Re: TLS with Active Directory

[Quanah Gibson-Mount <quanah@stanford.edu>]

--On Tuesday, March 23, 2004 10:17 AM +1100 Matthew Smith <mps@getbusi.com> 
wrote:

> I am trying to access active directory and modify entries with open-ldap,
> but  am having no luck. I've looked at the archives, and can see that
> people have  done this in the past.
>
> I can connect to the AD on port 389, and I can see the entries correctly,
> but  when I try to connect on port 636, I am denied. I need the secure
> connection  to get AD to allow me to add users, and change passwords.
>
> My active directory server is a windows 2000 server machine with all the
> latest updates installed. I have installed a certificate authority on the
> server, so it can serve certificates to the domain, but this has drawn a
> blank as well (open ldap won't connect and openssl s_client says the
> certificate is not trusted)
>
> Can anyone point me to a step by step guide to setting up AD correctly or
> can  guide me through this?

It sounds more like you haven't told OpenLDAP to trust the AD server's CA. 
You might want to look at 'man ldap.conf' and pay particular attention to 
the TLS_CACERT directive.

You can also give a -d -1 option to the OpenLDAP binary you are using to 
connect to AD with to see what it says.

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
ITSS/TSS/Infrastructure Operations
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html