Problem installing certificates for using ldaps

bigbrother74
Level 1

Hi

I've installed ACS 4.1 on Windows 2003 Server. I made a generic ldap connection to m$ active directory. I'm able to configure "Group Mappings for LDAP Users". So far so good.

But if I set the generic LDAP connection to LDAPS, nothing works???

I installed in ACS the "GTE CyberTrust Global Root" certificate and the intermediate certificate "Cybertrust Educational CA". I marked both in "System Configuration". Under "generic ldap" I set the parameter "Trusted Root CA" to "Cybertrust Educational CA", checked "Use Secure Authentication" and set the port to 636.

I restarted ACS but nothing works. I set it back to a normal LDAP connection (389) and everything works well.

Then I tested connecting with the Windows ldp tool to Active Directory through port 636 (LDAPS) and everything works well.

After all, this must be a certificate installation issue in ACS.

Does somebody know how to install these things correctly???

I read many manuals from Cisco but nothing helps me...

Thanx for help

bb

15 Replies

rochopra
Cisco Employee

The following link can help you configure the LDAP database:

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs41/user/usrdb.htm#wp491718

BTW, what is the error message you are getting?

Regards

Rohit

@ rochopra

I don't have a problem with the LDAP database; I have a problem configuring it for LDAP over SSL.

The LDAP connection works perfectly, but not with encryption over SSL.

So my problem is a certificate installation issue, not an LDAP problem...

Thanx for help

bb

@ ALL

Do I need to install a "ACS Certificate" also?

Greets

bb

No.

You should only need to use the "Trusted Root CA" option.

ACS supports only server-side authentication for SSL.

@ mattiaseriksson

Okay thank you.

But it still does not work for me. If I use a normal LDAP connection through port 389, then everything works well.

I installed the root and intermediate certificates and I trusted both certs, but it still does not work.

I was sniffing during the authentication and I see that the certification path is correct.

I also tested the LDAPS connection with the ldp client from Windows, and it connects through port 636 (LDAPS), but not within ACS???

Why is that???

Any suggestion?

bb

Any error messages on either side?

@ mattiaseriksson

Here is output from auth.log; see the attachment please.

Thanx

bb

To me it looks like a TCP error. Is the connection allowed in the firewall? Have you tried the ldaps connection with the ldp client from windows on the same machine? Or just try with a good old telnet to port 636.

@ mattiaseriksson

Have you tried the ldaps connection with the ldp client from windows on the same machine?

Yes, I've tried to connect via the Windows ldp tool from the same machine to the AD server via port 636, and it works perfectly.

So I don't think that it is a firewall issue...

Here is a Wireshark extract of the connection. See the attachment...

msbenjamin
Level 1

Install the root certificate that you are trying to use in the "ACS Certification Authority Setup" under "System Configuration -> ACS Certificate Setup". Then choose it under your Generic LDAP configuration. Then it should work.

@ msbenjamin

I did all these things but it does not work ???

I installed the eval version of ACS 4.1. They said it is fully functional like the full version. Do you think that could be the mistake?

Thanx for help

bb

Possibly, I've never used it.

@msbenjamin

I do have a root certificate and an intermediate certificate. I installed the intermediate certificate like the root certificate and I also trusted this certificate like the root cert, but it does not work.

Does it have something to do with the intermediate cert???

Is there a bug?

Thanx for help

bb

You need the root certificate installed on the ACS. That is the certificate that it will use to secure the connection to LDAP with.
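The thread turns on one distinction: the certificate chosen as "Trusted Root CA" must be the self-signed root, not the intermediate "Cybertrust Educational CA" that the original poster selected. The script below is an added example for this thread, not Cisco ACS code or anything posted by the participants. It reads only the issuer and subject names out of DER-encoded X.509 certificates (it does not verify signatures), orders a chain leaf -> intermediate -> root by issuer/subject linkage, and reports whether a chosen anchor is actually a root. The sample certificates are constructed inline as unsigned X.509-shaped blobs using the two CA names from the thread; the domain controller name "dc01.example.test" is a placeholder.

```python
"""Is the chosen "Trusted Root CA" really a root? Name-linkage check for an LDAPS chain.

Added example for this thread, not ACS code. Parses issuer/subject only (no signature
verification). Sample certificates below are constructed placeholders, not real certs.
"""


def _tlv(buf, pos=0):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(buf):
    """Split the content of a constructed DER value into (tag, value) pairs."""
    pos, out = 0, []
    while pos < len(buf):
        tag, val, pos = _tlv(buf, pos)
        out.append((tag, val))
    return out


def cert_names(der):
    """Return (issuer_name_der, subject_name_der) from a DER X.509 certificate."""
    _, cert, _ = _tlv(der)                              # Certificate SEQUENCE
    fields = _children(_children(cert)[0][1])           # tbsCertificate fields
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version
        fields = fields[1:]
    return fields[2][1], fields[4][1]                   # serial, sigAlg, issuer, validity, subject


def common_name(name_der):
    """Pull the CN (OID 2.5.4.3) out of a DER Name for display."""
    for _, rdn in _children(name_der):                  # RDN = SET OF AttributeTypeAndValue
        for _, atv in _children(rdn):
            (_, oid), (_, val) = _children(atv)
            if oid == b"\x55\x04\x03":
                return val.decode()
    return "<no CN>"


def is_self_signed(der):
    """A root CA certificate carries the same name as issuer and subject."""
    issuer, subject = cert_names(der)
    return issuer == subject


def order_chain(certs):
    """Order certificates leaf -> intermediates -> root by issuer/subject linkage."""
    names = {c: cert_names(c) for c in certs}
    issued_by = {names[c][0] for c in certs if names[c][0] != names[c][1]}
    leaves = [c for c in certs if names[c][1] not in issued_by]
    if len(leaves) != 1:
        raise ValueError("could not identify a single leaf certificate")
    chain, by_subject = [leaves[0]], {names[c][1]: c for c in certs}
    while not is_self_signed(chain[-1]):
        parent = by_subject.get(names[chain[-1]][0])
        if parent is None:                              # chain stops short of a root
            break
        chain.append(parent)
    return chain


def audit_trust_anchor(certs, anchor):
    """Report whether `anchor` is a true root and whether the chain reaches it."""
    chain = order_chain(certs)
    return {
        "path": [common_name(cert_names(c)[1]) for c in chain],
        "anchor_is_root": is_self_signed(anchor),
        "chain_reaches_anchor": anchor in chain,
        "chain_complete": is_self_signed(chain[-1]),
    }


# --- Constructed sample chain: X.509-shaped blobs with no real keys or signatures ---

def _enc(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _name(cn):
    atv = _enc(0x30, _enc(0x06, b"\x55\x04\x03") + _enc(0x13, cn.encode()))
    return _enc(0x30, _enc(0x31, atv))


SHA256_RSA = _enc(0x30, _enc(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _enc(0x05, b""))


def make_cert(subject_cn, issuer_cn):
    """Build a placeholder certificate with the real field order and an empty signature."""
    tbs = _enc(0x30, _enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01") + SHA256_RSA
                 + _name(issuer_cn)
                 + _enc(0x30, _enc(0x17, b"240101000000Z") + _enc(0x17, b"340101000000Z"))
                 + _name(subject_cn) + _enc(0x30, b""))  # empty subjectPublicKeyInfo placeholder
    return _enc(0x30, tbs + SHA256_RSA + _enc(0x03, b"\x00"))


ROOT = make_cert("GTE CyberTrust Global Root", "GTE CyberTrust Global Root")
INTERMEDIATE = make_cert("Cybertrust Educational CA", "GTE CyberTrust Global Root")
DC_CERT = make_cert("dc01.example.test", "Cybertrust Educational CA")   # placeholder AD server

if __name__ == "__main__":
    for anchor in (INTERMEDIATE, ROOT):
        print(common_name(cert_names(anchor)[1]), audit_trust_anchor([DC_CERT, INTERMEDIATE, ROOT], anchor))
```

Run against the constructed chain, the audit with the intermediate as anchor reports `anchor_is_root: False`, which is the configuration the original poster described; with the root as anchor it reports `True`. To apply the same check to real certificates, feed `cert_names` and friends the DER bytes of the exported files (PEM can be converted with `ssl.PEM_cert_to_DER_cert` from the standard library); a missing `chain_complete` then means the server is not sending, or the store does not hold, every link up to the root.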
