I don't know if someone is familiar with Tivoli Directory Server (ldap) but I guess there is something more or less the same in every ldap software.
So, there is a setting for ssl authentication which can be serverClientAuth and serverAuth. With serverAuth it is sufficient for the server to provide the certificate and the client (jxplorer) just accepts it to connect. With serverClientAuth, besides the certificate provided by the server, the client also needs to have its certificate on the server.
In my setup I have the serverClientAuth setting. So I was wondering if it is possible for jxplorer to provide the client certificate to the ldap server.
Any thoughts are welcome. Thanks.
Yes it is possible, and there is a menu provided specifically for that purpose, which lets you define the KeyStore, truststore, and various other SSL things.
I'm looking at hardening LDAP on my domain controller (DC). To do this I need to import a security certificate to the DC.
I don't want to self sign as I've been told it is not best practice and the service I wish to integrate with LDAPS (Mimecast) does not recommend self signing.
I've created my certificate request, based upon the domain's fqdn. e.g. mydomain.local
What I'm not sure about now is where I can get a certificate based on that request.
I'm familiar with SSL for HTTPS. That process makes sense to me, the certification authority checks that I own the domain and provides a certificate that I can then install on my web server.
Will 3rd party SSL providers let me configure a certificate with the common name "mydomain.local"?
Or am I looking in completely the wrong area?
Many thanks in advance for any help provided.
The type of certificate is exactly the same type of certificate as you would get for securing a website, yes. However, the domain name must be a valid internet domain (not .local)
There is a good walk-through here for Using Let's Encrypt for Active Directory Domain Controller Certificates, including all the caveats you need to be aware of.
I want to purchase commercial SSL certificates for freeRadius server (over linux) to use for PEAP 802.1X Authentication for Windows Clients.
Does anyone know if there is anything in particular that I have to look in the certificate to use it with radius? As far as I have read, a standard SSL certificate should work.
Thanks!
No a standard SSL certificate won't generally work. It needs to have some very specific OIDs for use with Windows clients. See /etc/raddb/certs/xpextensions for the specific OIDs you need.
Many CAs will include these automatically if you specify you're using the certs for 802.1X.
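An added example (not from the answer above or from the FreeRADIUS project): a small Python decoder for the DER-encoded extendedKeyUsage extension value, followed by a check for the Server Authentication EKU (1.3.6.1.5.5.7.3.1) that Windows supplicants expect on a PEAP server certificate. The sample byte strings are constructed; in practice the extension value is extracted from the real certificate with openssl or an X.509 library, which this snippet does not do. The decoder is general (long-form lengths, multi-byte OID arcs), so it goes beyond the two EKUs shown.

```python
# Added example (not from the original answer): decode an X.509 extendedKeyUsage
# extension value from DER and check it for the EKU a Windows 802.1X supplicant
# expects on a RADIUS/PEAP server certificate. Sample bytes below are constructed.

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"  # id-kp-clientAuth


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def decode_oid(body):
    """Turn the content octets of a DER OBJECT IDENTIFIER into dotted form."""
    if not body:
        raise ValueError("empty OID")
    arcs = []
    value = 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends this sub-identifier
            arcs.append(value)
            value = 0
    if body[-1] & 0x80:
        raise ValueError("OID ends mid sub-identifier")
    first = arcs[0]
    # The first two arcs are packed as 40*X + Y (X in {0, 1, 2}).
    if first < 80:
        x, y = divmod(first, 40)
    else:
        x, y = 2, first - 80
    return ".".join(str(a) for a in [x, y] + arcs[1:])


def decode_eku(der):
    """Decode an extendedKeyUsage value (SEQUENCE OF OBJECT IDENTIFIER)."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("extendedKeyUsage value must be a single SEQUENCE")
    oids = []
    pos = 0
    while pos < len(seq):
        tag, body, pos = _read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("non-OID element inside extendedKeyUsage")
        oids.append(decode_oid(body))
    return oids


def missing_for_peap_server(eku_oids):
    """Return the EKUs a PEAP server certificate still lacks (empty = usable)."""
    return [oid for oid in (SERVER_AUTH,) if oid not in eku_oids]


# Constructed sample: SEQUENCE { serverAuth, clientAuth }.
EKU_WITH_SERVER_AUTH = bytes.fromhex(
    "3014" "06082b06010505070301" "06082b06010505070302"
)
# Constructed sample: SEQUENCE { clientAuth } only, i.e. a certificate that
# cannot serve as the PEAP server identity for Windows clients.
EKU_CLIENT_ONLY = bytes.fromhex("300a" "06082b06010505070302")

if __name__ == "__main__":
    for label, der in (("good", EKU_WITH_SERVER_AUTH), ("bad", EKU_CLIENT_ONLY)):
        oids = decode_eku(der)
        print(label, oids, "missing:", missing_for_peap_server(oids))
```

The check only covers the Server Authentication EKU; the xpextensions file referenced above is the authority for the complete set of extensions a given FreeRADIUS version expects.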
I am trying to resolve a problem whereby trying to set a user's password over LDAP is failing because of an access denied error - even though I am authenticating against the AD with an admin user.
An answer found in stackoverflow says that either I have to run the IIS user as the admin user (which does work) or I should connect to LDAP via SSL.
I can't go with the first option because I am using Elastic Beanstalk which will create and terminate instances so I can't change/set the user that IIS will be running as. So I am trying to use the LDAP over SSL idea.
My question is does that still require that the client itself also have a certificate installed in order to establish trust with the Domain controller? Or does this work just by installing a cert on the Domain controller and allowing the connection over SSL?
If it requires a certificate on the client then I have the same problem as I can't install anything on the client server other than the deployed app since Beanstalk is going to recreate and terminate that instance at will.
So does LDAPS require a cert on the client?
Is there a better way to solve my problem given the infrastructure I am using?
So does LDAPS require a cert on the client?
No, LDAPS does not require a client certificate. A domain controller certificate is sufficient to utilize LDAPS. More details about LDAPS and certificate requirements: LDAP over SSL (LDAPS) Certificate
trying to set a users password over LDAP is failing because of an access denied error
There might be over9000 reasons why you receive this message. You need to check whether you are successfully authenticated on the DC; if yes, check whether you have permissions and privileges (especially if UAC is enabled). I would set up audit policies (on failed user password changes) and check the Security eventlog to figure out what is going wrong.
No.
For openldap, I achieved this by adding this line to ldap.conf. But be aware that when you do that, your connections will be open to attacks like man-in-the-middle or any other.
TLS_REQCERT never
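As an added illustration (not part of the answer above), the weak setting beside a hardened ldap.conf that keeps server verification on; the CA file path is an assumed placeholder:

```text
# Weak: accept any server certificate, so a man-in-the-middle can present its own
TLS_REQCERT never

# Hardened: require a server certificate that chains to a trusted CA
# (assumed path to the CA certificate file)
TLS_CACERT /etc/openldap/certs/ca.pem
TLS_REQCERT demand
```

With demand, the client refuses the connection when the server presents no certificate or one that does not verify against TLS_CACERT, which is the check that never switches off.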
This is what I found using trial and error approach:
Actually, LDAPS server always asks for client certificate. You can verify that by turning on SCHANNEL log and observing the following message:
If there is no client authentication certificate then the LDAPS connection still succeeds, i.e. no client authentication certificate is required indeed. But if you have some invalid client authentication certificate (in my case it was an expired cert installed long ago by a third party app) the connection will fail w/o any error or warning in the SCHANNEL log on the client side. It took me a while to figure this out.
Yes, of course your client needs a certificate to allow LDAPS communication between it and the server.
According to windowsitpro.com:
"As an option, you can use LDAPS for client authentication -- but doing so requires that you also install a client authentication certificate on each of your clients."
I got a few e-mails yesterday warning me that some of my WHM self-assigned SSL certificates are going to expire. I did not set up the WHM originally, but according to their documentation self-assigned certificates are usually created during the WHM installation.
Services that need a new certificate:
cPanel/WHM/Webmail Service
Exim (SMTP) Server
Dovecot Mail Server
FTP Server
All on the same domain (which is our main domain that we use to access whm).
All current services have self-assigned certificates. I don't know the point of having a self-assigned certificate if they create browser errors anyway.
So I guess I have 2 questions:
Are there any issues that could arise from resetting the current certificates?
Do I have to have a certificate at all? Our main domain (that has all these certificates) doesn't use SSL.
I'm afraid I don't have experience of WHM, but I do have experience with ssl certificates, so hopefully this will be helpful anyway.
If there are any existing clients who have been using the services over SSL, they will have already been accepting the existing self-signed certificates, so they should be able to accept the new ones. Whether this will happen automatically probably depends on the client.
You say your main domain doesn't use ssl. However, are you just talking about a website? Are there, for example, email clients which are talking to your Exim server using secure SMTP or to dovecot using secure IMAP for example? If so, then they'd need the server to provide an ssl certificate (and they may need to accept the new self-signed certificate).
Self-signed certificates will cause browser security exceptions that need to be accepted by users and they don't provide a guarantee of identity in the same way that 'proper' certificates do, but at least they enable encryption to be used for communication.
Can anyone explain to me when a certificate is required using WCF and authentication? From my understanding, although I could be way off :-)
basichttp doesn't require a certificate to do authentication if hosted in IIS and using SSL; otherwise a certificate is required
All other bindings like netTcpBindings etc require the use of a certificate - is this true?
Or does it depend on what type of authentication I am using?
I would really appreciate any info or maybe a table telling me when a certificate is needed.
I have a number of scenarios I am investigating like hosting in IIS or hosting in a Windows Service.
And I just can't seem to find the info I need
Thanks in advance
There are two scenarios where you need a certificate:
A server side certificate that is used for SSL. For basichttpbinding, if you are sending a username and password over the network you should use SSL.
A client side certificate if you are authenticating clients using certificates.
Other bindings may use machine keys and certificates in the operating system, but you do not need to install a certificate for them to work.