My goal is to enable AD auth on ovirt4. It requires ldaps on my AD. I've found a lot of instructions how to enable ldap over ssl using self-signed cert (e.g. https://support.microsoft.com/en-us/help/321051/how-to-enable-ldap-over-ssl-with-a-third-party-certification-authority), but they all describe a single domain controller case. How shall I handle situation with two domain controllers? Shall I create certs on each machine or maybe it is reasonable to create a wildcard cert?

tokitux
  • Someone answered your question and you wrote back "Thanks a lot! It works!". Why didn't you click on the gray check mark to accept the answer? You're supposed to acknowledge the answerer in this way when the answer works for you, or otherwise people might become unhappy with you. Just my two cents.... – John R Smith May 11 '17 at 16:29

1 Answer

Yes, you need to create SSL certificates on both machines. Both domain controllers require SSL certificates because, if you connect to the domain name rather than to a specific domain controller host name, you could be round-robined to either domain controller, so you will need certificates on both of them. Avoid using wildcard certificates unless you are in a lab scenario; in the PKI world those are considered a major security risk. Furthermore, wildcard certificates are a no-go for domain controllers too, because the Active Directory fully qualified domain name of the domain controller (for example, DC01.DOMAIN.COM) must appear in the SSL certificate in one of the following places:

  1. The Common Name (CN) in the Subject field.
  2. DNS entry in the Subject Alternative Name extension.

Please see MS KB 321051 for further details.

T-Heron
  • As we've answered your question please mark it as such which will verify it to others in the community; otherwise please let us know if any. – T-Heron May 10 '17 at 01:39
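As an added example (not part of the answer above, and not oVirt or Microsoft code), the following Python script applies the answer's rule to each domain controller: it connects to port 636 on every DC, validates the chain against a CA bundle, and then checks that the DC's own FQDN appears exactly as the subject CN or as a DNS entry in the SAN. The host names `DC01.domain.com` and `DC02.domain.com` and the CA file path are placeholders; the certificate dictionaries in the comments are constructed samples in the format `ssl.SSLSocket.getpeercert()` returns, so the name-matching logic can be exercised without a network.

```python
"""Verify that every domain controller's LDAPS certificate names that DC's FQDN.

Hypothetical helper written for this thread; host names and the CA path are placeholders.
"""
import socket
import ssl
from typing import Callable, Dict, List, Optional, Tuple

LDAPS_PORT = 636


def names_in_cert(cert: dict) -> Tuple[List[str], List[str]]:
    """Extract (subject commonName values, SAN DNS names) from a getpeercert() dict.

    getpeercert() returns the subject as a tuple of RDNs, each RDN a tuple of
    (key, value) pairs, and subjectAltName as a tuple of (kind, value) pairs.
    """
    cns = [value
           for rdn in cert.get("subject", ())
           for key, value in rdn
           if key == "commonName"]
    sans = [value
            for kind, value in cert.get("subjectAltName", ())
            if kind == "DNS"]
    return cns, sans


def cert_covers_dc(cert: dict, dc_fqdn: str) -> bool:
    """True only when the DC's exact FQDN is the subject CN or a SAN DNS entry.

    This is deliberately an exact, case-insensitive match: a wildcard such as
    *.domain.com does not satisfy the requirement described in the answer.
    """
    cns, sans = names_in_cert(cert)
    wanted = dc_fqdn.lower().rstrip(".")
    return any(name.lower().rstrip(".") == wanted for name in cns + sans)


def fetch_ldaps_cert(dc_fqdn: str, cafile: Optional[str] = None,
                     port: int = LDAPS_PORT, timeout: float = 5.0) -> dict:
    """Open a TLS connection to the DC's LDAPS port and return its leaf certificate.

    The chain is validated against `cafile` (or the system store when None), but the
    host name check is switched off here so the name can be inspected by hand below.
    With verification on, getpeercert() returns the parsed certificate dictionary.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((dc_fqdn, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=dc_fqdn) as tls:
            return tls.getpeercert()


def check_domain_controllers(dc_fqdns: List[str],
                             fetch: Callable[[str], dict] = fetch_ldaps_cert) -> Dict[str, bool]:
    """Return {dc_fqdn: certificate_names_that_dc} for every DC in the list.

    `fetch` is injectable so the logic can be driven by constructed sample
    certificates (as in the test) instead of live connections.
    """
    results = {}
    for fqdn in dc_fqdns:
        try:
            results[fqdn] = cert_covers_dc(fetch(fqdn), fqdn)
        except (OSError, ssl.SSLError):
            # Connection refused, timeout or chain failure: LDAPS is not usable on this DC.
            results[fqdn] = False
    return results


if __name__ == "__main__":
    # Placeholder DC names and CA bundle path; replace with your own values.
    DCS = ["DC01.domain.com", "DC02.domain.com"]
    CA_BUNDLE = "/path/to/your-ca.pem"
    for dc, ok in check_domain_controllers(
            DCS, lambda h: fetch_ldaps_cert(h, cafile=CA_BUNDLE)).items():
        print(f"{dc}: {'OK' if ok else 'certificate does not name this DC'}")
```

Run it from the oVirt host that will be doing the LDAP binds, with the same CA bundle that host trusts, so a failure reported here is the same failure the engine would see; every DC behind the round-robined domain name needs to come back `OK`.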