An SSL connection to Active Directory is required in order to update a user’s password using LDAP. This article describes how to configure and test 389 Directory Server to synchronize with an Active Directory Server via an SSL LDAP connection.

Configuring SSL Connection

[Image: Certificate Authority]
1. Make sure SSL is enabled in Active Directory. Learn how to enable LDAP SSL in Active Directory.
[Image: 389 Directory Manage Certificates]
3. Make sure SSL is enabled in 389 Directory Server. Learn how to enable LDAP SSL in 389 Directory Server.

Testing SSL Connection

[Image: ldapsearch]
1. Type the command below to test if you can do a plain LDAP connection to your Active Directory server. You’ll be asked for the password of the user account you specified in the -D option.
/usr/lib/mozldap/ldapsearch -b "dc=acme,dc=local" \
-h server.acme.local -R \
-D "cn=fds,cn=users,dc=acme,dc=local" \
-w - "objectclass=*"

Replace the value after -b with your search base, the value after -h with your server hostname and the value after -D with the distinguished name of a user account having read/write access to your Active Directory server.

[Image: ldapsearch SSL]
2. Type the command below to test if you can do an SSL enabled LDAP connection to your Active Directory server.
/usr/lib/mozldap/ldapsearch -b "dc=acme,dc=local" \
-h server.acme.local -R \
-D "cn=fds,cn=users,dc=acme,dc=local" \
-w - -Z -P /etc/dirsrv/slapd-mail "objectclass=*"

Replace the value after -P with the configuration directory of your 389 Directory Server instance, which holds the certificate database that ldapsearch uses to validate the Active Directory certificate.

If the two tests above succeed, you can use an SSL connection to synchronize with Active Directory.

Troubleshooting

If the output from the tests above contains one of the following messages:

  • Invalid credentials

    Check the distinguished name of the user account after the -D option and the bind password for it. To check the distinguished name, type the command below.

    /usr/lib/mozldap/ldapsearch -b "dc=acme,dc=local" -h server \
    -R -D "ACME\fds" -w - "samaccountname=fds" DN

    Replace the value ACME with your own domain and fds with your own user name. It will output the distinguished name of the user name you specified.

  • Invalid function argument

    The host name you specified after -h is invalid or does not exist.

  • TCP connection reset by peer

    Check the host name you specified after -h is correct, the port is open, and SSL is configured properly.

  • security library: bad database

    Make sure SSL is enabled in 389 Directory Server, and check the path you specified after -P.

  • Encountered end of file

    After configuring SSL in Active Directory, you probably did not reboot your Active Directory server. Reboot your AD server to complete the changes and try the test again.

  • Peer’s Certificate issuer is not recognized

    Check if you have installed the certificate from Active Directory.

  • Peer’s Certificate has expired

    Make sure the system clocks of the Linux server and the Active Directory server are synchronized. Also check the certificate itself; it may indeed have expired.

  • Peer’s certificate issuer has been marked as not trusted by the user

    Check the trust setting you specified on the certificate in the 389 Directory Server certificate database. The option for making connections to other servers should be checked.
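The two tests and the troubleshooting list above can be combined into one script that runs the plain test, then the SSL test, and maps the first failure to the likely cause. This is an added example, not part of the original article; it assumes the mozldap ldapsearch at /usr/lib/mozldap/ldapsearch, and the base, host, bind DN and certificate database path are the article's placeholder values.

```shell
#!/bin/sh
# Added example, not from the original article. Runs the plain and SSL
# ldapsearch tests in order and maps a failure to the Troubleshooting
# entry. Assumes mozldap ldapsearch; the values below are placeholders.
LDAPSEARCH=/usr/lib/mozldap/ldapsearch
BASE="dc=acme,dc=local"
HOST="server.acme.local"
BINDDN="cn=fds,cn=users,dc=acme,dc=local"
CERTDB="/etc/dirsrv/slapd-mail"

# Translate an ldapsearch error message ($1) into the likely cause.
diagnose() {
    case "$1" in
        *"Invalid credentials"*)       echo "check the DN after -D and its password" ;;
        *"Invalid function argument"*) echo "host name after -h is invalid or does not exist" ;;
        *"reset by peer"*)             echo "check host name, open port and AD SSL configuration" ;;
        *"bad database"*)              echo "SSL not enabled in 389 DS or wrong path after -P" ;;
        *"end of file"*)               echo "AD server probably not rebooted after enabling SSL" ;;
        *"issuer is not recognized"*)  echo "AD CA certificate not installed in the 389 DS cert db" ;;
        *"has expired"*)               echo "check clock sync on both servers, then the cert validity" ;;
        *"marked as not trusted"*)     echo "enable 'Making connections to other servers' on the CA trust" ;;
        *)                             echo "unknown error, inspect the full output" ;;
    esac
}

# Run one test. $1 is a label; further args are extra ldapsearch options
# (-Z -P certdb for SSL). Prompts for the password because of -w -.
run_test() {
    label=$1; shift
    if out=$("$LDAPSEARCH" -b "$BASE" -h "$HOST" -R -D "$BINDDN" -w - \
             "$@" "objectclass=*" 2>&1); then
        echo "$label test succeeded"
        return 0
    else
        rc=$?
        echo "$label test failed (exit $rc): $(diagnose "$out")"
        return "$rc"
    fi
}

# Plain LDAP first, then SSL; stop at the first failure.
check_ad_ssl() {
    run_test "Plain LDAP" || return 1
    run_test "SSL LDAP" -Z -P "$CERTDB" || return 1
    echo "Both tests passed: SSL synchronization with AD can be configured."
}

if [ "${1:-}" = "run" ]; then check_ad_ssl; fi
```

Run it as `sh check_ad_ssl.sh run` after replacing the placeholder values; it exits non-zero at the first failing test so it can be used from cron or a deployment check.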

***
Posted on 11/1/2009 and last updated on 4/23/2011
Filed under 389 Directory Server , Active Directory , LDAP , SSL/TLS