07-24-2007 10:25 PM - edited 03-09-2019 06:27 PM
Hi
I've installed ACS 4.1 on Windows 2003 Server. I made a generic LDAP connection to MS Active Directory. I'm able to configure "Group Mappings for LDAP Users". So far so good.
But if I set the generic LDAP connection to LDAPS, nothing works.
I installed the "GTE CyberTrust Global Root" certificate and the intermediate certificate "Cybertrust Educational CA" in ACS. I marked both in "System Configuration". Under "Generic LDAP" I set the parameter "Trusted Root CA" to "Cybertrust Educational CA", checked "Use Secure Authentication" and set the port to 636.
I restarted ACS, but nothing works. If I set it back to the normal LDAP connection (389), everything works well.
Then I tested connecting from Windows with the ldp tool to Active Directory through port 636 (LDAPS), and everything works well.
After all this, it must be a certificate installation issue in ACS.
Does somebody know how to install these things correctly?
I read many manuals from Cisco, but nothing helped me...
Thanks for the help
bb
07-25-2007 03:34 AM
The following link can help you configure the LDAP database:
BTW, what is the error message you are getting?
Regards
Rohit
07-25-2007 03:42 AM
@ rochopra
I don't have a problem with the LDAP database; I have a problem configuring it for LDAP over SSL.
The LDAP connection works perfectly, but not with encryption over SSL.
So my problem is a certificate installation issue, not an LDAP problem...
Thanks for the help
bb
07-26-2007 02:26 AM
@ ALL
Do I need to install an "ACS Certificate" as well?
Greetings
bb
07-26-2007 03:03 AM
No.
You should only need to use the "Trusted Root CA" option.
ACS supports only server-side authentication for SSL.
07-26-2007 03:48 AM
@ mattiaseriksson
Okay thank you.
But it still does not work for me. If I use the normal LDAP connection through port 389, everything works well.
I installed the root and intermediate certificates and trusted both of them, but it still does not work.
I was sniffing during the authentication, and I can see that the certification path is correct.
I also tested the LDAPS connection with the ldp client from Windows, and it connects through port 636 (LDAPS), but not from within ACS.
Why is that?
Any suggestions?
bb
07-26-2007 04:07 AM
Any error messages on either side?
07-26-2007 05:29 AM
07-26-2007 05:35 AM
To me it looks like a TCP error. Is the connection allowed in the firewall? Have you tried the LDAPS connection with the ldp client from Windows on the same machine? Or just try with good old telnet to port 636.
07-26-2007 05:47 AM
@ mattiaseriksson
"Have you tried the LDAPS connection with the ldp client from Windows on the same machine?"
Yes, I tried to connect with the Windows ldp tool from the same machine to the AD server via port 636, and it works perfectly.
So I don't think it is a firewall issue...
Here is a Wireshark extract of the connection. See the attachment...
07-26-2007 08:05 AM
Install the root certificate that you are trying to use in the "ACS Certification Authority Setup" under "System Configuration -> ACS Certificate Setup". Then choose it under your Generic LDAP configuration. Then it should work.
07-26-2007 10:33 PM
@ msbenjamin
I did all these things, but it does not work.
I installed the evaluation version of ACS 4.1. They say it is fully functional, like the full version. Do you think that could be the problem?
Thanks for the help
bb
07-27-2007 05:33 AM
Possibly, I've never used it.
07-26-2007 11:25 PM
@msbenjamin
I have a root certificate and an intermediate certificate. I installed the intermediate certificate in the same way as the root certificate and trusted it like the root cert, but it does not work.
Does it have something to do with the intermediate cert?
Is there a bug?
Thanks for the help
bb
07-27-2007 05:34 AM
You need the root certificate installed on ACS. That is the certificate it will use to secure the connection to LDAP.
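The two replies above (install the root certificate under "ACS Certification Authority Setup" and select it as the "Trusted Root CA"; the intermediate alone is not enough) come down to how a chain of trust is built. The script below is an added example, not from this thread and not Cisco's code: it generates a throw-away root -> intermediate -> server chain with OpenSSL and then checks the server certificate three ways, mirroring the configurations discussed here. The CA names and the domain controller name dc01.example.test are invented for the example; the "Trusted Root CA" behaviour of ACS itself is not tested, only what a standard X.509 path validator (OpenSSL) does with the same inputs.

```shell
#!/bin/sh
# Added example, not from the thread or from Cisco: build a throw-away
# root -> intermediate -> server certificate chain with OpenSSL and show
# how chain verification behaves depending on which certificate is
# treated as the trust anchor. CA and server names are invented.
set -e

WORK=$(mktemp -d)
cd "$WORK"
SERVER_CN="dc01.example.test"   # hypothetical domain controller name

# Extensions for the CA tiers and for the server certificate (-extfile input).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$SERVER_CN" > server.ext

# 1. Self-signed root CA (the kind of certificate the "Trusted Root CA" field expects).
openssl req -new -batch -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
  -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 365 -sha256 \
  -extfile ca.ext -out root.pem 2>/dev/null

# 2. Intermediate CA, issued by the root.
openssl req -new -batch -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
  -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 365 -sha256 -extfile ca.ext -out int.pem 2>/dev/null

# 3. Server certificate for the domain controller, issued by the intermediate.
openssl req -new -batch -newkey rsa:2048 -nodes -subj "/CN=$SERVER_CN" \
  -keyout server.key -out server.csr 2>/dev/null
openssl x509 -req -in server.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 365 -sha256 -extfile server.ext -out server.pem 2>/dev/null

# chain_status ANCHOR [UNTRUSTED]
# Verifies server.pem with ANCHOR as the only trusted CA. UNTRUSTED, if given,
# plays the role of the intermediate the LDAP server sends in its TLS handshake.
# Prints "ok" or "fail".
chain_status() {
  anchor=$1
  untrusted=$2
  if [ -n "$untrusted" ]; then
    out=$(openssl verify -CAfile "$anchor" -untrusted "$untrusted" server.pem 2>&1 || true)
  else
    out=$(openssl verify -CAfile "$anchor" server.pem 2>&1 || true)
  fi
  case "$out" in
    *": OK"*) echo ok ;;
    *)        echo fail ;;
  esac
}

# Root trusted, intermediate supplied by the server: the working LDAPS case.
echo "root anchor + intermediate from handshake: $(chain_status root.pem int.pem)"
# Root trusted but intermediate absent from the handshake: no path to the root.
echo "root anchor, intermediate missing:         $(chain_status root.pem)"
# Intermediate used as the anchor (the original poster's configuration):
# OpenSSL rejects it because the chain does not end in a self-signed root.
echo "intermediate as anchor:                    $(chain_status int.pem)"
```

To see what a real domain controller sends on port 636, `openssl s_client -connect <dc>:636 -showcerts` prints the certificates offered in the handshake; if the intermediate is not among them, the client has to supply it from its own store, which is the third case above. Whether ACS accepts a non-self-signed certificate as a trust anchor is not stated in this thread, so the safe configuration is the one the replies recommend: the self-signed root as "Trusted Root CA", with the intermediate either installed alongside it or sent by the server.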