Configuring SSL Connection

1. Make sure SSL is enabled in Active Directory. Learn how to enable LDAP SSL in Active Directory.

2. Export a base-64 encoded SSL certificate from your Active Directory Server.

3. Make sure SSL is enabled in 389 Directory Server. Learn how to enable LDAP SSL in 389 Directory Server.

4. Install the exported SSL certificate into 389 Directory Server.

Testing SSL Connection

1. Type the command below to test if you can do a plain LDAP connection to your Active Directory server. You’ll be asked for the password of the user account you specified in the -D option.

/usr/lib/mozldap/ldapsearch -b "dc=acme,dc=local" 
-h server.acme.local -R 
-D "cn=fds,cn=users,dc=acme,dc=local" 
-w - "objectclass=*"

Replace the value after -b with your search base, the value after -h with your server hostname and the value after -D with the distinguished name of a user account having read/write access to your Active Directory server.

2. Type the command below to test if you can do an SSL enabled LDAP connection to your Active Directory server.

/usr/lib/mozldap/ldapsearch -b "dc=acme,dc=local" 
-h server.acme.local -R 
-D "cn=fds,cn=users,dc=acme,dc=local" 
-w - -Z -P /etc/dirsrv/slapd-mail "objectclass=*"

Replace the value after -P with the settings path of your 389 Directory server.

If the two test above succeeds, you can use SSL connection to synchronize with Active Directory.

Troubleshooting

If the output from the test above contains

• Invalid credentials
  

  Check the distinguished name of the user account after the -D option and the bind password for it. To check the distinguished name, type the command below.

  /usr/lib/mozldap/ldapsearch -b "dc=acme,dc=local" -h server 
  -R -D "ACME\fds" -w - "samaccountname=fds" DN
  

  Replace the value ACME with your own domain and fds with your own user name. It will output the distinguished name of the user name you specified.

• TCP connection reset by peer
  

  Check the host name you specified after -h. If the host name is correct, check the firewall.

• security library: bad database
  

  Make sure SSL is enabled in 389 Directory Server. And check the path you specified after -P.

• Encountered end of file
  

  After configuring SSL in Active Directory, you probably did not reboot your Active Directory server. Reboot your AD server to complete the changes and try the test again.

• Peer’s Certificate has expired
  

  Make sure the system clock is synchronized in the Linux server and the Active Directory server. And the check the certificate, it may indeed be expired.

• Peer’s certificate issuer has been marked as not trusted by the user
  

  Check the trust setting you specified in the certificate of the 389 Directory server. Making connections to other servers should be checked.

Generate a Private Key

Make sure you are logged in as the root user when doing steps below.

1. Generate a pass phrase protected private key using the command below. Provide a pass phrase when asked.

openssl genrsa -des3 -out localhost.key 1024

2. Remove the pass phrase protection using the command below. Provide the pass phrase when asked.

openssl rsa -in localhost.key -out localhost.key

3. Type in the command below to ensure that the private key will be readable by the root user only.

chmod 400 localhost.key

Generate a Certificate

1. Generate a certificate signing request by typing in the command below and filling in your host information.

openssl req -new -key localhost.key -out localhost.csr

Signing options

• For a publicly accessible site, have it signed by a reputable third party like Verisign
• For Active Directory intranets, you can sign it using the Microsoft Certificate Services. Learn how to submit a certificate request to the Microsoft Certificate Services.
• For intranets or testing sites, you can sign it yourself.

To self sign your certificate request, type in the command below.

openssl x509 -req -days 365 -in localhost.csr
 -signkey localhost.key -out localhost.crt

Configuring Apache for SSL

1. Move the file localhost.key into /etc/pki/tls/private/

mv localhost.key /etc/pki/tls/private/

2. Place the certificate file into /etc/pki/tls/certs/ and name the file as localhost.crt. The command below applies to self-signed certificate only.

mv localhost.crt /etc/pki/tls/certs/

3. Edit the file /etc/httpd/conf.d/ssl.conf and edit the lines below.

DocumentRoot = /usr/share/squirrelmail
ServerName = mail.acme.local:443

Replace mail.acme.local with your server name.

4. Restart the httpd service. Learn how to restart services here.

5. Try accessing SquirrelMail using https instead of http.

You can force browsers to always use the SSL version. See Relocating SquirrelMail into the domain root.

To issue a certificate for a web server, make sure you have all of the items below.

• Domain administrator account
• Internet Explorer
• Windows server installed with Microsoft Certificate Services. Learn how to install Microsoft Certificate Services in Windows 2003 Server.

1. Launch Internet Explorer and connect to your Certificate Services server. The URL is http://server/certsrv, replace server with the name of your server. Next, click Request a certificate.

2. In the Request a Certificate page, click submit an advanced certificate request.

3. In the Advanced Certificate Request page, click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file or submit a renewal request by using a base-64-encoded PKCS#7 file.

4. In the Submit a Certificate Request or Renewal Request page, paste the content of the request file into the Base-64-encoded certificate request box. Select Web Server in the Certificate Template and click Submit.

5. In the Certificate Issued page, select Base 64 encoded and click Download certificate.

This article will show you how to export an SSL certificate from an SSL enabled Windows Server 2003 to use the LDAP API over SSL. If you have not yet configured SSL, see Enable LDAP SSL with Active Directory.

1. Click Start, select Administrative Tools and click Certification Authority. This will launch the Certification Authority application.

2. Select a certification authority, press right click and click Properties.

3. In the Properties window, click the View Certificate button.

4. In the Certificate window, click the Details tab and click the Copy to File button.

5. Click Next in the Certificate Export Wizard window.

6. Select Base-64 encoded X.509 and click Next.

7. Specify the path and file name of the certificate and click Next.

8. Finally, click Finish to export the certificate.

This article will show you how to install the Certificate Services in Windows 2003 to enable LDAP SSL in Active Directory.

Before beginning, make sure the Internet Information Server (IIS) is installed in your server.

Installing the Certificate Services

1. Click Start, select Control Panel and click Add or Remove Programs.

2. In the Add or Remove Programs window, click Add/Remove Windows Components, check the Certificate Services and click Next.

3. Click Next in the CA Type page.

4. Fill up the Common name for this CA and click Next.

5. Click Next in the Certificate Database Settings page.

6. The Certificate Services will now be installed.

7. Click Finish and restart your server.

Configuring Automatic Certificate Request for Domain Controllers

1. Click Start, select Administrative Tools and click Domain Controller Security Policy.

2. In the Default Domain Controller Security Settings window, click the Public Key Policies folder.

3. Right click Automatic Certificate Request Settings, select New and click Automatic Certificate Request.

4. Click Next in the Automatic Certificate Request Setup Wizard.

5. Select Domain Controller in the Certificate Template page and click Next.

6. Click Finish and reboot your server.

7. Check if automatic certificate request worked by using the Certificate Authority app located in Start > Administrative Tools. Check the Issued Certificates folder if your server is there.

Related Pages

How to Export an SSL Certificate in Windows Server 2003.