LDAP TLS Configuration

From idenprotect Knowledge Base
Jump to: navigation, search


When you configure the idenprotect Core Platform to connect to LDAP, the standard connection without TLS uses ldap:// and port 389. You can also make a connection which establishes TLS upon connecting and this uses ldaps:// and port 636. By default, Microsoft AD Servers offer unencrypted connections so TLS needs to be activated. This is a guide to assist you in the activation process.

If TLS has already been activated and you are looking to configure the LDAP connection on idenprotect Core Platform, see LDAP Connection Configuration

Active Directory Server Steps

Enabling LDAPS

The following guide is an external resource, not owned or maintained by idenprotect. It is an example of how you can create a self-signed certificate for Microsoft Active Directory servers which will enable an encrypted connection. The self-signed portion can be swapped out with vendor-purchased certificates if you wish. We recommend following this guide up to and including Accepting and Importing certificates. Using this guide with self-signed certificates will require you to have a tool like OpenSSL available on your Active Directory server.

Enabling LDAP over SSL

After following these steps, the Active Directory server will require a reboot. Ensure that the server is not being used at the time as any active users will immediately be disconnected.

Testing the secure connection

You can use a tool like Softerra LDAP Administrator to test LDAP connections. Note that the free version of this software comes with a limited 30-day trial license.

Enabling LDAPS does not disable unencrypted connections, that would need to be separately firewalled. If this is the first time you have used this software, we recommend attempting to connect unencrypted to LDAP first to familiarise yourself and ensure that you are able to establish a connection.

You should be able to connect by entering your host and port in the profile and by using a username and password in the credentials. A successful connection will open up the server to display your Configuration, schema and Domain Controller details.

To test the secure connection, repeat the process, replacing port 389 with port 636. You may also need to update the principal and password depending on your configuration.

idenprotect Core Platform steps

Updating the certificate Trust Store

A trust store is required to hold the certificates the idenprotect Core Platform will use in order to access LDAP over TLS. The store used when establishing network connections is a System Property and its value is dependent on other parameters.

To configure the trust store settings, see Certificate Authority Server Configuration. If you are using the EJBCA connector you will need to configure the Trust Store, if you are using the SOAP connector or internal CA then you will need to configure the CA Key Store

If you don't already have this configured. You may need to create a new Keystore which will require a tool like Keystore Explorer.

Whether you are creating a new trust store or adding to an existing one, you will need to add both the client and root certificates you either created during the preceding steps or received from a vendor. You will be asked to provide an alias for each of the certificates you import. Editing the alias is optional but it is important to note that all certificates require a unique alias.

Trusting Self-Signed certificates

IMPORTANT NOTE: We do not recommend enabling the following unless you have set everything up in an isolated and completely trusted network. This can nullify the whole purpose of using LDAPS over TLS unless you have taken other preventative measures.

Self-signed certificates are not considered as fully trustable. When accessing a website with an untrusted certificate you will normally get the option to click your way through and allow access, however, Java does not have this option. If you are using self-signed certificates, the idenprotect Core Platform will not be able to connect to LDAPS over TLS without an additional property being enabled.

The recommended solution for this is to have a vendor-purchased certificate as this will be trusted and correctly signed.

If you wish to enable the trusting of any certificate, you will need to amend the LDAPS Trust All Certificates property. Please see LDAP Connection Configuration

Testing the connection to LDAPS via the application

To check if the process has been successful and idenprotect Core Platform can contact LDAPS over TLS you can use the Health Check Metrics