Active Directory : LDAP over SSL/TLS
2025/10/17

Configure LDAP over SSL/TLS to connect to Active Directory over LDAPS.
[1] Obtain a valid SSL/TLS certificate (for example from Let's Encrypt or another CA), or create a self-signed certificate. To create a self-signed certificate, run the following. If you use a valid certificate, skip this step.
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

# create with a validity period of 10 years
# specify FQDN of the Active Directory host for [DnsName]
PS C:\Users\Administrator> New-SelfSignedCertificate `
-DnsName "fd3s.srv.world" `
-KeyAlgorithm "ECDSA_nistP384" `
-KeyExportPolicy "Exportable" `
-CertStoreLocation "Cert:\LocalMachine\My" `
-NotAfter (Get-Date).AddYears(10)

   PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\My

Thumbprint                                Subject
----------                                -------
C14578E62D65C33A69053958BABA0A05F598DD8B  CN=fd3s.srv.world
[2] Change the access permissions on the private key of the SSL/TLS certificate. Whether you use a valid certificate or a self-signed one, set the following.
PS C:\Users\Administrator> Get-ChildItem Cert:\LocalMachine\My

   PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\My

Thumbprint                                Subject
----------                                -------
C14578E62D65C33A69053958BABA0A05F598DD8B  CN=fd3s.srv.world

PS C:\Users\Administrator> $ObjCert = Get-ChildItem Cert:\LocalMachine\My\C14578E62D65C33A69053958BABA0A05F598DD8B
PS C:\Users\Administrator> $Cert = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($ObjCert)
PS C:\Users\Administrator> $fileName = $Cert.key.UniqueName
PS C:\Users\Administrator> $filePath = "$env:ALLUSERSPROFILE\Microsoft\Crypto\Keys\$fileName"
# add [Full Control] perm to [NETWORK SERVICE]
PS C:\Users\Administrator> icacls $filePath /grant "NT AUTHORITY\NETWORK SERVICE:(F)"
processed file: C:\ProgramData\Microsoft\Crypto\Keys\a9f8f43b128f5e956f346cd5c9ea6c29_41bafaca-92a7-4cab-a195-66c812ee3926
Successfully processed 1 files; Failed processing 0 files

PS C:\Users\Administrator> icacls $filePath
C:\ProgramData\Microsoft\Crypto\Keys\a9f8f43b128f5e956f346cd5c9ea6c29_41bafaca-92a7-4cab-a195-66c812ee3926 NT AUTHORITY\NETWORK SERVICE:(F)
                                                                                                             BUILTIN\Administrators:(F)
                                                                                                             NT AUTHORITY\SYSTEM:(F)

Successfully processed 1 files; Failed processing 0 files
[3] If you created a self-signed certificate, add it to the trusted root store. If you use a valid certificate, skip this step.
PS C:\Users\Administrator> $ObjCert = Get-ChildItem Cert:\LocalMachine\My\C14578E62D65C33A69053958BABA0A05F598DD8B
PS C:\Users\Administrator> Export-Certificate -Cert $ObjCert -FilePath "C:\Users\Administrator\fd3s.srv.world.cer"

    Directory: C:\Users\Administrator

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         10/17/2025   6:25 AM            476 fd3s.srv.world.cer

PS C:\Users\Administrator> Import-Certificate -FilePath "C:\Users\Administrator\fd3s.srv.world.cer" -CertStoreLocation "Cert:\LocalMachine\Root"

   PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\Root

Thumbprint                                Subject
----------                                -------
C14578E62D65C33A69053958BABA0A05F598DD8B  CN=fd3s.srv.world

# restart Computer to apply changes
PS C:\Users\Administrator> Restart-Computer -Force
[4] After rebooting, launch [ldp.exe] from PowerShell or similar, then open [Connection] - [Connect]. In the dialog that appears, enter the AD host's FQDN in the [Server] field, specify 636 in [Port], check [SSL], and click [OK].

[5] If you see [Established connection ***] in the output, the connection is OK.
[6] To test the connection from a Linux client, configure it as follows. As an example, we connect from an Ubuntu 24.04 client. Note that TLS_REQCERT allow makes the client proceed even when the server certificate cannot be verified; to keep verification with a self-signed certificate, copy the .cer exported in [3] to the client, convert it to PEM, and reference it with TLS_CACERT instead.
root@client:~# apt -y install ldap-utils
root@client:~# vi /etc/ldap/ldap.conf
# if using a self-signed certificate on AD host, add the line
TLS_REQCERT allow

# Connect to AD
# get user information as an example
# -D "(any AD user)" -w "(AD user password)"
root@client:~# ldapsearch -x -H ldaps://fd3s.srv.world:636 -b "dc=srv,dc=world" -D "serverworld@srv.world" -w "P@ssw0rd01" -s sub "(&(objectcategory=user)(sAMAccountName=*))"
#
# LDAPv3
# base <dc=srv,dc=world> with scope subtree
# filter: (&(objectcategory=user)(sAMAccountName=*))
# requesting: ALL
#

# Administrator, Users, srv.world
dn: CN=Administrator,CN=Users,DC=srv,DC=world
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Administrator
description: Built-in account for administering the computer/domain
distinguishedName: CN=Administrator,CN=Users,DC=srv,DC=world
instanceType: 4
whenCreated: 20251017111330.0Z
whenChanged: 20251017132240.0Z
uSNCreated: 8196
memberOf: CN=Group Policy Creator Owners,CN=Users,DC=srv,DC=world
memberOf: CN=Domain Admins,CN=Users,DC=srv,DC=world
memberOf: CN=Enterprise Admins,CN=Users,DC=srv,DC=world
memberOf: CN=Schema Admins,CN=Users,DC=srv,DC=world
memberOf: CN=Administrators,CN=Builtin,DC=srv,DC=world
uSNChanged: 16432
name: Administrator
objectGUID:: aqq75GPewEWmnCteP/Dbpw==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 134051830102149507
logonHours:: ////////////////////////////
pwdLastSet: 134051726233637236
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAH8UbFThaqcEcMsxj9AEAAA==
adminCount: 1
accountExpires: 0
logonCount: 11
sAMAccountName: Administrator
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=srv,DC=world
isCriticalSystemObject: TRUE
dSCorePropagationData: 20251017132240.0Z
dSCorePropagationData: 20251017132240.0Z
dSCorePropagationData: 20251017111451.0Z
.....
.....
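Two attributes in the output above are only useful once decoded: objectSid (a base64-encoded binary SID) and userAccountControl (a bitmask). As an added example, not code from the original page, the Python script below parses that ldapsearch output, decodes both, and lists privileged group memberships per account; the LDIF sample is constructed from the Administrator entry above, and the flag names are the standard userAccountControl bits from MS-ADTS.

```python
import base64
import struct

# Constructed sample: the Administrator entry from the ldapsearch output above, cut
# down to the attributes used here (unfolded lines, as with -o ldif-wrap=no).
SAMPLE_LDIF = """\
# Administrator, Users, srv.world
dn: CN=Administrator,CN=Users,DC=srv,DC=world
memberOf: CN=Domain Admins,CN=Users,DC=srv,DC=world
memberOf: CN=Enterprise Admins,CN=Users,DC=srv,DC=world
userAccountControl: 66048
objectSid:: AQUAAAAAAAUVAAAAH8UbFThaqcEcMsxj9AEAAA==
sAMAccountName: Administrator
"""

# Subset of userAccountControl bits (MS-ADTS) and the groups worth flagging.
UAC_FLAGS = {0x0002: "ACCOUNTDISABLE", 0x0020: "PASSWD_NOTREQD", 0x0200: "NORMAL_ACCOUNT",
             0x10000: "DONT_EXPIRE_PASSWORD", 0x400000: "DONT_REQ_PREAUTH"}
PRIVILEGED = ("Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators")

def parse_ldif(text):
    """Entries as {attribute: [values]}; '::' marks base64, decoded to bytes."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():                      # blank line ends an entry
            entries, cur = entries + ([cur] if cur else []), {}
        elif not line.startswith("#"):            # skip ldapsearch comment lines
            attr, value = line.split(":", 1)
            decoded = base64.b64decode(value[1:].strip()) if value.startswith(":") else value.strip()
            cur.setdefault(attr, []).append(decoded)
    return entries + ([cur] if cur else [])

def sid_to_string(blob):
    """Binary objectSid -> 'S-1-5-21-...-RID' (revision byte, sub-authority count,
    48-bit big-endian identifier authority, then little-endian 32-bit sub-authorities)."""
    subs = struct.unpack("<%dI" % blob[1], blob[8:8 + 4 * blob[1]])
    return "S-%d-%d-%s" % (blob[0], int.from_bytes(blob[2:8], "big"), "-".join(map(str, subs)))

def audit(text):
    """Per user: SID, RID, decoded UAC flags and privileged group memberships."""
    report = []
    for e in parse_ldif(text):
        sid = sid_to_string(e["objectSid"][0])
        uac = int(e["userAccountControl"][0])
        groups = [g.split(",")[0][3:] for g in e.get("memberOf", [])]   # 'CN=Name,...' -> 'Name'
        report.append({"sam": e["sAMAccountName"][0], "sid": sid,
                       "rid": int(sid.rsplit("-", 1)[1]),
                       "flags": [n for b, n in sorted(UAC_FLAGS.items()) if uac & b],
                       "privileged": [g for g in groups if g in PRIVILEGED]})
    return report
```

Feeding it the full ldapsearch output (or one saved with -o ldif-wrap=no) reports every returned account the same way; RID 500 identifies the built-in Administrator regardless of its name.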