Configuring LDAPS
When using LDAP authentication, a URL starting with ldaps:// can be specified to cause DiveLine to negotiate a secure TLS connection before sending passwords to the LDAP server.
When configuring LDAPS on Windows, note the following:
- The SSL/TLS certificate presented by the LDAP server must be trusted by Windows. If it is not, the logon fails, and the DiveLine Events log reports either that the LDAP server is down or that the certificate was rejected; the log entry alone does not tell the two apart. In some Active Directory or Windows Domain environments, the necessary CA certificates are distributed and trusted automatically.
- To troubleshoot LDAPS connections, you can tell DiveLine not to verify the server certificate at all, accepting any certificate it is shown. To do this, manually add the following line to the main block of the atlcfg.cfg file:
  ldaps_debug_skip_cert_verification="true"
  Then start a new ProDiver session.
  CAUTION: With this line in place the connection is still encrypted but the server is no longer authenticated, so anyone on the network path can impersonate the LDAP server and capture passwords (a man-in-the-middle attack). Remove the line as soon as troubleshooting is complete.
- If LDAPS works only with this switch enabled, the problem is with the certificate. It is usually one of the following:
  - The certificate is expired (or not yet valid, for example because of clock skew).
  - The certificate's subject name (common name or subject alternative name) does not match the host name used for the LDAP server. The comparison is literal: "machine" and "machine.domain.com" do not match, and an IP address in the URL matches only a certificate issued for that IP address.
  - The Certificate Authority (CA) that issued the certificate is not trusted. This is the case for self-signed certificates and for certificates signed by a corporate CA whose certificate has not been imported into the Windows trust store.
- To install a new Certificate Authority (CA) certificate in Windows, use the Certificates snap-in of the Microsoft Management Console (mmc.exe). Import the CA certificate into the Trusted Root Certification Authorities store of the computer account, not only that of the logged-on user: a service process does not see certificates trusted only in a user's personal store. See http://msdn.microsoft.com/en-us/library/ms788967.aspx for instructions on starting that interface and importing the third-party root certificate.
When configuring LDAPS for Linux, note the following:
- To require STARTTLS on the standard LDAP port instead of using LDAPS, set ldap_tls="always" in atlcfg.cfg. Connections to an ordinary ldap:// URI are then upgraded to TLS before any credentials are sent, and fail if the server cannot negotiate TLS.
- Other values of ldap_tls:
  - ldap_tls="none": Do not attempt STARTTLS. This is the same as omitting the option.
  - ldap_tls="optional": Attempt STARTTLS, but continue in cleartext if it cannot be negotiated, so the password may be sent unencrypted. Never use this except for debugging.
- The TLS certificate presented by the LDAP server must be trusted. The OpenLDAP client configuration file, /etc/ldap/ldap.conf on Debian-based systems (/etc/openldap/ldap.conf on Red Hat-based systems), names the file containing the trusted Certificate Authorities in its TLS_CACERT attribute. Add the CA certificate (the issuing CA's certificate, or the server certificate itself if it is self-signed) to that file; the same setting covers both STARTTLS and LDAPS.
- During debugging you can temporarily set "TLS_REQCERT never" in the same file to confirm whether the certificate is in fact the problem.
  CAUTION: Do not leave this set. It disables certificate checking and with it the protection against man-in-the-middle attacks.
- You can also verify the TLS certificate settings from the command line with the ldapsearch tool, which reads TLS_CACERT and TLS_REQCERT from the same ldap.conf. For example:
  - TLS on the LDAPS port:
    ldapsearch -x -H ldaps://ldap1.dimins.com -b "ou=people,dc=dimins,dc=com" uid=joe
  - STARTTLS on the normal LDAP port (-ZZ makes the search fail rather than continue in cleartext if STARTTLS is refused):
    ldapsearch -ZZ -x -H ldap://ldap1.dimins.com -b "ou=people,dc=dimins,dc=com" uid=joe
- You see a connection error message if the certificate is rejected or if the network connection cannot be made. Adding -d 1 to either command prints the TLS negotiation details, which usually include the specific reason a certificate was rejected.
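The following probe, added here as an example and not part of DiveLine or of the original page, does from a script what the two troubleshooting procedures above (ldaps_debug_skip_cert_verification on Windows, "TLS_REQCERT never" on Linux) do by hand. It completes a TLS handshake against the LDAPS server with full verification, the step DiveLine performs before sending a password, and if the certificate is rejected it repeats the handshake with verification disabled, so a server that is down can be told apart from a certificate that was rejected, and the OpenSSL verification error is mapped onto the expired / name-mismatch / untrusted-CA causes listed above. It uses only the Python standard library; ldap1.dimins.com is the page's example host, and the function names and status labels are this example's own.

```python
import socket
import ssl
import sys
from urllib.parse import urlparse

# OpenSSL X509 verification result codes (ssl.SSLCertVerificationError.verify_code),
# mapped onto the certificate problems described in this section.
# The status labels are this example's own, not DiveLine's.
_VERIFY_CODE_CAUSES = {
    9: "cert-not-yet-valid",  # X509_V_ERR_CERT_NOT_YET_VALID (often clock skew)
    10: "cert-expired",       # X509_V_ERR_CERT_HAS_EXPIRED
    62: "name-mismatch",      # X509_V_ERR_HOSTNAME_MISMATCH
    18: "untrusted-ca",       # X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
    19: "untrusted-ca",       # X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
    20: "untrusted-ca",       # X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
    21: "untrusted-ca",       # X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
}


def parse_ldap_url(url):
    """Split an ldap:// or ldaps:// URL into (scheme, host, port).
    Defaults to port 389 for ldap and 636 for ldaps, as LDAP clients do."""
    parts = urlparse(url)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError("expected an ldap:// or ldaps:// URL, got %r" % (url,))
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    return parts.scheme, parts.hostname, port


def classify_verify_code(code):
    """Name the certificate problem behind an OpenSSL verification result code."""
    return _VERIFY_CODE_CAUSES.get(code, "cert-other")


def classify_tls_failure(exc):
    """Map the exception from a failed connect/handshake onto a cause.
    ssl.SSLError is tested before OSError because it is a subclass of it."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return classify_verify_code(getattr(exc, "verify_code", None))
    if isinstance(exc, ssl.SSLError):
        return "tls-handshake-failed"  # e.g. the port does not speak TLS at all
    if isinstance(exc, OSError):
        return "server-down"           # refused, unreachable, timed out, DNS failure
    return "unknown"


def probe_ldaps(url, cafile=None, verify=True, timeout=5.0):
    """Connect to the LDAPS server in `url` and complete a TLS handshake.

    cafile : PEM bundle of trusted CAs; None means the system trust store, which on
             Windows is the CA and ROOT stores that the MMC import step populates.
    verify : False is the scripted equivalent of ldaps_debug_skip_cert_verification
             or "TLS_REQCERT never": it proves the server is up and speaks TLS without
             authenticating it. Use it only to narrow a failure down.
    Returns a dict with a "status" key and, on a verified success, the certificate's
    subject and expiry."""
    scheme, host, port = parse_ldap_url(url)
    if scheme != "ldaps":
        raise ValueError("probe_ldaps handles ldaps:// URLs only")
    ctx = ssl.create_default_context(cafile=cafile)
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            # server_hostname is what the certificate name is compared against, so
            # "machine" and "machine.domain.com" behave differently here too.
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()  # {} when verification was disabled
                return {"status": "ok", "host": host, "port": port,
                        "subject": cert.get("subject"), "notAfter": cert.get("notAfter")}
    except Exception as exc:
        return {"status": classify_tls_failure(exc), "host": host, "port": port,
                "detail": str(exc)}


def diagnose(url, cafile=None):
    """Run the verified probe first; only if the certificate was rejected, run the
    unverified probe so the two Events-log explanations can be told apart."""
    results = {"verified": probe_ldaps(url, cafile=cafile)}
    if results["verified"]["status"] not in ("ok", "server-down"):
        results["unverified"] = probe_ldaps(url, verify=False)
    return results


if __name__ == "__main__":
    # ldap1.dimins.com is the page's example host; pass your own URL and CA bundle.
    target = sys.argv[1] if len(sys.argv) > 1 else "ldaps://ldap1.dimins.com"
    bundle = sys.argv[2] if len(sys.argv) > 2 else None
    for stage, result in diagnose(target, bundle).items():
        print(stage, result)
```

Run it as `python ldaps_probe.py ldaps://your-server /path/to/ca-bundle.pem`. A result of "ok" under "verified" means the certificate would be accepted; "server-down" means no TLS question arises yet; anything else under "verified" together with "ok" under "unverified" is the scripted form of "LDAPS only works with verification disabled", and the status names which of the three certificate problems above to fix.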