Configure Active Directory with SSL - Revision history

Ddebyttere at 13:10, 7 May 2012

2012-05-07T13:10:31Z

← Older revision		Revision as of 13:10, 7 May 2012
Line 9:		Line 9:
	<h2>Setting up Active Directory for SSL access</h2>		<h2>Setting up Active Directory for SSL access</h2>

-	Make sure that the Certificate Authority is installed on the DC running your Active Directory. ~~If it is not installed, you can install it as follows:~~	+	Make sure that the Certificate Authority is installed on the DC running your Active Directory.

		+	<h4>Windows 2003</h4>
		+	If it is not installed, you can install it as follows:
	# Click '''Start''' -> '''Control Panel''' -> '''Add or Remove Programs'''		# Click '''Start''' -> '''Control Panel''' -> '''Add or Remove Programs'''
	# Click ''Add/Remove Windows Components'' and select '''Certificate Services'''		# Click ''Add/Remove Windows Components'' and select '''Certificate Services'''
	# Follow the procedure provided to install the Certificate Services CA.		# Follow the procedure provided to install the Certificate Services CA.

		+	<h4>Windows 2008</h4>
		+	Follow:
		+	http://blogs.msdn.com/b/sowmyancs/archive/2010/02/12/how-to-enable-active-directory-certificate-service-in-your-windows-server-2008-r2.aspx
		+
		+	<h4>Linux</h4>
	After installation, you must reboot your Active Directory server to make sure the Active Directory server is accepting TLS/SSL connections.		After installation, you must reboot your Active Directory server to make sure the Active Directory server is accepting TLS/SSL connections.

Ddebyttere at 13:04, 7 May 2012

2012-05-07T13:04:31Z

← Older revision		Revision as of 13:04, 7 May 2012
Line 1:		Line 1:
-	~~<div style="color:red;font-weight:bold;">This article is only for Windows 2003 and earlier</div>~~
-
	When integrating ZCP with a Microsoft's Active Directory Service (ADS) it is possible to administer users, groups and companies directly from ADS.		When integrating ZCP with a Microsoft's Active Directory Service (ADS) it is possible to administer users, groups and companies directly from ADS.
	This combines the scalability and low-cost advantages of ZCP on Linux, with the comfort of a well known front-end for administration to those already acquainted with ADS.		This combines the scalability and low-cost advantages of ZCP on Linux, with the comfort of a well known front-end for administration to those already acquainted with ADS.

Ddebyttere at 13:03, 7 May 2012

2012-05-07T13:03:38Z

← Older revision		Revision as of 13:03, 7 May 2012
Line 1:		Line 1:
-	When integrating ZCP with a Microsoft's Active Directory Service (ADS) it is possible to administer users, groups and companies directly from ADS. This combines the scalability and low-cost advantages of ZCP on Linux, with the comfort of a well known front-end for administration to those already acquainted with ADS.	+	<div style="color:red;font-weight:bold;">This article is only for Windows 2003 and earlier</div>
		+
		+	When integrating ZCP with a Microsoft's Active Directory Service (ADS) it is possible to administer users, groups and companies directly from ADS.
		+	This combines the scalability and low-cost advantages of ZCP on Linux, with the comfort of a well known front-end for administration to those already acquainted with ADS.

	The Zarafa Server connects with ADS by standard LDAP access over port 389 or 636 (SSL).		The Zarafa Server connects with ADS by standard LDAP access over port 389 or 636 (SSL).

Msartor at 15:01, 8 September 2010

2010-09-08T15:01:32Z

← Older revision		Revision as of 15:01, 8 September 2010
Line 2:		Line 2:

	The Zarafa Server connects with ADS by standard LDAP access over port 389 or 636 (SSL).		The Zarafa Server connects with ADS by standard LDAP access over port 389 or 636 (SSL).
		+
		+	This document has only been tested once on Windows 2003.

Admin at 12:22, 1 March 2010

2010-03-01T12:22:39Z

← Older revision		Revision as of 12:22, 1 March 2010
Line 4:		Line 4:


-	~~'''~~Setting up Active Directory for SSL access~~'''~~	+	<h2>Setting up Active Directory for SSL access</h2>

	Make sure that the Certificate Authority is installed on the DC running your Active Directory. If it is not installed, you can install it as follows:		Make sure that the Certificate Authority is installed on the DC running your Active Directory. If it is not installed, you can install it as follows:
Line 22:		Line 22:


-	~~'''~~Retrieving the CA certificate from ADS~~'''~~	+	<h2>Retrieving the CA certificate from ADS</h2>

	You can also retrieve the CA certificate from your local AD server so that all communication is local during LDAP accesses. To retrieve the certificate from the MS Windows Server:		You can also retrieve the CA certificate from your local AD server so that all communication is local during LDAP accesses. To retrieve the certificate from the MS Windows Server:

Admin at 12:20, 1 March 2010

2010-03-01T12:20:21Z

← Older revision		Revision as of 12:20, 1 March 2010
Line 8:		Line 8:
	Make sure that the Certificate Authority is installed on the DC running your Active Directory. If it is not installed, you can install it as follows:		Make sure that the Certificate Authority is installed on the DC running your Active Directory. If it is not installed, you can install it as follows:

-	# Click Start -> Control Panel -> Add or Remove Programs	+	# Click '''Start''' -> '''Control Panel''' -> '''Add or Remove Programs'''
-	# Click Add/Remove Windows Components and select Certificate Services	+	# Click ''Add/Remove Windows Components'' and select '''Certificate Services'''
	# Follow the procedure provided to install the Certificate Services CA.		# Follow the procedure provided to install the Certificate Services CA.

Line 26:		Line 26:
	You can also retrieve the CA certificate from your local AD server so that all communication is local during LDAP accesses. To retrieve the certificate from the MS Windows Server:		You can also retrieve the CA certificate from your local AD server so that all communication is local during LDAP accesses. To retrieve the certificate from the MS Windows Server:

-	# Click Start -> Control Panel -> Administrative Tools -> Certificate Authority to open the CA Microsoft Management Console (MMC) GUI.	+	# Click '''Start''' -> '''Control Panel''' -> '''Administrative Tools''' -> '''Certificate Authority''' to open the CA Microsoft Management Console (MMC) GUI.
-	# Highlight the CA machine and right-click to select Properties for the CA.	+	# Highlight the CA machine and right-click to select '''Properties''' for the CA.
-	# From General menu, click View Certificate.	+	# From General menu, click View '''Certificate'''.
-	# Select the Details view, and click the Copy to File button on the lower-right corner of the window.	+	# Select the '''Details''' view, and click the '''Copy to File''' button on the lower-right corner of the window.
	# Use the Certificate Export Wizard to save the CA certificate in a file. (Use ASCII mode)		# Use the Certificate Export Wizard to save the CA certificate in a file. (Use ASCII mode)

Admin: New page: When integrating ZCP with a Microsoft's Active Directory Service (ADS) it is possible to administer users, groups and companies directly from ADS. This combines the scalability and low-cos...

2010-03-01T12:17:42Z

New page: When integrating ZCP with a Microsoft's Active Directory Service (ADS) it is possible to administer users, groups and companies directly from ADS. This combines the scalability and low-cos...

New page

When integrating ZCP with a Microsoft's Active Directory Service (ADS) it is possible to administer users, groups and companies directly from ADS. This combines the scalability and low-cost advantages of ZCP on Linux, with the comfort of a well known front-end for administration to those already acquainted with ADS.

The Zarafa Server connects with ADS by standard LDAP access over port 389 or 636 (SSL).

'''Setting up Active Directory for SSL access'''

Make sure that the Certificate Authority is installed on the DC running your Active Directory. If it is not installed, you can install it as follows:

# Click Start -> Control Panel -> Add or Remove Programs
# Click Add/Remove Windows Components and select Certificate Services
# Follow the procedure provided to install the Certificate Services CA.

After installation, you must reboot your Active Directory server to make sure the Active Directory server is accepting TLS/SSL connections.

Now, you must configure your Linux server to connect to the SSL port of the Active Directory. This must be done in the system-wide configuration file /etc/ldap/ldap.conf with the configuration option TLS_CACERT. This must be configured to point to a CA (Certificate Authority) that can authorize the server certificate on the AD Server.
This can be done either by using the AD server itself as a Certificate Authority (CA) or by using an online CA server. The latter is not recommended due to the time it takes to request the certificate on the internet. If you want to use an online CA, you will need a line like

TLS_CACERTDIR /etc/ssl/certs

This assumes your CA certificates are installed in /etc/ssl/certs. Please refer to your Linux distribution's documentation on where to find the CA certificates or how to install them. (Tip: on debian, you must install the 'ca-certificates' package, while SuSE and RedHat install the certificates together with the 'openssl' package, sometimes in /usr/share/ssl/certs).

'''Retrieving the CA certificate from ADS'''

You can also retrieve the CA certificate from your local AD server so that all communication is local during LDAP accesses. To retrieve the certificate from the MS Windows Server:

# Click Start -> Control Panel -> Administrative Tools -> Certificate Authority to open the CA Microsoft Management Console (MMC) GUI.
# Highlight the CA machine and right-click to select Properties for the CA.
# From General menu, click View Certificate.
# Select the Details view, and click the Copy to File button on the lower-right corner of the window.
# Use the Certificate Export Wizard to save the CA certificate in a file. (Use ASCII mode)

The certificate will be saved as a .CER file, but you can simply rename the file to a .PEM file. The filename of the .PEM file is not important.
You can now copy the certificate to your Linux server, for example into /etc/ssl/certs/AD.pem
To use this certificate, please specify

TLS_CACERT /etc/ssl/certs/AD.pem

in your /etc/ldap/ldap.conf file, or use (also in /etc/ldap/ldap.conf)

TLS_CACERTDIR /etc/ssl/certs

to accept any CA in the /etc/ssl/certs directory. If you use TLS_CACERTDIR, you must also create the hash link in /etc/ssl/certs: In debian, this is accomplished by running 'update-ca-certificates'. In other Linux distributions, you must create the link manually with

$ ln -s /etc/ssl/certs/AD.pem `openssl x509 -noout -hash -in /etc/ssl/certs/AD.pem`

You can check whether the SSL connection is working and see what is happening by issuing the command:

$ openssl s_client -connect <ip>:636 -CApath /etc/ssl/certs

To test whether the SSL connection is working correctly with LDAP, try the following command:

$ ldapsearch -x -H ldaps://ads.domain.com -b <BASEDN> -D <binddn> -w <password>

If ldapsearch fails, while the s_client test returns with 'Verify return code 0 (ok)', please make sure that the URL you are connecting with after the -H option contains the exact same hostname as is specified behind CN= in the output of s_client (at the very beginning of the output from s_client).