By default LDAP communications are insecure (unencrypted). To enable secure LDAP connections you simply need to install a properly formatted server authentication certificate on the LDAP server. This can be a trusted third-party certificate or an internal Active Directory certificate issued by your own Certificate Authority (CA). There is no additional configuration required. As soon as a compatible certificate is installed, LDAP will automatically accept secure SSL connections on port 636.

More about enabling LDAP over SSL and certificate requirements – MS KB321051

To test LDAP over SSL functionality I installed the CA role on a Windows Server 2003 Domain Controller and used it to issue a server certificate to the same machine. I performed everything on a single server in a test environment. Be aware that Microsoft does not recommend installing a CA on a Domain Controller and recommends using a dedicated server for the CA role.


Install CA on Windows Server 2003

Install IIS:

Start > Control Panel > Add or Remove Programs > Add/Remove Windows Components
Application Server > Details > select Internet Information Services (IIS) and complete the wizard.

Install CA:

Start > Control Panel > Add or Remove Programs > Add/Remove Windows Components
Select Certificate Services > Next
Select Enterprise root CA > Next
Common name for this CA – enter your company name. Leave the other fields at their default values.
I chose not to enable Active Server Pages (ASPs).

Request a new server certificate for LDAP server

Open Certificates mmc:

Start > Run > mmc
File > Add/Remove Snap-in
Add > Certificates > Computer Account > Local Computer

Request certificate

Certificates > Personal > Certificates
Actions > All Tasks > Request New Certificate
Complete the wizard with default values.

Test LDAP over SSL

To test whether the LDAP server accepts secure LDAP connections you can use the ldp.exe tool. Ldp.exe is part of the Windows Server 2003 Support Tools.

Run ldp.exe
Connection > Connect
Server: <server name>
Port: 636
Check the information in the right panel to confirm that the connection was successful.
The title bar should display SSL://servername

With the ldp.exe tool you have to use the server host name or FQDN when connecting over SSL. If you try to connect using an IP address the connection will fail and you will get an error similar to this:
Error <0x51>: Fail to connect to 192.168.0.10.
This behaviour is by design; more about this in MS KB814662.
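The same check can be scripted instead of clicking through ldp.exe. The following is an added example, not part of the original post; it uses the .NET System.DirectoryServices.Protocols classes to perform an SSL bind on port 636 and reports whether it succeeded. The FQDN dc01.example.local is a placeholder; the IP 192.168.0.10 is the one from the error above, so the second call reproduces the by-design name-mismatch failure.

```powershell
# Added example: test an LDAPS bind with System.DirectoryServices.Protocols.
# Assumes it runs as a domain user on a machine that trusts the issuing CA.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapsBind {
    param(
        [Parameter(Mandatory)][string]$Server,   # host name or FQDN, not an IP
        [int]$Port = 636
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $true    # TLS from the first byte (LDAPS)
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    try {
        # Bind() performs the TLS handshake first; a certificate that does not
        # match $Server (e.g. an IP address) makes it throw an LdapException.
        $conn.Bind()
        [pscustomobject]@{
            Server   = $Server
            Port     = $Port
            Secure   = $true
            Protocol = $conn.SessionOptions.SslInformation.Protocol
            Error    = $null
        }
    } catch {
        [pscustomobject]@{
            Server   = $Server
            Port     = $Port
            Secure   = $false
            Protocol = $null
            Error    = $_.Exception.Message
        }
    } finally {
        $conn.Dispose()
    }
}

# Succeeds when the name matches the certificate subject / SAN (placeholder FQDN)...
Test-LdapsBind -Server 'dc01.example.local'
# ...and fails, as ldp.exe does, when an IP address is used instead.
Test-LdapsBind -Server '192.168.0.10'
```

If the first call reports Secure = $false, check that the server certificate is present under Certificates (Local Computer) > Personal and that the client trusts the issuing CA before looking elsewhere.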
