• How to enable LDAP over SSL with a thirdparty certification authority


    http://support.microsoft.com/default.aspx?scid=kb;en-us;321051

     

    There is no user interface for configuring LDAPS. Installing a valid certificate on a domain controller permits the LDAP service to listen for, and automatically accept, SSL connections for both LDAP and global catalog traffic.

    Back to the top

    Requirements for an LDAPS certificate

    To enable LDAPS, you must install a certificate that meets the following requirements:

    • The LDAPS certificate is located in the Local Computer's Personal certificate store (programmatically known as the computer's MY certificate store).
    • A private key that matches the certificate is present in the Local Computer's store and is correctly associated with the certificate. The private key must not have strong private key protection enabled.
    • The Enhanced Key Usage extension includes the Server Authentication (1.3.6.1.5.5.7.3.1) object identifier (also known as OID).
    • The Active Directory fully qualified domain name of the domain controller (for example, DC01.DOMAIN.COM) must appear in one of the following places:
      • The Common Name (CN) in the Subject field.
      • DNS entry in the Subject Alternative Name extension.
    • The certificate was issued by a CA that the domain controller and the LDAPS clients trust. Trust is established by configuring the clients and the server to trust the root CA to which the issuing CA chains.
    • You must use the Schannel cryptographic service provider (CSP) to generate the key.

    For more information about establishing trust for certificates, see the "Policies to establish trust of root certification authorities" topic in Windows 2000 Server Help.

    Back to the top

    Creating the certificate request

    Any utility or application that creates a valid PKCS #10 request can be used to form the SSL certificate request. Use Certreq to form the request.

    Note The commands that are used in this article rely on the 2003 version of Certreq. In order to use the steps in this article on a Windows 2000 server, copy certreq.exe and certcli.dll from a Windows 2003 server into a temporary directory on the Windows 2000 server.

    Certreq.exe requires a text instruction file to generate an appropriate X.509 certificate request for a domain controller. You can create this file by using your preferred ASCII text editor. Save the file as an .inf file to any folder on your hard drive.

    To request a Server Authentication certificate that is suitable for LDAPS, follow these steps:

    1.     Create the .inf file. Following is an example .inf file that can be used to create the certificate request.

    ;----------------- request.inf -----------------

    [Version]

    Signature="$Windows NT$

    [NewRequest]

    Subject = "CN=<DC FQDN >" ; replace with the FQDN of the DC
    KeySpec = 1
    KeyLength = 1024
    ; Can be 1024, 2048, 4096, 8192, or 16384.
    ; Larger key sizes are more secure, but have
    ; a greater impact on performance.
    Exportable = TRUE
    MachineKeySet = TRUE
    SMIME = False
    PrivateKeyArchive = FALSE
    UserProtected = FALSE
    UseExistingKeySet = FALSE
    ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
    ProviderType = 12
    RequestType = PKCS10
    KeyUsage = 0xa0

    [EnhancedKeyUsageExtension]

    OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication

    ;-----------------------------------------------

    Cut and paste the sample file into a new text file named Request.inf. Provide the fully qualified DNS name of the domain controller in the request.

    Note Some third-party certification authorities may require additional information in the Subject parameter. Such information includes an e-mail address (E), organizational unit (OU), organization (O), locality or city (L), state or province (S), and country or region (C). You can append this information to the Subject name (CN) in the Request.inf file. For example: Subject="E=admin@contoso.com, CN=<DC fqdn>, OU=Servers, O=Contoso, L=Redmond, S=Washington, C=US."

    2.     Create the request file. To do this, type the following command at the command prompt, and then press ENTER:

    certreq -new request.inf request.req

    A new file called Request.req is created. This is the base64-encoded request file.

    3.     Submit the request to a CA. You can submit the request to a Microsoft CA or to a third-party CA.

    4.     Retrieve the certificate that is issued, and then save the certificate as Certnew.cer in the same folder as the request file. To do this, follow these steps:

    a.     Create a new file called Certnew.cer.

    b.     Open the file in Notepad, paste the encoded certificate into the file, and then save the file.

    Note The saved certificate must be encoded as base64. Some third-party CAs return the issued certificate to the requestor as base64-encoded text in an e-mail message.

    5.     Accept the issued certificate. To do this, type the following command at the command prompt, and then press ENTER:

    certreq -accept certnew.cer

    6.     Verify that the certificate is installed in the computer's Personal store. To do this, follow these steps:

     .      Start Microsoft Management Console (MMC).

    a.     Add the Certificates snap-in that manages certificates on the local computer.

    b.     Expand Certificates (Local Computer), expand Personal, and then expand Certificates.

    A new certificate should exist in the Personal store. In the Certificate Properties dialog box, the intended purpose displayed is Server Authentication. This certificate is issued to the computer's fully qualified host name.

    7.     Restart the domain controller.

    For more information about creating the certificate request, see the following Advanced Certificate Enrollment and Management white paper. To view this white paper, visit the following Microsoft Web site:

    http://technet.microsoft.com/en-us/library/cc782583.aspx (http://technet.microsoft.com/en-us/library/cc782583.aspx)

    Back to the top

    Verifying an LDAPS connection

    After a certificate is installed, follow these steps to verify that LDAPS is enabled:

    1.     Start the Active Directory Administration Tool (Ldp.exe).

    Note This program is installed in the Windows 2000 Support Tools.

    2.     On the Connection menu, click Connect.

    3.     Type the name of the domain controller to which you want to connect.

    4.     Type 636 as the port number.

    5.     Click OK.

    RootDSE information should print in the right pane, indicating a successful connection.

    Back to the top

    Possible issues

    • Start TLS extended request
      LDAPS communication occurs over port TCP 636. LDAPS communication to a global catalog server occurs over TCP 3269. When connecting to ports 636 or 3269, SSL/TLS is negotiated before any LDAP traffic is exchanged. Windows 2000 does not support the Start TLS extended-request functionality.
    • Multiple SSL certificates
      Schannel, the Microsoft SSL provider, selects the first valid certificate that it finds in the local computer store. If there are multiple valid certificates available in the local computer store, Schannel may not select the correct certificate.
    • Pre-SP3 SSL certificate caching issue
      If an existing LDAPS certificate is replaced with another certificate, either through a renewal process or because the issuing CA has changed, the server must be restarted for Schannel to use the new certificate. The SSL provider in Windows 2000 caches the LDAPS certificate and does not detect the change until the domain controller is restarted. This has been corrected in Service Pack 3 for Windows 2000.

    Back to the top

    Windows Server 2008 improvements

    The original recommendation in this article was to put certificates in the Local Machine's Personal store. Although this option is supported, you can also put certificates in the NTDS Service's Personal certificate store on Windows Server 2008 and on later versions of Active Directory Domain Services (AD DS). For more information about how to add the certificate to the NTDS service's Personal certificate store, visit the following Microsoft TechNet Web site:

    http://technet.microsoft.com/en-us/library/dd941846(WS.10).aspx (http://technet.microsoft.com/en-us/library/dd941846(WS.10).aspx)

    AD DS preferentially looks for certificates in this store over the Local Machine's store. This makes it easier to configure AD DS to use the certificate that you want it to use. This is because there might be multiple certificates in the Local Machines Personal store, and it can be difficult to predict which one is selected.

    AD DS detects when a new certificate is dropped into its certificate store and then triggers an SSL certificate update without having to restart AD DS or restart the domain controller.

    A new rootDse operation that is named renewServerCertificate can be used to manually trigger AD DS to update its SSL certificates without having to restart AD DS or restart the domain controller. This attribute can be updated using adsiedit.msc, or by importing the change in LDAP Directory Interchange Format (LDIF) using ldifde.exe. For more information on using LDIF to update this attribute, visit the following Microsoft MSDN Web site:

    http://msdn.microsoft.com/en-us/library/cc223311(v=PROT.10).aspx (http://msdn.microsoft.com/en-us/library/cc223311(v=PROT.10).aspx)

    Finally, if a Windows Server 2008 or a later version domain controller finds multiple certificates in its store, it automatically selects the certificate whose expiration date is furthest in the future. Then, if your current certificate is approaching its expiration date, you can drop the replacement certificate in the store, and AD DS automatically switches to use it.

    All these work for Windows Server 2008 AD DS and for 2008 Active Directory Lightweight Directory Services (AD LDS). For AD LDS, put certificates into the Personal certificate store for the service that corresponds to the AD LDS instance instead of for the NTDS service.

     

    -------------------------------------------------------

     

    如何启用 SSL 上的 LDAP 与第三方证书颁发机构

     

     

    轻型目录访问协议 (LDAP) 用于读取和写入到活动目录。默认状态下,传输不安全的 LDAP 通信。您可以通过使用安全套接字层 (SSL) 进行通信的 LDAP 机密、 安全 / 传输层安全性 (TLS) 技术。 您可以通过从 Microsoft 证书颁发机构 (CA) 或非-Microsoft CA 根据本文准则安装一个格式正确的证书来启用 LDAP 通过 SSL (LDAPS)。
    更多信息

    用于配置 LDAPS 没有用户界面。 域控制器上安装一个有效的证书允许 LDAP 服务来侦听,自动接受 SSL 连接的 LDAP 和全局编录通信。 对一个 LD...

    用于配置 LDAPS 没有用户界面。 域控制器上安装一个有效的证书允许 LDAP 服务来侦听,自动接受 SSL 连接的 LDAP 和全局编录通信。

    对一个 LDAPS 证书要求

    若要以便 LDAPS 您必须安装一个证书,以满足以下要求:
    • LDAPS 证书位于本地计算机的个人证书存储 (以编程方式称为该计算机的 MY 证书存储区)。
    • 与证书匹配的私钥是出现在本地计算机的存储区,并与证书正确关联。 私钥必须 具有强私钥保护已启用。
    • 增强型密钥用法扩展包括服务器身份验证 (1.3.6.1.5.5.7.3.1) 对象标识符 (也称为 OID)。
    • 在 Active Directory 完全合格的域名的域控制器 (例如对于 DC01.DOMAIN.COM) 必须出现在下列位置之一:
      • 在公用名 (CN) 在主题字段中。
      • 在主题备用名称的 DNS 条目扩展名。
    • 证书是由域控制器和 $ LDAPS 客户端信任的 CA 颁发的。通过配置客户端和服务器的信任根 CA 中建立信任关系是颁发 CA 链。
    • 您必须使用 Schannel 加密服务提供程序 (CSP) 来生成密钥。
    有关建立信任的证书的详细信息请参阅 Windows 2000 Server 帮助中的"策略建立信任的根证书颁发机构"主题。

    创建证书申请

    任何实用程序或创建一个有效的 PKCS # 10 请求的应用程序可用于窗体 SSL 证书申请。使用 Certreq,以形成请求。

    注意在这篇文章中使用的命令依赖于 Certreq 的 2003年版本。要使用在 Windows 2000 的服务器上的这篇文章中的步骤,certreq.exe 和 certcli.dll 从一个 Windows 2003 服务器复制到 Windows 2000 服务器上的临时目录。

    Certreq.exe 要求来生成对域控制器的相应 X.509 证书请求文本文件指令。您可以创建此文件使用您首选的 ASCII 文本编辑器。将文件另存为.inf 文件的任何文件夹在您的硬盘上。

    若要请求服务器身份验证证书,适用于 LDAPS,请按照下列步骤:
    1. 创建.inf 文件。下面是可以被用来创建证书申请的.inf 文件示例。
      -----------------request.inf-----------------

      [版本]

      签名 ="$ Windows NT $

      [NewRequest]

      主题 ="CN = < DC fqdn >"; 与 DC 的 FQDN 替换
      KeySpec = 1
      KeyLength = 1024年
      ; 可以是 1024,2048年、 4096、 8192,或 16384。
      ; 较大的密钥大小是更安全,但有
      ; 在 $ 性能上的一个更大的影响。
      可导出 = TRUE
      MachineKeySet = TRUE
      SMIME = False
      PrivateKeyArchive = FALSE
      UserProtected = FALSE
      UseExistingKeySet = FALSE
      ProviderName = Microsoft RSA SChannel 加密提供程序
      ProviderType = 12
      RequestType = PKCS10
      KeyUsage = 0xa0

      [EnhancedKeyUsageExtension]

      OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication

      ;-----------------------------------------------
      剪切并粘贴到新的文本文件名为 Request.inf 的示例文件。 提供在请求中的域控制器的完全合格的 DNS 名称。

      注意某些第三方证书颁发机构可能需要在主题参数中的附加信息。 此类信息包括电子邮件地址 (E)、 组织单位 (OU)、 组织 (O)、 区域或城市 (L)、 状态或自治区 (S) 和国家/地区或地区 (C)。可以将此信息追加到 Request.inf 文件中的主题名 (CN)。例如: Subject="E=admin@contoso.com、 CN = < DC fqdn >,OU = 服务器,O = Contoso,L = 雷德蒙 S = 华盛顿,C = 美国"
    2. 创建请求文件。若要执行此操作命令提示符下键入以下命令,然后按 ENTER 键:
      certreq-新 request.inf request.req
      创建一个新的文件称为 Request.req。这是 base64 编码的请求文件。
    3. 提交给 CA 请求。您可以提交请求到 Microsoft CA 或第三方 CA。
    4. 检索向颁发的证书,然后将证书保存为 Certnew.cer 相同请求文件的文件夹中。若要这样做,请按照下列步骤操作:
      1. 创建新的文件称为 Certnew.cer。
      2. 在 $ 记事本中打开该文件、 将已编码的证书粘贴到该文件,然后保存该文件。
      注意已保存的证书必须被编码为 base64。某些第三方 ca 返回给请求者颁发的证书 base64 编码的电子邮件中的文本。
    5. 接受颁发的证书。若要执行此操作命令提示符下键入以下命令,然后按 ENTER 键:
      certreq-接受 certnew.cer
    6. 验证计算机的个人存储区中安装了证书。若要这样做,请按照下列步骤操作:
      1. 启动 Microsoft 管理控制台 (MMC)。
      2. 添加证书管理单元来管理本地计算机上的证书。
      3. 展开 证书 (本地计算机),展开 个人,然后再展开 证书
      在个人存储区中应存在新的证书。在 证书属性 对话框中显示的预期的目的是 服务器身份验证。此证书颁发给计算机的完全合格的主机名。
    7. 重新启动域控制器。
    有关创建证书申请的详细信息请参阅下面的高级证书注册和管理白皮书。 若要访问此白皮书请访问下面的 Microsoft 网站:
    http://technet.microsoft.com/en-us/library/cc782583.aspx (http://technet.microsoft.com/en-us/library/cc782583.aspx)
     

    验证一个 LDAPS 连接

    已安装了证书后,请按照下列步骤以验证启用了 LDAPS 操作:
    1. 启动 Active Directory 管理工具 (Ldp.exe)。

      注意在 Windows 2000 支持工具安装此程序。
    2. 连接 菜单上单击 连接
    3. 键入您要连接的域控制器的名称。
    4. 键入 636 作为端口号。
    5. 单击 确定

      连接成功,该值指示在右窗格中,应打印 RootDSE 信息。

    可能出现的问题

    • 启动 TLS 扩展的请求
      LDAPS 通信是通过端口 TCP 636。LDAPS 发送到全局编录服务器的通信是通过 TCP 3269。连接到端口 636 或 3269 时, SSL/TLS 协商之前交换任何 LDAP 通信。Windows 2000 不支持启动 TLS 扩展请求功能。
    • 多个 SSL 证书
      Schannel,Microsoft SSL 提供程序选择本地计算机存储中找到的第一个有效证书。如果有多个有效的证书保存在本地计算机存储中,Schannel 可能不会选择正确的证书。
    • 缓存问题的 SP3 之前的 SSL 证书
      如果现有 LDAPS 证书将被替换为通过续订过程的另一个证书,或者因为在颁发 CA 已更改,则必须重新启动服务器 Schannel 若要使用新的证书。 在 Windows 2000 中的 SSL 提供程序缓存 LDAPS 证书,并在重新启动域控制器之前没有检测到更改。这已经在 Windows 2000 Service Pack 3 中更正。

    Windows Server 2008 的改进

    在这篇文章中,原始建议是将证书放入本地计算机的个人存储区。尽管支持此选项,您也可使证书 NTDS 服务的个人证书存储区中的 Active Directory 域服务 (AD DS) 的更高版本上和 Windows Server 2008 上。有关如何将证书添加到 NTDS 服务的个人证书存储区的详细信息请访问以下 Microsoft TechNet 网站:
    http://technet.microsoft.com/en-us/library/dd941846(WS.10).aspx (http://technet.microsoft.com/en-us/library/dd941846(WS.10).aspx)
    AD DS 优先于本地计算机的存储区查找该存储区中的证书。这便于更方便地配置为使用要使用您的证书的 AD DS。这是因为在本地计算机个人存储中可能有多个证书,并将很难预测哪一项被选中。

    新的证书被放入其证书存储区,然后触发而无需重新启动 AD DS 或重新启动域控制器的 SSL 证书更新时,会检测到 AD DS。

    新的名为 reviewServerCertificate rootDse 操作可用于手动触发更新其 SSL 证书,而无需重新启动 AD DS 或重新启动域控制器的 AD DS。

    最后,如果 Windows Server 2008 或更高版本的域控制器在存储中找到多个证书,它自动选择的证书的到期日期是在将来最远。然后,如果您当前的证书已接近其到期日期,可以放替换证书存储区中, 和 AD DS 自动切换到使用它。

    所有这些工作的 Windows Server 2008 AD DS 和 2008 Active Directory 轻型目录服务 (AD LDS)。AD LDS 的证书放入对应的服务的个人证书存储区,到 AD LDS 实例而不是为 NTDS 服务。

     

  • 相关阅读:
    用python抓取百度指数 以及 用cxfreeze打包的经验
    selenium中send_keys的使用
    python之文件调用
    学习python之selenium
    学习python图像识别
    解决方案: 运行ugarchroll,报错Error in try(.C("c_qstd", p = as.double(p), mu = as.double(mu), sigma = as.double(sigma), : NA/NaN/Inf in foreign function call (arg 3)
    int 转 const char*
    均值,方差,协方差,协方差矩阵,特征值,特征向量
    OpenCv 图片上添加汉字
    OpenCV获取与设置像素点的值的几个方法
  • 原文地址:https://www.cnblogs.com/kungfupanda/p/2267743.html
Copyright © 2020-2023  润新知