Configuring secure connection to LDAP for Active Directory authentication
By default, LDAP connections are not secure; by using SSL/TLS you can configure a secure LDAP connection for i2 Explore for iBase.
Configuring secure LDAP connection
If you chose Active Directory as the authentication mode during installation, you will have been prompted to specify whether to use SSL for the LDAP connection.
If you check the option to enable LDAP SSL Connection, or have set the LDAP_SSL_CONNECTION property to true within the variables.conf, you need to configure a secure connection within your LDAP server.
How you approach this depends on whether you provided certificates yourself or rely on the generated certificates.
See the Server certificate section in the document Installing i2 Explore for iBase and Configuring TLS connection to iBase for information about installing certificates.
To enable SSL/TLS for LDAP connections, you need to create and install an LDAPS certificate on your Active Directory server.
These steps must be followed on the Active Directory Controller (ADC) where you want to enable LDAPS, running the commands as an Administrator.
Creating the certificate request
First, you need an ldaps-dc.inf file to define the certificate request.
Below is an example .inf file that you can use as a template, replacing the placeholders with your own values:
<ADC_FQDN> with the fully qualified domain name (FQDN) of the Active Directory Controller
For example adc.exampledomain.com
[Version]
Signature="$Windows NT$"
[NewRequest]
Subject = "CN=<ADC_FQDN>"
KeySpec = 1
KeyLength = 1024
; Can be 1024, 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance.
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
Next, you create the certificate request using the certreq command-line tool:
certreq -new ldaps-dc.inf ldaps-dc.csr
This creates and registers a generated private key within the ADC and creates the certificate request file ldaps-dc.csr.
Signing the certificate request with a provided certificate authority (CA)
If you have provided your own CA, submit the request to your CA to obtain a signed certificate.
Submit the ldaps-dc.csr file to your CA according to your organization's procedures and retrieve the signed certificate file which we will call ldaps-dc.cer for the next steps.
Signing the certificate request with the generated external CA
Although this is possible, it is not recommended for production environments.
If you did not provide certificates, you can sign the certificate request with the generated external CA created during deployment.
This applies when you have already installed and deployed Explore for iBase without the LDAP SSL Connection option and subsequently decided to secure the LDAP connection.
Locate the generated external CA certificate and private key files:
<installation_location>/explore-for-ibase/analyze-deployment-tooling/environment-secrets/generated-secrets/certificates/externalCA/CA.cer
<installation_location>/explore-for-ibase/analyze-deployment-tooling/environment-secrets/generated-secrets/certificates/externalCA/CA.key
Use these to sign the ldaps-dc.csr file to create the signed certificate ldaps-dc.cer:
You will need access to the openssl tool to run this command. This can be found in the Windows Subsystem for Linux (WSL) or by installing a Windows build of openssl.
Create an extensions file ldaps-dc-extensions.conf with the following content, replacing the placeholders with your own values:
<ADC_FQDN> with the fully qualified domain name (FQDN) of the Active Directory Controller
For example adc.exampledomain.com
<DOMAIN_NAME> with your domain name
For example exampledomain.com
[v3_req]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = <ADC_FQDN>
DNS.2 = <DOMAIN_NAME>
Run the following command to sign the certificate request:
openssl x509 -req -in ldaps-dc.csr -CA CA.cer -CAkey CA.key -CAcreateserial -out ldaps-dc.cer -days 365 -extensions v3_req -extfile ldaps-dc-extensions.conf
You can adjust the -days parameter to suit your requirements.
Installing the signed certificate
Finally, install the signed certificate on the Active Directory Controller by following these steps:
Open Manage Computer Certificates settings by running the certlm.msc command.
Expand Personal > Certificates.
Right-click Certificates, select All Tasks > Import...
In the Certificate Import Wizard, click Next.
Browse to the location of the signed certificate file ldaps-dc.cer, select it, and click Next.
Ensure that the certificate store is set to Personal, and click Next.
Click Finish to complete the import.
A message displays indicating that the import was successful.
Restart the Active Directory Controller (ADC).
This step is required to enable LDAPS on the Active Directory Controller.
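After the restart, a practitioner will want to confirm that the ADC is actually serving LDAPS on port 636 with the certificate just installed. The following PowerShell script is an added example, not part of the i2 documentation; it assumes the placeholder FQDN and CA.cer path shown at the top, and checks the same properties the ldaps-dc.inf and ldaps-dc-extensions.conf files set (subject alternative name, Server Authentication EKU) plus the chain back to CA.cer and the key size.

```powershell
# Added verification script (not from the i2 documentation). Assumes the
# placeholder values below; replace them with your <ADC_FQDN> and CA.cer path.
$AdcFqdn   = "adc.exampledomain.com"   # placeholder for <ADC_FQDN>
$CaCerPath = "C:\path\to\CA.cer"       # placeholder: the CA that signed ldaps-dc.cer
$Port      = 636

# 1. Open a TCP connection to the LDAPS port; this fails if the ADC has not
#    been restarted or LDAPS is not listening.
$tcp = New-Object System.Net.Sockets.TcpClient($AdcFqdn, $Port)

# 2. Complete a TLS handshake and capture the certificate the ADC presents.
#    The callback accepts any certificate so the chain can be inspected below
#    instead of aborting on the first validation error.
$cb  = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
$ssl.AuthenticateAsClient($AdcFqdn)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Close()

# 3. Subject Alternative Name (OID 2.5.29.17) must contain the FQDN clients use.
$san   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanOk = [bool]($san -and ($san.Format($false) -match [regex]::Escape($AdcFqdn)))

# 4. Extended Key Usage must include Server Authentication (1.3.6.1.5.5.7.3.1),
#    matching the [EnhancedKeyUsageExtension] section of ldaps-dc.inf.
$eku   = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$ekuOk = [bool]($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' }))

# 5. The chain must terminate at the CA that signed ldaps-dc.csr.
$ca    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CaCerPath)
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.ExtraStore.Add($ca) | Out-Null
$chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
$chain.Build($cert) | Out-Null
$root    = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$chainOk = ($root.Thumbprint -eq $ca.Thumbprint)

# 6. Key size: the .inf template allows 1024, but current guidance is 2048 or larger.
$keyBits = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert).KeySize

[pscustomobject]@{
    Subject         = $cert.Subject
    NotAfter        = $cert.NotAfter
    SanContainsFqdn = $sanOk
    ServerAuthEku   = $ekuOk
    ChainsToCa      = $chainOk
    KeyBits         = $keyBits
    KeyBitsOk       = ($keyBits -ge 2048)
}
```

Run it from any domain-joined machine that can reach the ADC; every boolean in the output should be True before pointing i2 Explore for iBase at the LDAPS endpoint.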
