Re: Binding to AD using LDAP over SSL


From: Jason (jasons_at_hotmail.com)
Date: 01/27/05


Date: Wed, 26 Jan 2005 21:31:55 -0500

My experience:
1) To enable SLDAP on a DC, you need to install a Computer certificate,
not a user certificate.
2) Once the certificate is installed, using LDP.exe, you can bind to port
636, which is fine. And that means at least the DC is listening on "port 636".
3) You can further validate that port 636 or secure LDAP has been enabled by
using Outlook Express and connecting via port 636 to query your AD objects.
There's an MS article on how to do this - can't remember exactly the article
no.
4) Softerra LDAP Browser requires you to install a certificate using
Netscape, and without that you will not be able to browse (query) using
SSL over port 636. (See the Help from the Softerra browser.)
5) From Unix, if you bind to SLDAP, it should work - but make sure your
Unix machine trusts the Root of your certificate-issuing CA.

Hope this helps.

Jason

"David Shriner" <David Shriner@discussions.microsoft.com> wrote in message
news:B7FFCD96-98FA-4A8B-80B4-52E67270A56E@microsoft.com...
> Hi, I'm hoping some of you experts can help me figure out what I'm missing
> here...
>
> I've read through the following KB articles and followed the suggested
> methods for enabling LDAP over SSL: KB247078 and KB321051. I've got an
> Enterprise CA installed on a Windows 2000 member server in my domain and it
> appears the domain controllers have valid certificates from this CA (verified
> in the Certificates snap-in). When I use LDP.exe to bind to port 636 on the
> servers I am able to establish a connection and see the naming contexts for
> the domain. So it appears that LDAP over SSL *is* enabled.
>
> However when I try to connect to the domain controllers with a third party
> tool (like Softerra LDAP Browser) using port 636 I keep getting "Error 81:
> Can't contact LDAP server". I can connect to the standard LDAP port (389)
> without any problems but 636 won't allow a connection. I've tried binding
> with my user DN and as anonymous with no effect. I've also tried a standard
> ldapbind command on a UNIX host using the same credentials without any luck.
> I've requested and installed a user certificate on my client computer from
> the Enterprise CA but this didn't help either. Running netstat on the DCs
> shows that it is listening for requests using LDAPS.
>
> Is there anything else I can try? Have I missed something somewhere?
> Thanks for any help.
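The checks Jason lists (is the DC listening on 636, does the client trust the root of the issuing CA, does a bind over the TLS session succeed) can be run from a Unix client in one script. The following is an added example, not code from the thread or from Microsoft; the host name, the CA file path and all function names are assumptions, and the bind request is a hand-encoded LDAPv3 anonymous simple bind. It distinguishes the two failure modes discussed in the thread, a refused connection (no usable computer certificate on the DC) and a certificate that the client does not trust, which a generic "Error 81: Can't contact LDAP server" hides.

```python
"""Verify LDAP over SSL on a domain controller from a Unix client.

Added example; not part of the original thread. The DC host name, the CA
file path and every helper name here are hypothetical.
"""
import socket
import ssl

# Outcome keys map onto the points raised in the thread.
OUTCOMES = {
    "ok": "TLS handshake verified and anonymous LDAP bind succeeded",
    "bind_failed": "TLS is fine but the DC rejected the bind",
    "refused": "nothing listening on 636: the DC has no usable computer "
               "certificate (a user certificate does not enable LDAPS)",
    "untrusted": "certificate verify failed: this client does not trust the "
                 "root of the issuing CA; import the root CA certificate",
    "hostname": "certificate name does not match the host used to connect; "
                "connect with the DC's FQDN",
    "timeout": "no answer on 636: check name resolution and firewalls",
    "tls_error": "TLS handshake failed for a reason other than trust",
    "unknown": "unclassified socket error",
}


def classify_failure(exc: BaseException) -> str:
    """Map a connection or TLS exception to one of the OUTCOMES keys."""
    if isinstance(exc, ConnectionRefusedError):
        return "refused"
    if isinstance(exc, ssl.SSLCertVerificationError):
        # verify_message is set by the ssl module; fall back to str(exc)
        message = getattr(exc, "verify_message", None) or str(exc)
        return "hostname" if "hostname" in message.lower() else "untrusted"
    if isinstance(exc, ssl.SSLError):
        return "tls_error"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"
    return "unknown"


def anonymous_bind_request(message_id: int = 1) -> bytes:
    """Build an LDAPv3 anonymous simple BindRequest (RFC 4511) in BER."""
    bind = (
        b"\x02\x01\x03"   # version INTEGER 3
        + b"\x04\x00"     # name OCTET STRING "" (anonymous)
        + b"\x80\x00"     # authentication CHOICE simple [0], empty password
    )
    bind_op = b"\x60" + bytes([len(bind)]) + bind      # [APPLICATION 0]
    body = b"\x02\x01" + bytes([message_id]) + bind_op  # messageID INTEGER
    return b"\x30" + bytes([len(body)]) + body          # LDAPMessage SEQUENCE


def _tlv(buf: bytes, pos: int):
    """Read one BER TLV; returns (tag, value, next_pos). Handles long lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_result(data: bytes) -> int:
    """Return the resultCode of a BindResponse LDAPMessage (0 = success)."""
    tag, msg, _ = _tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _msg_id, pos = _tlv(msg, 0)          # skip messageID
    op_tag, op, _ = _tlv(msg, pos)
    if op_tag != 0x61:                       # [APPLICATION 1] BindResponse
        raise ValueError("not a BindResponse")
    code_tag, code, _ = _tlv(op, 0)
    if code_tag != 0x0A:                     # resultCode ENUMERATED
        raise ValueError("missing resultCode")
    return int.from_bytes(code, "big")


def check_ldaps(host: str, ca_file: str, port: int = 636, timeout: float = 5.0) -> str:
    """Connect with TLS, verify the DC certificate chain and host name against
    ca_file (the exported root CA, PEM), then try an anonymous bind."""
    context = ssl.create_default_context(cafile=ca_file)  # chain + hostname checks on
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with context.wrap_socket(raw, server_hostname=host) as tls:
                tls.sendall(anonymous_bind_request())
                reply = tls.recv(4096)
    except (OSError, ssl.SSLError) as exc:
        return classify_failure(exc)
    return "ok" if parse_bind_result(reply) == 0 else "bind_failed"


if __name__ == "__main__":
    # Hypothetical DC name and CA file; replace with your own.
    result = check_ldaps("dc1.example.local", "/etc/ssl/certs/enterprise-root-ca.pem")
    print(result, "-", OUTCOMES[result])
```

If the result is "refused" while LDP.exe on the DC itself binds to 636, the client is likely hitting a firewall or the wrong host rather than a certificate problem; "untrusted" is the Unix-side trust gap from Jason's point 5, fixed by exporting the Enterprise CA's root certificate and pointing `ca_file` at it, not by installing a user certificate on the client.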


