113556.1.4.2204 = ( TREE_DELETE_EX ); 1.2.840.113556.1.4.2206 = ( SEARCH_HINTS ); 1.2.840.113556.1.4.2211 = ( EXPECTED_ENTRY_COUNT ); 1.2.840.113556.1.4.2239 = ( POLICY_HINTS ); 1.2.840.113556.1.4.2255; 1.2.840.113556.1.4.2256;
supportedLDAPPolicies (19): MaxPoolThreads; MaxPercentDirSyncRequests; MaxDatagramRecv; MaxReceiveBuffer; InitRecvTimeout; MaxConnections; MaxConnIdleTime; MaxPageSize; MaxBatchReturnMessages; MaxQueryDuration; MaxTempTableSize; MaxResultSetSize; MinResultSets; MaxResultSetsPerConn; MaxNotificationPerConn; MaxValRange; MaxValRangeTransitive; ThreadMemoryLimit; SystemMemoryLimitPercent;
supportedLDAPVersion (2): 3; 2;
supportedSASLMechanisms (4): GSSAPI; GSS-SPNEGO; EXTERNAL; DIGEST-MD5;
-----------
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
References:
https://astrix.co.uk/news/2020/1/31/how-to-set-up-secure-ldap-for-active-directory#CSR
https://astrix.co.uk/news/2020/1/31/how-to-set-up-secure-ldap-for-active-directory#selfsigned
https://bl.ocks.org/magnetikonline/0ccdabfec58eb1929c997d22e7341e45