Secure Linux OpenLDAP environment

To set up a secure Linux OpenLDAP environment, SSL certificates must be installed on the LDAP Server (Linux OpenLDAP) and on the LDAP Client (the UMRA software). The OpenLDAP configuration file slapd.conf must be updated with the SSL configuration settings. The following parameters must be specified: TLSCipherSuite, TLSCertificateFile and TLSCertificateKeyFile.
Regarding the certificate, two file names are specified: one for the certificate itself and one for the associated private key. To generate these files, the following procedure can be used. The certificate is first generated on the Linux computer using the CA.pl script, part of the OpenSSL installation:

    t4elnx:/ldap-ssl# /usr/lib/ssl/misc/CA.pl -newcert
    Generating a 1024 bit RSA private key
    .............++++++
    ......................++++++
    writing new private key to 'newreq.pem'
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:nl
    State or Province Name (full name) [Some-State]:utrecht
    Locality Name (eg, city) []:baarn
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:tools4ever
    Organizational Unit Name (eg, section) []:development
    Common Name (eg, YOUR name) []:t4elnx.tools4ever.local2
    Email Address []:
    Certificate (and private key) is in newreq.pem

The above listing shows how to create the certificate with the command CA.pl -newcert. The certificate is self-signed, so no Certification Authority is required. The contents specified for the fields do not really matter, except for the following fields:

Common Name: specify the DNS name of the computer that runs the Linux OpenLDAP server.
Email Address: leave this field blank.

When ready, the file newreq.pem contains both the private key and the certificate. The private key is password protected.
The total file looks like this: an encrypted private key block (-----BEGIN RSA PRIVATE KEY----- with the headers Proc-Type: 4,ENCRYPTED and DEK-Info: DES-EDE3-CBC,...) followed by a certificate block (-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----); the encoded contents are omitted here.
To remove the password protection from the private key and to export the private key that is used by the LDAP Server, enter the following command:

    openssl rsa -in newreq.pem -out slapd-key.pem

On output, the file slapd-key.pem contains the private key with no password protection.
In a real environment this file must be highly protected, since it contains the main secret, the private key (never publish the contents of this file in a document). From the other file, newreq.pem, you need to create a file that contains the certificate only: copy the lines from -----BEGIN CERTIFICATE----- up to and including -----END CERTIFICATE-----. In this example the certificate is stored in a new file, slapd-cert.pem, which then contains just that single certificate block (contents omitted here).

Now update the OpenLDAP configuration file slapd.conf so that it contains the following lines to enable SSL:

    TLSCipherSuite HIGH:MEDIUM
    TLSCertificateFile /ldap-ssl/slapd-cert.pem
    TLSCertificateKeyFile /ldap-ssl/slapd-key.pem

The file names should point to the locations of the files with the certificate and the associated private key.
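As an added example (not part of the original document or of the UMRA product), the following Python script performs the file-splitting step above and then checks the two resulting files for the mistakes that stop slapd from loading them: a private key left in the certificate file, a key still protected by the CA.pl pass phrase, or a key file readable by other users. The sample PEM content is constructed and is not a real key or certificate; the script cannot decrypt a key, so the openssl rsa step from the text is still required.

```python
import os, re, stat
# Constructed sample in the shape CA.pl -newcert writes (not a real key or certificate).
NEWREQ_SAMPLE = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0000000000000000

Y29uc3RydWN0ZWQgc2FtcGxlLCBub3QgYSByZWFsIGtleQ==
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
Y29uc3RydWN0ZWQgc2FtcGxlLCBub3QgYSByZWFsIGNlcnQ=
-----END CERTIFICATE-----
"""
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n.*?-----END \1-----\n", re.S)

def pem_blocks(text):
    """Return (label, block) for every PEM block in text, in file order."""
    return [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(text)]

def split_newreq(text):
    """Separate a newreq.pem-style file into (certificate block, private key block)."""
    certs = [b for label, b in pem_blocks(text) if label == "CERTIFICATE"]
    keys = [b for label, b in pem_blocks(text) if label.endswith("PRIVATE KEY")]
    if len(certs) != 1 or len(keys) != 1:
        raise ValueError("expected exactly one certificate and one private key")
    return certs[0], keys[0]

def write_server_files(text, cert_path, key_path):
    """Write the certificate-only file and the key file (key readable by owner only)."""
    cert, key = split_newreq(text)
    for path, block in ((cert_path, cert), (key_path, key)):
        with open(path, "w") as f:
            f.write(block)
    os.chmod(key_path, 0o600)

def check_server_files(cert_path, key_path):
    """Return the problems that would stop slapd from using these files; [] if none."""
    problems = []
    with open(cert_path) as f:
        labels = [label for label, _ in pem_blocks(f.read())]
    if any(label.endswith("PRIVATE KEY") for label in labels):
        problems.append("certificate file still contains the private key")
    with open(key_path) as f:
        key = f.read()
    # slapd has no console to ask for a pass phrase, so the key must be unencrypted
    if "Proc-Type: 4,ENCRYPTED" in key or "ENCRYPTED PRIVATE KEY" in key:
        problems.append("key file is still pass-phrase protected (run openssl rsa first)")
    mode = stat.S_IMODE(os.stat(key_path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"key file is group/world accessible (mode {mode:o})")
    return problems
```

Run check_server_files on /ldap-ssl/slapd-cert.pem and /ldap-ssl/slapd-key.pem before restarting slapd; an empty list means the files are in the state the configuration above expects.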
Finally, restart the LDAP Server:

    /etc/init.d/slapd restart

The LDAP Server is now able to communicate using SSL. Next, the certificate must be imported on the computer that runs the UMRA software: copy the file slapd-cert.pem to that computer and follow the instructions in the section "Import the certificate on the UMRA computer" on page 1. When ready, the test with LDP.EXE, part of the Windows Support Tools, should show a result as in the following figure:
By default, you can then bind with the admin account cn=admin,dc=tools4ever,dc=local2 to authenticate the user account.