Troubleshooting LDAP Over SSL

re: Troubleshooting LDAP Over SSL

ancienthacker — Thu, 13 Mar 2008 22:11:23 GMT

Thanks for the (incredibly) timely article. Is the Subject Alternate Name what one would use when you wants LDAPS requests to both system.addomain.local and addomain.local to work properly? I.E. both the individual DC and the AD domin DNS name respond?

re: Troubleshooting LDAP Over SSL

NedPyle — Fri, 14 Mar 2008 15:57:40 GMT

Thanks for the response and I'm glad you found this blog to be helpful.

To answer your question, yes the SAN can be used for this purpose. Please take a look at the following article for instructions on configuring the SAN:

931351 How to add a Subject Alternative Name to a secure LDAP certificate

http://support.microsoft.com/default.aspx?scid=kb;EN-US;931351

LDAP over SSL/TLS: How secure is your Directory?

JefTek.com — Sun, 30 Mar 2008 09:20:00 GMT

One of the issues with using LDAP as an "Authentication" protocol for applications is that this usually means LDAP simple binds. LDAP simple binds by default will pass the userId and userPassword in clear text between the client and the server.

re: Troubleshooting LDAP Over SSL

KHauer — Thu, 14 Aug 2008 20:13:49 GMT

This article is quite helpful from a perspective of "understanding"... Where do you look when you can't publish a CRL though? The exact error is:

CertUtil: -CRL command FAILED: 0x80072098 (WIN32: 8344)

CertUtil: Insufficient access rights to perform the operation.

re: Troubleshooting LDAP Over SSL

NedPyle — Thu, 14 Aug 2008 21:04:28 GMT

Could be a couple of things:

1. You aren't an Enterprise Administrator

2. You are, but you don;t have rights because someone has been mucking about.

You should have an event 74 in the event log on your CA, and it will have an LDAP path to the spot where you need to check permissions in AD with ADSIEDIT.MSC