Use LDAPS with ADAM
Summarize
Summary of Use LDAPS with ADAM
The default setup for userProxy object authentication in ADAM enforces LDAPS (secure LDAP) communications, requiring SSL certificates to secure network traffic. This document guides you through managing LDAPS settings and generating self-signed certificates for secure communication.
Show less
Key Features
- LDAPS Configuration: To disable the LDAPS requirement, modify the msDS-Other-Settings attribute in the ADSIEdit console. Change RequiresSecureProxyBind from 1 (enforced) to 0 (disabled) and restart the ADAM service.
- SSL Certificates: To ensure secure binds and encrypt user credentials, an SSL certificate must be installed on the server and any LDAP client. Self-signed certificates are a cost-effective option.
- Self-Signed Certificate Creation: Use the selfssl utility to generate a self-signed certificate after installing Internet Information Services (IIS). The utility can be removed post-generation.
Key Outcomes
Upon following the outlined processes, you will enable secure communications for ADAM while efficiently managing your SSL certificate requirements. Remember to create a self-signed certificate with proper parameters and ensure the common name matches your server's fully qualified domain name. Keep track of the certificate's expiration date and renew it as needed to maintain secure operations.
The default configuration for userProxy object authentication is to enforce LDAPS (secure LDAP) communications. LDAPS requires SSL certificates to secure the network traffic.
Object: CN=Directory Service, CN=Windows NT, CN=Services, CN=Configuration
Attribute: msDS-Other-Setings
Value: change RequiresSecureProxyBind from 1 (enforced) to 0 (disabled)Restart the ADAM service to use the new setting.
To support secure binds and encrypt the user and password information being transmitted, a SSL certificate must be installed on the server and any LDAP client. Since there is limited and controlled uses to the ADAM service, it is feasible to use a self-signed certificate which would meet the needs without incurring certificate costs or building a Certificate Authority (CA) infrastructure. If you already have a CA, you can issue a certificate. Otherwise, create a self-signed certificate.
Creating a Self-Signed Certificate
To use the selfssl utility, Internet Information Services (IIS) must be installed. This service can be removed after you generate the certificate. You can get the selfssl.exe utility from the IIS Resource Kit. If IIS is already installed, create a new website so that the current sites will not be impacted during the certificate generation. Selfssl needs to temporarily attach the new self-issued certificate to a valid web site.
Selfssl is a command-line tool and has the following common parameters.
| Parameter | Description |
|---|---|
| /T | Adds the cert to ‘Trusted Certificates’ on the local machine |
| /N:cn | Set the common name of the certificate. This must match the fully qualified domain name of the server running the web service using the certificate |
| /K | Sets the strength of the key size in bits |
| /V | Number of days the cert is valid |
| /S | Web site ID to attach the certificate to |
| /P | IP port of the web service |
selfssl /N:CN=myCompany.externaldomain.com /K:1024 /V:3650 /S:12345 /P:50001 /TThis statement creates a certificate that is valid for 10 years. Set the value to any duration, but be aware the new certificate must be generated and submitted to the instance before the old one expires. We recommend making a note of the expiration date on the certificate.
Once the certificate is generated you can remove it from the website, or delete the entire web site if you created a temporary site.