Contents

 
 User Management Resource Administrator - Documentation Library
Expand UMRA Basics
Expand Getting Started
Expand Introduction to UMRA COM
Expand Windows Printer Queue Management
Expand Managing Windows computer services
Collapse Managing LDAP directory services
    Introduction
    Concept
   Expand UMRA LDAP script actions
   Expand Directory Service tasks
   Expand Novell eDirectory
   Expand Linux OpenLDAP
   Collapse Microsoft Active Directory
       Introduction
       Secure LDAP Active Directory environment
      Expand Creating user accounts in Microsoft Active Directory using LDAP
       Searching accounts and resetting passwords in Microsoft Active Directory using LDAP
       Updating group memberships in Microsoft Active Directory using LDAP
    References
Expand Name Generation
Expand UMRA Tables User Guide
Expand UMRA Automation
Expand Lotus Notes Configuration
Expand Reference Guide
Expand Release Notes
 Index
UMRA Home|Documentation|Features|Screenshots|Download trial|Download free trial|Request price quote

Previous Topic

Next Topic

Synchronize Contents

Index

Secure LDAP Active Directory environment

By default, the Microsoft LDAP implementation does not support secure LDAP. To setup secure LDAP using SSL, certificates must be installed on both sides, the LDAP Server and LDAP Client. In this case, the LDAP Server is the domain controller running Active Directory. The LDAP Client is the UMRA software, either the UMRA Console application or the UMRA Service.

The certificates required to run secure LDAP using SSL can be configured in many ways. The concept is always the same:

  1. The Active Directory domain controller uses a special certificate that is issued by a trusted certification authority.
  2. The UMRA software (computer) trusts the certification authority that issues the certificate to the Active Directory domain controller.

Creating the certificate listed in step 1 requires a special procedure, as described in article Q321051. In this document, the same steps are used and described. Also, the procedure to setup a Certification Authority is described.

First, a certificate request is created. Next, a Certification Authority (CA) is setup and the certificate is signed, e.g. issued by the certification authority. Finally, the root certificate of the certification authority is exported and then imported by the computer that runs the UMRA software.

In this procedure the environment used runs Active Directory on Windows 2003 Standard Edition. For Windows 2000, a similar procedure can be used. The Certification Authority is installed on a Windows 2003 domain controller. For other versions, the procedure might be different.

Creating an Active Directory domain controller certificate request

Log on to domain controller

This topic follows the guidelines of article Q321051. Log on to the domain controller (LDAP Server) with an enterprise administrator account.

To create the certificate request, the certreq.exe program is used. The certreq.exe program is part of the Windows installation and requires a text input file to generate a certificate request.

With your favorite ASCII editor (notepad.exe?), create a file with the following contents:

[Version]

Signature="$Windows NT$"

[NewRequest]

Subject = "CN=king.tools4ever.local3"

; replace with the FQDN of the DC

KeySpec = 1

KeyLength = 2048

; Can be 1024, 2048, 4096, 8192, or 16384.

; Larger key sizes are more secure, but have

; a greater impact on performance.

Exportable = TRUE

MachineKeySet = TRUE

SMIME = False

PrivateKeyArchive = FALSE

UserProtected = FALSE

UseExistingKeySet = FALSE

ProviderName = "Microsoft RSA SChannel Cryptographic Provider"

ProviderType = 12

RequestType = PKCS10

KeyUsage = 0xa0

[EnhancedKeyUsageExtension]

OID=1.3.6.1.5.5.7.3.1

In the file, the entry regarding the subject,

Subject = "CN=king.tools4ever.local3"

must be changed to contain the fully qualified domain name of the Active Directory domain controller that is going to support secure LDAP. Example:

Subject = "CN=OtherServer.mydomain.com"

Save the file to ldapcert.inf. From a command prompt, create the request file with certreq.exe:

certreq -new ldapcert.inf ldapcert.req

A new file is now created: ldapcert.req. This is the base64 encoded request file and it contains something like this:

-----BEGIN NEW CERTIFICATE REQUEST-----

MIIELDCCAxQCAQAwITEfMB0GA1UEAxMWa2luZy50b29sczRldmVyLmxvY2FsMzCC

ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANFwryRM0qxBNQKr/fQlZrbL

gqs9LMWFSolAzVA342N2RisBLXVFtuoNxZPkD0UIQmcLLjwBA8svmVsfLRMa+0yg

GKnxYkrpVLOwGkEsLtPKKrt/ZfS1IeChkTSC7xZ2U/ajx0qVqUyxtEfGvNl9t7gO

Qr5o0f4Ydeld70Y42J2uxmYophZQQrwfDxdE8RB98TjXm+ATdVbKw500Egv7oYD9

E5eH7tk3BVNzL65n+MdUTl3jtg7LiivFBbZrDy4WbDjQDcBTx8T98E6sgtOt5iMU

W3rdpPtg8kPWwCDCFPCaXTeaRnGWx5QlvfanoOml/EhxclXi82vCAH6HkTzy8rUC

AwEAAaCCAcQwGgYKKwYBBAGCNw0CAzEMFgo1LjIuMzc5MC4yMFAGCSqGSIb3DQEJ

DjFDMEEwHQYDVR0OBBYEFHf9nSUn4NT5wX9p4jI2tcwHS/2eMBMGA1UdJQQMMAoG

CCsGAQUFBwMBMAsGA1UdDwQEAwIFoDBUBgkrBgEEAYI3FRQxRzBFAgEBDB9jb3Vu

dC5ub2JpbGl0eS50b29sczRldmVyLmxvY2FsDBZOT0JJTElUWVxBZG1pbmlzdHJh

dG9yDAdjZXJ0cmVxMIH9BgorBgEEAYI3DQICMYHuMIHrAgEBHloATQBpAGMAcgBv

AHMAbwBmAHQAIABSAFMAQQAgAFMAQwBoAGEAbgBuAGUAbAAgAEMAcgB5AHAAdABv

AGcAcgBhAHAAaABpAGMAIABQAHIAbwB2AGkAZABlAHIDgYkAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADANBgkqhkiG9w0BAQUFAAOCAQEA

nTAOKjTTbz/ABAHCZRNmn/SSj5w7DoMBUP07I8QQMf4ruI0ClEuX5jhlm+jwnypY

pDNHnn2uRI08hN5jwOcc/36DGNaSgu9cOg3s/FCHnDkhMotqST4UgjH8bVBXfTrP

ryAswB4CtFDPK4Po9+Fz/TeNb1rD4yC0hvYL2m+Gwyl9rupfj9eyy7VaFZDeHltR

2DkGjF7fOiwjZgXi7jy4w0GtC53hWYWxfTaRTPjKuoGFIwDcUHNucdSEQ216xTg7

yLgyyQv8imBI98dr+XXVJeAQk/ByD8uCU0DWM2M64i2ccw8QhlyOPyj36914K2zd

WJSRbwjM1KpvtyFrzwCGJg==

-----END NEW CERTIFICATE REQUEST-----

Creating a Certification Authority

Log on to computer that runs Certification Authority

In this example, Certification Authority is installed on another domain controller running Windows 2003. For other configurations, you are referred to Microsoft documentation for more information on how to setup a Certification Authority.

Log on to the computer with enterprise administrator access rights. Select Start, Control Panel, Add or Remove programs. Click the button Add/Remove windows components. Select entry Certificate Services

Figure 45: Installation of Certificates Services on a Windows 2003 domain controller.

Click Next. When asked, select the option to create a Stand-alone root CA.

Figure 46: Selection of Certification Authority: Stand-alone root CA.

Follow the wizard instructions and specify the name of the Certification Authority.

Figure 47: Specification of the Certification Authority identification information.

Follow the instructions of the wizard. When finished, the certification authority is installed.

Sign the certificate request by the Certification Authority

In this step, the Certification Authority converts the certificate request to a real certificate by signing/issuing the request.

Click Start, All Programs, Administrative Tools, Certification Authority. The MMC shows the Certification Authority snap-in. Select the Certification Authority and select menu option All tasks, Submit new request.

Browse to the file that contains the certificate request ldapcert.req and submit the request. If the computer that runs the LDAP Server and the computer that runs the Certification Authority are not connected, you need to use a diskette or memory stick to access the file.

The request is now processed by the Certification Authority. When ready the request can be selected from the section with Pending Requests.

Figure 48: Issue the submitted certification request.

Select menu option Issue to accept the request. The certificate is then stored in the section Issued Certificates. Select the certificate from the section Issued Certificates and select menu option Open.

Figure 49: Result certificate, issued by the Certification Authority.

Click on the Details tab and select the button Copy to File to export the certificate to a file. Follow the wizard instructions. When asked, select the format Base-64 encoded binary X.509 (.CER). For the name of the file, select ldapcert.cer. Complete the wizard.

Before the certificate can be installed on the domain controller, the root certificate of the Certification Authority must be installed on the domain controller.

Exporting the root certificate Certification Authority

To export the root certificate, select Certification Authority and select menu option Properties.

Figure 50: Export the root certificate of the Certification Authority.

Click View Certificate, select Details and click on the button Copy to File to export the root certificate of the Certification Authority. For the name of the file, enter LdapRootCA.cer.

Importing the root certificate Certification Authority

Log on to domain controller

On the domain controller that runs Active Directory, you need to install both the root certificate of the Certification Authority and the created certificate.

Log on to the domain controller as an enterprise administrator and start the MMC. (Start, Run, mmc). Add the Certificates snap-in (File, Add/Remove snap-in, click Add and select Certificates). Select the option to manage certificates for the Computer account of the Local Computer.

Navigate to the certificates item Trusted Root Certification Authorities, Certificates and select menu option All Tasks, Import.

Figure 51: Import the root certificate of the Certification Authority on the Active Directory domain controller.

Follow the wizard instructions and import the root certification file LdapRootCA.cer.

When finished, the root certificate of the Certification Authority is installed on the domain controller.

Importing the LDAP Server certificate

Finally, on the domain controller that runs Active Directory, you need to accept the certificate signed by the Certification Authority. From a command prompt, navigate to the directory that contains the certificate ldapcert.cer and issue the following command:

certreq -accept ldapcer.cer

The certificate is now installed. To verify the certificate installation, start the MMC and open the snap-in that manages the certificates on the local computer. In the tree, browse to the location Certificates (Local Computer), Personal, Certificates. A certificate issued to the domain controller should exist.

Figure 52: Verification of the purpose of the certificate.

Select the certificate and choose menu option Properties. The Certificate purposes should show Server Authentication.

To finish the configuration on the domain controller, restart the domain controller.

Setting up the UMRA (LDAP Client) computer

The computer that runs the UMRA software needs to have the root certificate of the Certification Authority installed. To do so, repeat the steps of topic Import root certificate Certification Authority, but this time, import the certificate on the computer that runs the UMRA software.

Verifying secure LDAPS using SSL

The secure LDAP connection can be tested with UMRA or with the Active Directory Administration Tool LDP.EXE, part of the Windows Support Tools. (Windows 2003 only)

Start the tools LDP.EXE from a command prompt in the Windows Support Tools. Select menu option Connection, connect.

Figure 53: Test the LDAP SSL connection using LDP.EXE from the Windows Support Tools.

Specify the name of the LDAP Server, the default SSL port 636 and check the option SSL.

Press OK. When the connection is setup successfully, the window shows the connection information.

Figure 54: Connection information when a successful connection is established.

See Also

Introduction

Creating user accounts in Microsoft Active Directory using LDAP

Searching accounts and resetting passwords in Microsoft Active Directory using LDAP

Updating group memberships in Microsoft Active Directory using LDAP