Hi,
I'm trying to enable LDAP over SSL (LDAPS) to secure communication between a
web server and a DC. Both servers are in the same subnet, but the web server is
not a member of the domain. The DC is the only computer in the domain. The
purpose of this DC is only to authenticate users accessing the web site on the
web server.

The DC has Certificate Services installed as an enterprise root. Using ldp.exe,
I can connect both on port 389 and 636 from the DC itself.

From the web server, using ldp.exe I can connect on port 389, but not on
636. The error is:
ld = ldap_open("ldapsvr01", 636);
Error <0x51>: Fail to connect to ldapsvr01.

I compared the config with my corporate domain, where LDAPS works perfectly.
I noticed that, in the Trusted Root Certification Authorities on the web
server, the Certificate Template type is CA. From my PC on the corporate
domain (which can connect on port 636 using ldp.exe), the type is Root
Certification Authority.

Can someone give me the nail I need to finish building this house?
Thanks.

Re: LDAPS by Sean

Sean
Wed Jun 18 18:04:57 PDT 2008

On Jun 18, 3:20 pm, Yannick <Yann...@discussions.microsoft.com> wrote:
> Hi,
> I'm trying to enable LDAP over SSL (LDAPS) to secure communication between a
> web server and a DC. Both servers are in the same subnet, but the web server is
> not a member of the domain. The DC is the only computer in the domain. The
> purpose of this DC is only to authenticate users accessing the web site on the
> web server.
>
> The DC has Certificate Services installed as an enterprise root. Using ldp.exe,
> I can connect both on port 389 and 636 from the DC itself.
>
> From the web server, using ldp.exe I can connect on port 389, but not on
> 636. The error is:
> ld = ldap_open("ldapsvr01", 636);
> Error <0x51>: Fail to connect to ldapsvr01.
>
> I compared the config with my corporate domain, where LDAPS works perfectly.
> I noticed that, in the Trusted Root Certification Authorities on the web
> server, the Certificate Template type is CA. From my PC on the corporate
> domain (which can connect on port 636 using ldp.exe), the type is Root
> Certification Authority.
>
> Can someone give me the nail I need to finish building this house?
> Thanks.

Check out this link for all the LDAPS troubleshooting steps you need
http://support.microsoft.com/kb/938703.

Re: LDAPS by Yannick

Yannick
Thu Jun 19 09:00:01 PDT 2008

Hi,

Thanks for the answer. I already did the troubleshooting steps provided by this
link. When I ran certutil -v -urlfetch -verify s.cer I got the following errors:

=====================================================
---------------- Certificate AIA ----------------
Failed "AIA" Time: 0
Error retrieving URL: The specified network resource or device is no
longer available. 0x80070037 (WIN32: 55)

ldap:///CN=ldapsvr01,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=sgucbrokers,DC=ad?cACertificate?base?objectClass=certificationAuthority

Verified "Certificate (0)" Time: 0
[1.0]
http://ldapsvr01.sgucbrokers.ad/CertEnroll/ldapsvr01.sgucbrokers.ad_ldapsvr01.crt

---------------- Certificate CDP ----------------
Failed "CDP" Time: 0
Error retrieving URL: The specified network resource or device is no
longer available. 0x80070037 (WIN32: 55)

ldap:///CN=ldapsvr01,CN=ldapsvr01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=sgucbrokers,DC=ad?certificateRevocationList?base?objectClass=cRLDistributionPoint

Verified "Base CRL (1)" Time: 0
[1.0] http://ldapsvr01.sgucbrokers.ad/CertEnroll/ldapsvr01.crl

Failed "CDP" Time: 0
Error retrieving URL: The specified network resource or device is no
longer available. 0x80070037 (WIN32: 55)
[1.0.0]
ldap:///CN=ldapsvr01,CN=ldapsvr01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=sgucbrokers,DC=ad?deltaRevocationList?base?objectClass=cRLDistributionPoint

Verified "Delta CRL (1)" Time: 0
[1.0.1] http://ldapsvr01.sgucbrokers.ad/CertEnroll/ldapsvr01+.crl

---------------- Base CRL CDP ----------------
Failed "CDP" Time: 0
Error retrieving URL: The specified network resource or device is no
longer available. 0x80070037 (WIN32: 55)

ldap:///CN=ldapsvr01,CN=ldapsvr01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=sgucbrokers,DC=ad?deltaRevocationList?base?objectClass=cRLDistributionPoint

OK "Delta CRL (1)" Time: 0
[1.0] http://ldapsvr01.sgucbrokers.ad/CertEnroll/ldapsvr01+.crl
=====================================================

From this point, I don't have any idea of how to fix it to get LDAPS
functional!

It is probably a very tiny thing I missed, but which one? Does somebody have an idea?

Regards,

__________________________________
"Sean" wrote:

> On Jun 18, 3:20 pm, Yannick <Yann...@discussions.microsoft.com> wrote:
> > Hi,
> > I'm trying to enable LDAP over SSL (LDAPS) to secure communication between a
> > web server and a DC. Both servers are in the same subnet, but the web server is
> > not a member of the domain. The DC is the only computer in the domain. The
> > purpose of this DC is only to authenticate users accessing the web site on the
> > web server.
> >
> > The DC has Certificate Services installed as an enterprise root. Using ldp.exe,
> > I can connect both on port 389 and 636 from the DC itself.
> >
> > From the web server, using ldp.exe I can connect on port 389, but not on
> > 636. The error is:
> > ld = ldap_open("ldapsvr01", 636);
> > Error <0x51>: Fail to connect to ldapsvr01.
> >
> > I compared the config with my corporate domain, where LDAPS works perfectly.
> > I noticed that, in the Trusted Root Certification Authorities on the web
> > server, the Certificate Template type is CA. From my PC on the corporate
> > domain (which can connect on port 636 using ldp.exe), the type is Root
> > Certification Authority.
> >
> > Can someone give me the nail I need to finish building this house?
> > Thanks.
>
> Check out this link for all the LDAPS troubleshooting steps you need
> http://support.microsoft.com/kb/938703.
>
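In the certutil -urlfetch output quoted in the post above, every fetch that fails is an ldap:/// location and every fetch that succeeds is an http:// location. A workgroup machine (the web server here is not domain-joined) has no domain to resolve a host-less ldap:/// reference against, so only the HTTP AIA and CDP locations are usable from it, and whether those alone satisfy the chain and revocation check is what decides whether the Schannel handshake on 636 completes. The script below is an added diagnostic example, not part of the thread or of certutil: it parses such output and groups the fetch results by URL scheme so that pattern is visible at a glance. The embedded excerpt is constructed from the quoted output, and the function names are this example's own.

```python
"""Summarise certutil -v -urlfetch -verify AIA/CDP fetch results by URL scheme.

Added diagnostic example. The parser and the function names are this example's
own; nothing here is part of certutil or of the original thread.
"""
import re
from collections import Counter

# Constructed excerpt modelled on the certutil output quoted in the thread
# (not a live capture; reduced to the Certificate AIA and Certificate CDP sections).
SAMPLE_OUTPUT = """\
---------------- Certificate AIA ----------------
Failed "AIA" Time: 0
Error retrieving URL: The specified network resource or device is no
longer available. 0x80070037 (WIN32: 55)

ldap:///CN=ldapsvr01,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=sgucbrokers,DC=ad?cACertificate?base?objectClass=certificationAuthority

Verified "Certificate (0)" Time: 0
[1.0]
http://ldapsvr01.sgucbrokers.ad/CertEnroll/ldapsvr01.sgucbrokers.ad_ldapsvr01.crt

---------------- Certificate CDP ----------------
Failed "CDP" Time: 0
Error retrieving URL: The specified network resource or device is no
longer available. 0x80070037 (WIN32: 55)

ldap:///CN=ldapsvr01,CN=ldapsvr01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=sgucbrokers,DC=ad?certificateRevocationList?base?objectClass=cRLDistributionPoint

Verified "Base CRL (1)" Time: 0
[1.0] http://ldapsvr01.sgucbrokers.ad/CertEnroll/ldapsvr01.crl
"""

# Section banners look like "---------------- Certificate AIA ----------------".
SECTION_RE = re.compile(r"^-+\s*(?P<name>.+?)\s*-+$")
# Result lines seen in the quoted output: Failed "AIA" / Verified "..." / OK "...".
STATUS_RE = re.compile(r'^(?P<status>Failed|Verified|OK)\s+"(?P<item>[^"]+)"')
# The URL certutil tried follows the status line, optionally after a "[1.0]" index.
URL_RE = re.compile(r"\b(?:ldap|https?|file)://\S+", re.IGNORECASE)


def parse_fetch_results(text):
    """Return a list of (section, status, url) tuples, one per URL certutil tried."""
    results = []
    section = status = None
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            section, status = m.group("name"), None
            continue
        m = STATUS_RE.match(line)
        if m:
            status = m.group("status")
            continue
        m = URL_RE.search(line)
        if m and status:
            results.append((section, status, m.group(0)))
    return results


def summarise_by_scheme(results):
    """Count failed vs. successful fetches per URL scheme, e.g. {'ldap': Counter(...)}."""
    counts = {}
    for _section, status, url in results:
        scheme = url.split(":", 1)[0].lower()
        bucket = counts.setdefault(scheme, Counter())
        bucket["failed" if status == "Failed" else "ok"] += 1
    return counts


def failed_ldap_urls(results):
    """URLs that failed and use the ldap scheme: the ones a workgroup host cannot resolve."""
    return [url for _section, status, url in results
            if status == "Failed" and url.lower().startswith("ldap:")]


if __name__ == "__main__":
    parsed = parse_fetch_results(SAMPLE_OUTPUT)
    for scheme, counts in summarise_by_scheme(parsed).items():
        print(f"{scheme:5s} failed={counts['failed']} ok={counts['ok']}")
    for url in failed_ldap_urls(parsed):
        print("unreachable from a non-domain host:", url)
```

Run it against the real output by replacing SAMPLE_OUTPUT with the text certutil wrote to a file; a summary in which the only failures are ldap:// entries and every http:// entry verifies says the chain material is published over HTTP and the remaining question is whether the client actually trusts the issuing CA and can reach that HTTP path.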