Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Does LDAP over SSL require a cert on the client?

I am trying to resolve a problem whereby trying to set a users password over LDAP is failing because of an access denied error - even though I am authenticating against the AD with an admin user.

An answer found in stackoverflow says that either I have to run the IIS user as the admin user (which does work) or i should connect to LDAP via SSL. I cant go with the first option because I am using Elastic Beanstalk which will create and terminate instances so i cant change/set the user that IIS will be running as. So I am trying to use the LDAP over SSL idea. My question is does that still require that the client itself also have a certificate installed in order to establish trust with the Domain controller? Or does this work just by installing a cert on the Domain controller and allowing the connection over SSL? If it requires a certificate on the client then I have the same problem as i cant install anything on the client server other than the deployed app since Beanstalk is going to recereate and terminate that instance at will.

So does LDAPS require a cert on the client? Is there a better way to solve my problem given the infrastructure i am using?

like image 486
Gotts Avatar asked Nov 26 '14 13:11

Gotts


People also ask

Does LDAPS require a client certificate?

LDAPS Server Certificate Requirements. LDAPS requires a properly formatted X. 509 certificate on all your Windows DCs. This certificate lets a DC's LDAP service listen for and automatically accept SSL connections for both LDAP and Global Catalog (GC) traffic.

Does LDAP signing require a certificate?

LDAP Channel Binding requires that you install and distribute a TLS/SSL web certificate just like on a secure website. LDAP TLS/SSL connections are typically only used by Linux-compatible apps like ldp.


2 Answers

This is what I found using trial and error approach: Actually, LDAPS server always asks for client certificate. You can verify that by turning on SCHANNEL log and observing the following message:

enter image description here

If there is no client authentication certificate than LDAPS connection still succeeds, i.e. no client authentication certificate is required indeed. But if you have some invalid client authentication certificate (in my case it was an expired cert installed long ago by a third party app) the connection will fail w/o any error or warning in SCHANNEL log on the client side. It took me a while to figure this out.

like image 159
Slava Avatar answered Jan 03 '23 18:01

Slava


So does LDAPS require a cert on the client?

no, LDAPS do not require client certificate. Domain controller certificate is sufficient to utilize LDAPS. More details about LDAPS and certificate requirement: LDAP over SSL (LDAPS) Certificate

trying to set a users password over LDAP is failing because of an access denied error

there might be over9000 reasons why you receive this message. You need to check whether you are successfully authenticated on DC, if yes, check whether you have permissions and privileges (especially, if UAC is enabled). I would set up audit policies (on failed user password changes) and check Security eventlog to figure out what is going wrong.

like image 34
Crypt32 Avatar answered Jan 03 '23 17:01

Crypt32