Problem installing certificates for using ldaps

Unanswered Question
Jul 24th, 2007

Hi

I've installed ACS 4.1 on Windows 2003 Server. I made a generic ldap connection to m$ active directory. I'm able to configure "Group Mappings for LDAP Users". So far so good.

But if I set the generic ldap connection to ldaps nothing works ???

I installed in ACS the "GTE CyberTrust Global Root" certificate and the intermediate certificate "Cybertrust Educational CA". I marked both in "System Configuration". Under "generic ldap" I set param "Trusted Root CA" to "Cybertrust Educational CA". I checked "Use Secure Authentication" and set the port to 636.

I restarted ACS but nothing works. I set it back to a normal ldap connection (389) and everything works well.

Then I tested connecting with the ldp tool from Windows to Active Directory through port 636 (ldaps) and everything works well.

After all, this must be a certificate installation issue under ACS.

Does somebody know how to install these things correctly???

I read many manuals from Cisco but nothing helps me...

Thanx for help

bb

bigbrother74 Wed, 07/25/2007 - 03:42

@ rochopra

I don't have a problem with the ldap database; I have a problem configuring it for ldap over ssl.

The ldap connection works perfectly. But not with encryption over ssl.

So my problem is a certificate installation issue, not an ldap problem...

Thanx for help

bb

mattiaseriksson Thu, 07/26/2007 - 03:03

No.

You should only need to use the "Trusted Root CA" option.

ACS supports only server-side authentication for SSL.

bigbrother74 Thu, 07/26/2007 - 03:48

@ mattiaseriksson

Okay thank you.

But it still does not work for me. If I use a normal ldap connection through port 389 then everything works well.

I installed the root and intermediate certificates and I trusted both of these certs but it still does not work.

I was sniffing during the authentication and I see that the certification path is correct.

I also tested the ldaps connection with the ldp client from windows and it works to connect through port 636 ldaps but not within acs???

Why is that???

Any suggestion?

bb

mattiaseriksson Thu, 07/26/2007 - 05:35

To me it looks like a TCP error. Is the connection allowed in the firewall? Have you tried the ldaps connection with the ldp client from windows on the same machine? Or just try with a good old telnet to port 636.

bigbrother74 Thu, 07/26/2007 - 05:47

@ mattiaseriksson

"Have you tried the ldaps connection with the ldp client from windows on the same machine?"

Yes, I've tried to connect via the ldp Windows tool from the same machine to the AD server via port 636 and it works perfectly.

So I don't think that it is a firewall issue...

Here is a Wireshark extraction for the connection. See the attachment...

msbenjamin Thu, 07/26/2007 - 08:05

Install the root certificate that you are trying to use in the "ACS Certification Authority Setup" under "System Configuration -> ACS Certificate Setup". Then choose it under your Generic LDAP configuration. Then it should work.

bigbrother74 Thu, 07/26/2007 - 22:33

@ msbenjamin

I did all these things but it does not work ???

I installed the eval version of ACS 4.1. They said it is fully functional like the full version. Do you think that could be the mistake?

Thanx for help

bb

bigbrother74 Thu, 07/26/2007 - 23:25

@msbenjamin

I do have a root certificate and an intermediate certificate. I installed the intermediate certificate like the root certificate and I also trusted this certificate like the root cert but it does not work.

Does it have something to do with the intermediate cert???

Is there a bug?

Thanx for help

bb

msbenjamin Fri, 07/27/2007 - 05:34

You need the root certificate installed on the ACS. That is the certificate that it will use to secure the connection to LDAP with.

rochopra Fri, 07/27/2007 - 19:27

Can you perform a test?

Install a self-signed certificate of ACS and check if you are able to connect to LDAP.

This will clear the questions of intermediate cert for you.

Regards

Rohit
