Problem installing certificates for using ldaps

Unanswered Question
Jul 24th, 2007
User Badges:

Hi


I've installed ACS 4.1 on Windows 2003 Server. I made a generic ldap connection to m$ active directory. I'm able to configure "Group Mappings for LDAP Users". So far so good.


But if I set the generic ldap connection to ldaps nothing works ???


I installed in ACS the "GTE CyberTrust Global Root" certificate and the intermediate certificate "Cybertrust Educational CA". I marked both in "System Configuration". Under "generic ldap" I set param "Trusted Root CA" to "Cybertrust Educational CA" I checked "Use Secure Authentication" and set the port to 636.


I restart acs but nothing works. I set it back to normal ldap connection (389) an everything works well.


Then I test to connect via ldp-tool from windows to connect to active directory through port 636 (ldaps) and everything works well.


After all this must be certificate installation issue under acs.


Does somebody know how to install this things correctly???


I red many manuals from cisco but nothing helps me...


Thanx for help


bb


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
bigbrother74 Wed, 07/25/2007 - 03:42
User Badges:

@ rochopra


I don't have problem with the ldap database I have problem to configure it for ldap over ssl.


The ldap connection does work perfect. But noch with encryption over ssl.


So my problem is a certificate installation issue not an ldap problem...


Thanx for help


bb

bigbrother74 Thu, 07/26/2007 - 02:26
User Badges:

@ ALL


Do I need to install a "ACS Certificate" also?


Grees


bb

mattiaseriksson Thu, 07/26/2007 - 03:03
User Badges:
  • Bronze, 100 points or more

No.


You should only need to use the "Trusted Root CA" option.


ACS supports only server-side authentication for SSL.

bigbrother74 Thu, 07/26/2007 - 03:48
User Badges:

@ mattiaseriksson


Okay thank you.


But it still does not work for me. If I use normal ldap connection through port 389 than everything works well.


I installed the root and intermediate certificate and I trusted this both certs but it still does not work.


I was sniffing during the authentication and I see that the certification path is correct.


I also tested the ldaps connection with the ldp client from windows and it works to connect through port 636 ldaps but not within acs???


Why is that???


Any suggestion?


bb

mattiaseriksson Thu, 07/26/2007 - 05:35
User Badges:
  • Bronze, 100 points or more

To me it looks like a TCP error. Is the connection allowed in the firewall? Have you tried the ldaps connection with the ldp client from windows on the same machine? Or just try with a good old telnet to port 636.

bigbrother74 Thu, 07/26/2007 - 05:47
User Badges:

@ mattiaseriksson



Have you tried the ldaps connection with the ldp client from windows on the same machine?



Yes I've tried to connect via ldp windows tool from the same machine to connect to the ad server via prot 636 and it work perfect.


So I don't think that it is a firewall issue...


Here is an WireShark extraction for the connection. Watch the attachment...



msbenjamin Thu, 07/26/2007 - 08:05
User Badges:

Install the root certificate that you are trying to use in the "ACS Certification Authority Setup" under "System Configuration -> ACS Certificate Setup". Then choose it under your Generic LDAP configuration. Then it should work.

bigbrother74 Thu, 07/26/2007 - 22:33
User Badges:

@ msbenjamin


I did all these things but it does not work ???


I installed the eval version from acs 4.1. They said it is fully functional like the full version. Do you think that could be the mistake?


Thanx for help


bb

bigbrother74 Thu, 07/26/2007 - 23:25
User Badges:

@msbenjamin


I do have a root certificate and an intermediate certificate. I installed the intermediate certificate like the root certificate and I also trusted this certificate like the root cert but it it does not work.


Has is something to do with the intermediate cert???


Is there a bug?


Thanx for help


bb

msbenjamin Fri, 07/27/2007 - 05:34
User Badges:

You need the root certificate installed on the ACS. That is the certificate that it will use to secure the connection to LDAP with.

rochopra Fri, 07/27/2007 - 19:27
User Badges:
  • Cisco Employee,

can you perform a test


install self signed certificate of ACS and check if you are able to connect to LDAP.


This will clear the questions of intermediate cert for you.


Regards

Rohit

Actions

This Discussion