Unable to establish LDAPS connection

Associate, joined 8 Jul 2004, 1,818 posts, London
Hullo everyone,

I've been trying to set up LDAPS over SSL on an AD server with little luck. I am hoping someone with a bit of knowledge can lend a hand.

Here are the steps I have taken:

1. Followed the article here to create/import certificates: http://support.microsoft.com/default.aspx?scid=kb;en-us;321051
I used CACert.org to verify domain ownership + create a Server Authentication Certificate and installed as directed above.

2. Used Port Query to confirm the AD server is listening on port 636: http://technet.microsoft.com/en-gb/library/bb877965.aspx

=============================================

Starting portqry.exe -n AD-SERVER -e 636 -p BOTH ...


Querying target system called:

AD-SERVER

Attempting to resolve name to IP address...

Name resolved to IP_ADDRESS

querying...

TCP port 636 (ldaps service): LISTENING

3. Used ldp.exe to confirm a member client/server can establish an LDAP connection to the server on port 389 (default) with no SSL. If I enable SSL, the client/server is unable to establish a connection, as expected. I then switch the port to 636 (LDAPS) and I get as far as this:

ld = ldap_open("AD-SERVER", 636);
Error <0x51>: Fail to connect to AD-SERVER.

and with SSL checked:

ld = ldap_sslinit("AD-SERVER", 636, 1);
Error <0x0> = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, LDAP_VERSION3);
Error <0x51> = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to AD-SERVER.

I have checked the event log for anything suspicious but there are no errors of any kind. I have disabled the server's firewall whilst testing but I am still unable to establish any connection via LDAPS.

Anyone able to shed some light on this?

EDIT
I am able to establish a local LDAPS connection (Port 636 + SSL checked) by using ldp.exe on the AD-SERVER machine but not from any client/server domain member.
 
Certificate is issued from CACert.org and I have installed their Root CA in the AD-SERVER's trusted root certificates folder.

I have installed it on the client but it makes no difference; they can't make a connection.
 
It's not just best practice, it's a requirement for anything involving certs :)

Also, if you haven't set the certification policy to auto-issue then you'll need to request a cert for the client from the CA manually.
 
I meant using LDAP in general, including programming; it is much faster and more efficient to use FQDNs. Though obviously some things require it to work.
 
Hi Guys,

Thanks for the replies. The certificate is using the FQDN of the server. I tried to make the connection with the FQDN and got the following output:

ld = ldap_sslinit("AD-SERVER.DOMAIN.NET", 636, 1);
Error <0x0> = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, LDAP_VERSION3);
Error <0x51> = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to AD-SERVER.DOMAIN.NET.

The certificate policy is set to auto-issue if I remember correctly.
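Added example, not from any poster in this thread: ldp.exe reports the same 0x51 (LDAP_SERVER_DOWN) whether the TCP connection failed or the TLS handshake was rejected, so it says nothing about why a client cannot connect while the DC itself can. The script below, run from a domain member, separates those cases: it opens TCP 636, completes a TLS handshake with validation disabled purely to capture the server certificate, then builds the chain against the client's own certificate store, checks the Server Authentication EKU and whether the name the client used appears in the subject or SAN, and finally attempts a real LDAPS bind with System.DirectoryServices.Protocols. The hostname AD-SERVER.DOMAIN.NET and port 636 are assumptions taken from the thread; the function names are my own.

```powershell
# Added diagnostic example, not code from the thread. Hostname and port are assumptions.
param(
    [string]$Server = 'AD-SERVER.DOMAIN.NET',   # assumed FQDN; must match the certificate's CN or SAN
    [int]$Port = 636
)

function Test-LdapsHandshake {
    param([string]$HostName, [int]$Port)

    $result = [ordered]@{ Server = $HostName; TcpOpen = $false; TlsOk = $false; Errors = @() }
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        $result.TcpOpen = $true
    } catch {
        $result.Errors += "TCP connect failed: $($_.Exception.Message)"
        return [pscustomobject]$result
    }

    # Accept any certificate here so we can inspect it; the real verdict is computed below.
    # Never use an accept-all callback outside a diagnostic script.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.TlsOk      = $true
        $result.Protocol   = $ssl.SslProtocol
        $result.Subject    = $cert.Subject
        $result.Issuer     = $cert.Issuer
        $result.NotAfter   = $cert.NotAfter
        $result.Thumbprint = $cert.Thumbprint

        # Subject Alternative Name (OID 2.5.29.17), rendered as text by the extension formatter.
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $result.SubjectAltName = if ($san) { $san.Format($false) } else { '<none>' }
        $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
        if ($cn -ne $HostName -and $result.SubjectAltName -notmatch [regex]::Escape($HostName)) {
            $result.Errors += "Name '$HostName' is neither the CN ('$cn') nor in the SAN"
        }

        # Chain validation against THIS client's store, which is what Schannel/ldp.exe will do.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        if (-not $chain.Build($cert)) {
            $result.Errors += ($chain.ChainStatus | ForEach-Object { "Chain: $($_.Status) $($_.StatusInformation)".Trim() })
        }

        # A DC only offers a certificate for LDAPS if it carries the Server Authentication EKU.
        $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        if (-not $eku -or -not (@($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains '1.3.6.1.5.5.7.3.1')) {
            $result.Errors += 'Certificate lacks the Server Authentication EKU (1.3.6.1.5.5.7.3.1)'
        }
    } catch {
        $result.Errors += "TLS handshake failed: $($_.Exception.GetBaseException().Message)"
    } finally {
        $ssl.Dispose(); $tcp.Dispose()
    }
    [pscustomobject]$result
}

function Test-LdapsBind {
    param([string]$HostName, [int]$Port)
    Add-Type -AssemblyName System.DirectoryServices.Protocols
    # Third argument: treat $HostName as a fully qualified DNS name rather than a domain to locate a DC in.
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($HostName, $Port, $true, $false)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate   # current domain credentials
    try {
        $conn.Bind()
        return 'Bind over LDAPS succeeded'
    } catch [System.DirectoryServices.Protocols.LdapException] {
        # ErrorCode 81 is LDAP_SERVER_DOWN, the same condition ldp.exe shows as 0x51.
        return "Bind failed: $($_.Exception.Message) (LDAP ErrorCode $($_.Exception.ErrorCode))"
    } finally {
        $conn.Dispose()
    }
}

Test-LdapsHandshake -HostName $Server -Port $Port | Format-List
Test-LdapsBind -HostName $Server -Port $Port
```

Run it once on the DC and once on a failing member; if TcpOpen and TlsOk are true on both but the member reports a Chain error such as UntrustedRoot or PartialChain, the problem is in that client's store (root or intermediate missing from the machine, not the user, store); a name error means the client is connecting with a name the certificate does not carry; TcpOpen false with the firewall off points at routing or DNS rather than certificates.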
 