Step-by-step guide for setting up LDAPS (LDAP over SSL)

The guide is split into 3 sections :

  1. Create a Windows Server VM in Azure
  2. Setup LDAP using AD LDS (Active Directory Lightweight Directory Services)
  3. Setup LDAPS (LDAP over SSL)

NOTE : The following steps are similar for Windows Server 2008, 2012, 2012 R2 , 2016. In this article, we will use Windows Server 2012 R2.

Create a Windows Server VM in Azure

Create a VM named “ldapstest” Windows Server 2012 R2 Datacenter Standard DS12 using the instructions here: Create a Windows virtual machine with the Azure portal
Connect to the VM ldapstest using Remote Desktop Connection.

Setup LDAP using AD LDS

Now let us add AD LDS in our VM ldapstest
Click on Start –> Server Manager –> Add Roles and Features. Click Next.

v1

Choose Role-based or feature-based installation. Click Next.

v2

Select ldapstest server from the server pool. Click Next.

v3

Mark Active Directory Lightweight Directory Services from the list of roles and click Next.

v4

From the list of features, choose nothing – just click Next.

v5

Click Next.

v6

Click Install to start installation.

v7

Once installation is complete, click Close.

v8

Now we have successfully set up AD LDS Role. Let us create a new AD LDS Instance “CONTOSO” using the wizard. Click the “Run the Active Directory Lightweight Directory Services Setup Wizard” in the above screen. And then Click Close.

v9

Choose Unique Instance since we are setting it up for the first time.

v10

Type “CONTOSO” in Instance Name and click Next.

v12

By Default, LDAP Port is 389 and LDAPS port is 636, let us choose the default values – click Next.

v13

Create a new Application Directory Partition named “CN=MRS,DC=CONTOSO,DC=COM”. Click Next.

v14

Using the default values for storage location of ADLDS files- Click Next.

v15

Choosing Network Service Account for running the AD LDS Service.

v16

You will receive a prompt warning about data replication. Since we are using a single LDAP Server, we can click Yes.

v17

Choosing the currently logged on user as an administrator for the AD LDS Instance. Click Next.

v18

Mark all the required LDIF files to import (Here we are marking all files). Click Next.

v19

Verify that all the selections are right and then Click Next to confirm Installation.

v20

Once the instance is setup successfully, click Finish.

v21

Now let us try to connect to the AD LDS Instance CONTOSO using ADSI Edit.
Click on Start –> Search “ADSI Edit” and open it.
Right Click on ADSI Edit Folder (on the left pane) and choose Connect To.. . Fill the following values and Click OK.

v23

If the connection is successful, we will be able to browse the Directory CN=MRS,DC=CONTOSO,DC=COM :

v24

Setup LDAPS (LDAP over SSL)

The Certificate to be used for LDAPS must satisfy the following 3 requirements:
• Certificate must be valid for the purpose of Server Authentication. This means that it must also contains the Server Authentication object identifier (OID): 1.3.6.1.5.5.7.3.1
• The Subject name or the first name in the Subject Alternative Name (SAN) must match the Fully Qualified Domain Name (FQDN) of the host machine, such as Subject:CN=contosoldaps. For more information, see How to add a Subject Alternative Name to a secure LDAP certificate .
• The host machine account must have access to the private key.

Now, let’s use Active Directory Certificate Services to create a certificate to be used for LDAPS. If you already have a certificate satisfying the above requirements, you can skip this step.

Click on Start –> Server Manager –> Add Roles and Features. Click Next.

v25

Choose Role-based or feature-based installation. Click Next.

v26

Select ldapstest server from the server pool. Click Next.

v27

Choose Active Directory Certificate Services from the list of roles and click Next.

v28

Choose nothing from the list of features and click Next.

v29

Click Next.

v30

Mark “Certificate Authority” from the list of roles and click Next.

v31

Click Install to confirm installation.

v32

Once installation is complete, Click Close.

v33

Now let’s create a certificate using AD CS Configuration Wizard. To open the wizard, click on “Configure Active Directory Certificate Services on the destination server” in the above screen. And then click Close. We can use the currently logged on user azureuser to configure role services since it belongs to the local Administrators group. Click Next.

v34

Choose Certification Authority from the list of roles. Click Next.

v35

Since this is a local box setup without a domain, we are going to choose a Standalone CA. Click Next.

v36

Choosing Root CA as the type of CA, click Next.

v37

Since we do not possess a private key – let’s create a new one. Click Next.

v38

Choosing SHA1 as the Hash algorithm. Click Next.

UPDATE : Recommended to select the most recent hashing algorithm since SHA-1 deprecation countdown

v39

The name of the CA must match the Hostname (requirement number 2). Enter “LDAPSTEST” and Click Next.

v40

Specifying validity period of the certificate. Choosing Default 5 years. Click Next.

v41

Choosing default database locations, click Next.

v42

Click Configure to confirm.

v43

Once the configuration is successful/complete. Click Close.

v44

Now let us view the generated certificate.

Click on Start à Search “Manage Computer Certificates” and open it.

Click on Personal Certificates and verify that the certificate “LDAPSTEST” is present:

v45

Now to fulfill the third requirement, let us ensure host machine account has access to the private key. Using the Certutil utility, find the Unique Container Name. Open Command Prompt in Administrator mode and run the following command: certutil -verifystore MY

v46

The private key will be present in the following location C:\ProgramData\Microsoft\Crypto\Keys\<UniqueContainerName>

Right Click C:\ProgramData\Microsoft\Crypto\Keys\874cb49a696726e9f435c1888b69f317_d3e61130-4cd8-4288-a344-7784647ff8c4 and click properties –> Security and add read permissions for NETWORK SERVICE.

v47

We need to import this certificate into JRE key store since our certificate “CN=LDAPSTEST” is not signed by any by any trusted Certification Authority(CA) which is configured in you JRE keystore e.g Verisign, Thwate, goDaddy or entrust etc. In order to import this certificate using the keytool utility, let us first export this cert as a .CER from the machine certificate store:

Click Start –> Search “Manage Computer Certificates” and open it. Open personal, right click LDAPSTEST cert and click “Export”.

v48

This opens the Certificate Export Wizard. Click Next.

v49

Do not export the private key. Click Next.

v50

Choose Base-64 encoded X .509 file format. Click Next.

v51

Exporting the .CER to Desktop. Click Next.

v52

Click Finish to complete the certificate export.

v53

Certificate is now successfully exported to “C:\Users\azureuser\Desktop\ldapstest.cer”.

Now we shall import it to JRE Keystore using the keytool command present in this location:

C:\Program Files\Java\jre1.8.0_92\bin\keytool.exe.

Open Command Prompt in administrator mode. Navigate to “C:\Program Files\Java\jre1.8.0_92\bin\” and run the following command:

keytool -importcert -alias "ldapstest" -keystore "C:\Program Files\Java\jre1.8.0_92\lib\security\cacerts" -storepass changeit -file "C:\Users\azureuser\Desktop\ldapstest.cer"
v54

Type “yes” in the Trust this certificate prompt.

Once certificate is successfully added to the JRE keystore, we can connect to the LDAP server over SSL.

Now let us try to connect to LDAP Server (with and without SSL) using the ldp.exe tool.

Connection strings for

LDAP:\\ldapstest:389

LDAPS:\\ldapstest:636

Click on Start –> Search ldp.exe –> Connection and fill in the following parameters and click OK to connect:

v55

If Connection is successful, you will see the following message in the ldp.exe tool:

v56

To Connect to LDAPS (LDAP over SSL), use port 636 and mark SSL. Click OK to connect.

v57

If connection is successful, you will see the following message in the ldp.exe tool:

v58