Secure LDAP Authentication with Active Directory

Question

We are working on a web project where we need to be able to bind to an active directory domain and then pass the user's credentials to the domain to make sure the user has successfully authenticated before we allow them access to one of our web applications. We have HTTPS working fine for the front end to accept the credentials. The problem we are running into is for the connection between our server and the active directory server. The active directory server is maintained by a different section of our IT department and we do not have access to it. This active directory server is using a self-signed certificate and does not have a fully qualified domain name (i.e. people.local).

I have read many places that talk about setting the TLS_REQCERT variable to never; however, I am worried about man-in-the-middle attacks and do not feel comfortable leaving the setting set this way. I have also read some articles that talk about being able to query the active directory server from a Linux command line, view the self-signed certificate, save the self-signed certificate to the local Linux server, and then use this certificate for the trust so that you do not have to set TLS_REQCERT to never. I am not sure how I can go about viewing and saving the self-signed certificate from the Linux command line. I have some CentOS servers that we are running that we need to make this operational on.

Any help that you can provide would be greatly appreciated. Thanks in advance.

Answer 1

I have read many places that talk about setting the TLS_REQCERT variable to never; however, I am worried about man-in-the-middle attacks and do not feel comfortable leaving the setting set this way.

You are to be commended both for thinking about security and for understanding the implications of setting TLS_REQCERT.

I have also read some articles that talk about being able to query the active directory server from a Linux command line, view the self-signed certificate, save the self-signed certificate to the local Linux server...

You can use the openssl tool to do this. Assuming that you can access Active Directory via LDAP-over-SSL on port 636, you could do this:

openssl s_client -connect server.example.com:636 > output < /dev/null

And when the command completes, you'll find that output contains, among other things, the PEM encoded certificate:

00000003)
---
Certificate chain
 0 s:/CN=dc1.example.com
   i:/DC=com/DC=example/DC=dc1/CN=example-DC1-CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGjDCCBXSgAwIBAgIKOxasfwAAAAAADDANBgkqhkiG9w0BAQUFADBaMRMwEQYK
...
-----END CERTIFICATE-----
...

You can remove everything before the BEGIN CERTIFICATE line and everything after the END CERTIFICATE LINE and you should have what you're looking for.

It's also possible that the AD server is not using a self-signed certificate but is instead using a certificate issued by the AD certificate authority. If this is the case, it might be easier just to ask the AD folks for the CA certificate.

Answer 2

I recommend to have a dedicated certificate authority server in your organization. You will use this server to issue certificates for all servers in your company. To see the information from a certificate, a key or a certificate request, you can use openssl. See: http://www.openssl.org/support/faq.html and http://www.madboa.com/geek/openssl/

The certificate issued for your LDAP server or, preferably, the root certificate should be imported in the SSL keystore of your application.