How to Enable LDAPS in Active Directory
By default, Windows Active Directory servers are unsecured. All LDAP messages are unencrypted and sent in clear text. This restricts what developers can and can't do via LDAP. For example, password modification operations must be performed over a secure channel, such as SSL, TLS or Kerberos.
To enable LDAP over SSL (LDAPS), all you need to do is "install" an SSL certificate on the Active Directory server. Most enterprises will opt to purchase an SSL certificate from a third party like Verisign. In my case, I created my own certificate using OpenSSL. Here are the steps I used to secure my Active Directory server using a self-signed certificate.
Pre-Requisites
OK, before we begin, here are a couple of things you need. First of all, you will need administrative access to the Active Directory server (i.e. the Domain Controller). You obviously need the domain name and the fully qualified domain name (FQDN) of the Active Directory server. In this tutorial we use the following:
Step 1: Create a Certificate Authority (CA)
If you are creating your own certificate, you need to first create a Certificate Authority (CA). Fortunately, tools like OpenSSL make this easy.
Creating a CA certificate with OpenSSL is a two-step process. First, you must create the CA's private key; OpenSSL encrypts it under a passphrase that you will be prompted for:
openssl genrsa -des3 -out ca.key 4096
Next, you will generate a CA certificate. In this example, we will create a CA certificate that is valid for 10 years:
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
When generating the CA certificate, OpenSSL will prompt you for several key pieces of information. Note that the "Common Name" is our domain name:
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) :New York
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ACME
Organizational Unit Name (eg, section) :IT
Common Name (e.g. server FQDN or YOUR name) :acme.com
Email Address :firstname.lastname@example.org
Step 2: Install the Certificate Authority (CA)
To install the certificate authority (CA) on the domain controller, open the "Certificates snap-in":
Step 3: Create a Certificate Signing Request (CSR)
Next, we have to create a Certificate Signing Request (CSR). There are a number of different tools out there, including OpenSSL, that you can use. However, the preferred approach is to use Microsoft's certreq utility.
The certreq utility is a command line application that takes a *.inf file and generates a CSR. Here's an example of an .inf file that I used. Pay close attention to the "Subject" line. It should contain the FQDN of the Active Directory server.
;----------------- request.inf -----------------
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=dc1.acme.com,OU=IT,DC=dc1,DC=acme,DC=com,O=ACME,L=New York,S=New York,C=US"
; KeySpec = 1
KeyLength = 1024
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
Once you have an .inf file, generate a Certificate Signing Request (CSR) using certreq. In this example, "acme.csr" is the CSR.
certreq -new request.inf acme.csr
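A request.inf that is wrong in a small way (a CN that is not the DC's FQDN, a weak key, the wrong EKU) produces a certificate that Windows installs happily but that LDAPS clients will refuse, so a pre-flight check before running certreq saves a round trip. The following Python script is an added example, not part of the original tutorial or of certreq: it parses an .inf like the one above (embedded as a constructed, trimmed sample) and flags a Subject CN that does not match the assumed DC FQDN dc1.acme.com, a key shorter than 2048 bits (the tutorial's 1024-bit example is flagged), MachineKeySet not set to TRUE, and a missing Server Authentication EKU.

```python
import configparser

SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth

# Constructed sample: a trimmed copy of the tutorial's request.inf.
SAMPLE_INF = """\
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=dc1.acme.com,OU=IT,DC=dc1,DC=acme,DC=com,O=ACME,L=New York,S=New York,C=US"
; KeySpec = 1
KeyLength = 1024
MachineKeySet = TRUE
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
"""

def parse_inf(text: str) -> configparser.ConfigParser:
    """Parse a certreq .inf: INI syntax, ';' comments, no % interpolation.
    certreq allows repeated OID= lines; this simple parser expects one."""
    cp = configparser.ConfigParser(interpolation=None, comment_prefixes=(";", "#"),
                                   inline_comment_prefixes=(";",))
    cp.read_string(text)
    return cp

def parse_dn(dn: str) -> dict:
    """Split a quoted 'CN=a,OU=b,...' string into {ATTR: value} (no escaped commas)."""
    pairs = (p.split("=", 1) for p in dn.strip().strip('"').split(",") if "=" in p)
    return {k.strip().upper(): v.strip() for k, v in pairs}

def lint_request_inf(text: str, dc_fqdn: str, min_bits: int = 2048) -> list:
    """Return findings for a DC LDAPS request; an empty list means it looks sane."""
    cp = parse_inf(text)
    req = cp["NewRequest"]
    findings = []
    cn = parse_dn(req.get("Subject", "")).get("CN", "")
    if cn.lower() != dc_fqdn.lower():  # clients verify the name they connected to
        findings.append(f"Subject CN '{cn}' does not match DC FQDN '{dc_fqdn}'")
    bits = req.getint("KeyLength", fallback=0)
    if bits < min_bits:  # the tutorial's 1024-bit key trips this check
        findings.append(f"KeyLength {bits} is below the {min_bits}-bit minimum")
    if req.get("MachineKeySet", "").upper() != "TRUE":  # key must be in the machine store
        findings.append("MachineKeySet must be TRUE for the DC's LDAP service to use the key")
    ekus = [v.strip() for v in cp["EnhancedKeyUsageExtension"].values()]
    if SERVER_AUTH_OID not in ekus:
        findings.append(f"EKU is missing Server Authentication ({SERVER_AUTH_OID})")
    return findings
```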
Step 4: Sign the Certificate
After generating the Certificate Signing Request (CSR), you are ready to create a certificate. If you are purchasing an SSL certificate, send the CSR to your vendor (e.g. Verisign) and they will generate and sign the certificate for you. If you have already purchased an SSL certificate, you can skip this step.
To sign your own certificate using OpenSSL, simply enter the following:
openssl x509 -req -days 3650 -in acme.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out acme.crt
Step 5: Accept the Certificate
After you get your signed certificate, you will need to "Accept" it using the certreq utility:
certreq -accept acme.crt
Step 6: Install the Certificate
In Step 2, we opened the "Certificates snap-in". Assuming it is still open, expand the "Certificates" node under "Personal". Right-click on the "Certificates" node, select "All Tasks" -> "Import...", and import "acme.crt".
Step 7: Restart Active Directory
After installing the certificate, you must restart the domain controller. You can use Microsoft's Ldp GUI tool to test the LDAPS connection. The default LDAP port is 389 and the LDAPS (SSL) port is 636.