Hello,
I want to start this off by saying I realize this may not be the best place for this type of question. I just happen to think very highly of you folks and I'd imagine at least a handful of you guys had to do this at some point so I'm looking for any guidance. I've posted my question over at technet as well to see if anyone over there can be of any assistance (I think I'll have better luck here based on past experience). Anyway...
I am currently working to set up my Ubuntu 12.04 server so that it can authenticate users off of Active Directory using nss_ldap and pam_ldap. I had no problem setting this connection up for insecure LDAP on port 389. Obviously, I want to make this connection work over LDAPS on port 636. I am, however, not having any luck setting this up. I keep getting this error when I perform an ldapsearch:
Code:
# ldapsearch -v -H ldaps://ldapserver.example.com:636 -x -D "CN=svcAcct,DC=example,DC=com" -W -b "dc=example,dc=com" -P 3 "(cn=userName)" -d 1
ldap_url_parse_ext(ldaps://ldapserver.example.com:636)
ldap_initialize( ldaps://ldapserver.example.com:636/??base )
ldap_create
ldap_url_parse_ext(ldaps://ldapserver.example.com:636/??base)
Enter LDAP Password:
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldapserver.example.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 1.2.3.4:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Here's my ldap.conf:
Code:
base dc=example,dc=com
uri ldaps://ldapserver.example.com/
ldap_version 3
binddn CN=svcAcct,DC=example,DC=com
bindpw Password
pam_filter objectclass=posixAccount
pam_password md5
nss_map_attribute homeDirectory unixHomeDirectory
TLS_CACERT /etc/ssl/certs/joinedca.pem
The file /etc/ssl/certs/joinedca.pem contains cacert.pem as well as the certs I grabbed via these instructions:
http://blogs.msdn.com/b/alextch/arch...directory.aspx
In order to try and test the certs, I decided to write up a quick PERL script to see if I can connect:
Code:
#!/usr/bin/perl -w
use strict;
use warnings;
use Net::LDAPS;
use Data::Dumper;
my $targetHost = 'ldapserver.example.com';
my $targetAccountDN = "CN=svcAcct,DC=example,DC=com";
my $targetAccountPassword = 'Password';
print "Connecting and Binding to $targetHost...";
my $targetLdap = Net::LDAPS->new($targetHost, port => '636', verify => 'require', cafile => '/etc/ssl/certs/joinedca.pem') or die "targetLdap error : [$@]";
my $msg = $targetLdap->bind($targetAccountDN, password => $targetAccountPassword, version => 3);
$msg = $targetLdap->search(
base => 'DC=example,DC=com',
filter => "(&(objectClass=OrganizationalPerson)(cn=userName))"
);
And that works without a problem. It binds, and searches for userName without a hitch. Anyone have any ideas as to what I'm messing up here? Let me know if more info is needed. Thanks!
