If you connect to port 636/tcp on a DC via ldp.exe then SSL is enabled.
-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Simon Walter
Sent: Tuesday, November 24, 2009 7:07 PM
To: [email protected]
Subject: [ldap] Re: ldap ssl MS AD
Dustin Puryear wrote:
> Hi Michael-
>
> I also suggest using ldp.exe on the Windows DC *first* to test connectivity.
> Then try from an external host, like the Linux server below.
>
I should have mentioned that I've done that as well. I was not able to
determine if indeed it did connect via SSL. Here is the output of
ldp.exe connecting to adserver at port 636. As per the MS instructions,
they don't say to check the SSL option when setting up the connection.
So, I'm not even sure if it is working. Though port 636 is supposed to
be SSL.
ld = ldap_open("adserver", 636);
Established connection to adserver.
Retrieving base DSA information...
Result <0>: (null)
Matched DNs:
Getting 1 entries:
>> Dn:
1> currentTime: 11/25/2009 9:54:15 Tokyo Standard Time Tokyo
Standard Time;
1> subschemaSubentry:
CN=Aggregate,CN=Schema,CN=Configuration,DC=mydomain,DC=com;
1> dsServiceName: CN=NTDS
Settings,CN=adserver,CN=Servers,CN=YSE,CN=Sites,CN=Configuration,DC=mydomain,DC=com;
5> namingContexts: DC=mydomain,DC=com;
CN=Configuration,DC=mydomain,DC=com;
CN=Schema,CN=Configuration,DC=mydomain,DC=com;
DC=DomainDnsZones,DC=mydomain,DC=com; DC=ForestDnsZones,DC=mydomain,DC=com;
1> defaultNamingContext: DC=mydomain,DC=com;
1> schemaNamingContext: CN=Schema,CN=Configuration,DC=mydomain,DC=com;
1> configurationNamingContext: CN=Configuration,DC=mydomain,DC=com;
1> rootDomainNamingContext: DC=mydomain,DC=com;
26> supportedControl: 1.2.840.113556.1.4.319;
1.2.840.113556.1.4.801; 1.2.840.113556.1.4.473; 1.2.840.113556.1.4.528;
1.2.840.113556.1.4.417; 1.2.840.113556.1.4.619; 1.2.840.113556.1.4.841;
1.2.840.113556.1.4.529; 1.2.840.113556.1.4.805; 1.2.840.113556.1.4.521;
1.2.840.113556.1.4.970; 1.2.840.113556.1.4.1338; 1.2.840.113556.1.4.474;
1.2.840.113556.1.4.1339; 1.2.840.113556.1.4.1340;
1.2.840.113556.1.4.1413; 2.16.840.1.113730.3.4.9;
2.16.840.1.113730.3.4.10; 1.2.840.113556.1.4.1504;
1.2.840.113556.1.4.1852; 1.2.840.113556.1.4.802;
1.2.840.113556.1.4.1907; 1.2.840.113556.1.4.1948;
1.2.840.113556.1.4.1974; 1.2.840.113556.1.4.1341; 1.2.840.113556.1.4.2026;
2> supportedLDAPVersion: 3; 2;
12> supportedLDAPPolicies: MaxPoolThreads; MaxDatagramRecv;
MaxReceiveBuffer; InitRecvTimeout; MaxConnections; MaxConnIdleTime;
MaxPageSize; MaxQueryDuration; MaxTempTableSize; MaxResultSetSize;
MaxNotificationPerConn; MaxValRange;
1> highestCommittedUSN: 1053007;
4> supportedSASLMechanisms: GSSAPI; GSS-SPNEGO; EXTERNAL; DIGEST-MD5;
1> dnsHostName: adserver.mydomain.com;
1> ldapServiceName: mydomain.com:[email protected];
1> serverName:
CN=adserver,CN=Servers,CN=YSE,CN=Sites,CN=Configuration,DC=mydomain,DC=com;
4> supportedCapabilities: 1.2.840.113556.1.4.800;
1.2.840.113556.1.4.1670; 1.2.840.113556.1.4.1791; 1.2.840.113556.1.4.1935;
1> isSynchronized: TRUE;
1> isGlobalCatalogReady: TRUE;
1> domainFunctionality: 0 = ( DS_BEHAVIOR_WIN2000 );
1> forestFunctionality: 0 = ( DS_BEHAVIOR_WIN2000 );
1> domainControllerFunctionality: 3;
-----------
Here is the same connection with the SSL option checked (also using
port 636):
ld = ldap_sslinit("adserver", 636, 1);
Error <0x0> = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION,
LDAP_VERSION3);
Error <0x0> = ldap_connect(hLdap, NULL);
Error <0x0> = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
Host supports SSL, SSL cipher strength = 128 bits
Established connection to adserver.
Retrieving base DSA information...
Result <0>: (null)
Matched DNs:
Getting 1 entries:
>> Dn:
1> currentTime: 11/25/2009 10:0:38 Tokyo Standard Time Tokyo
Standard Time;
1> subschemaSubentry:
CN=Aggregate,CN=Schema,CN=Configuration,DC=mydomain,DC=com;
1> dsServiceName: CN=NTDS
Settings,CN=adserver,CN=Servers,CN=YSE,CN=Sites,CN=Configuration,DC=mydomain,DC=com;
5> namingContexts: DC=mydomain,DC=com;
CN=Configuration,DC=mydomain,DC=com;
CN=Schema,CN=Configuration,DC=mydomain,DC=com;
DC=DomainDnsZones,DC=mydomain,DC=com; DC=ForestDnsZones,DC=mydomain,DC=com;
1> defaultNamingContext: DC=mydomain,DC=com;
1> schemaNamingContext: CN=Schema,CN=Configuration,DC=mydomain,DC=com;
1> configurationNamingContext: CN=Configuration,DC=mydomain,DC=com;
1> rootDomainNamingContext: DC=mydomain,DC=com;
26> supportedControl: 1.2.840.113556.1.4.319;
1.2.840.113556.1.4.801; 1.2.840.113556.1.4.473; 1.2.840.113556.1.4.528;
1.2.840.113556.1.4.417; 1.2.840.113556.1.4.619; 1.2.840.113556.1.4.841;
1.2.840.113556.1.4.529; 1.2.840.113556.1.4.805; 1.2.840.113556.1.4.521;
1.2.840.113556.1.4.970; 1.2.840.113556.1.4.1338; 1.2.840.113556.1.4.474;
1.2.840.113556.1.4.1339; 1.2.840.113556.1.4.1340;
1.2.840.113556.1.4.1413; 2.16.840.1.113730.3.4.9;
2.16.840.1.113730.3.4.10; 1.2.840.113556.1.4.1504;
1.2.840.113556.1.4.1852; 1.2.840.113556.1.4.802;
1.2.840.113556.1.4.1907; 1.2.840.113556.1.4.1948;
1.2.840.113556.1.4.1974; 1.2.840.113556.1.4.1341; 1.2.840.113556.1.4.2026;
2> supportedLDAPVersion: 3; 2;
12> supportedLDAPPolicies: MaxPoolThreads; MaxDatagramRecv;
MaxReceiveBuffer; InitRecvTimeout; MaxConnections; MaxConnIdleTime;
MaxPageSize; MaxQueryDuration; MaxTempTableSize; MaxResultSetSize;
MaxNotificationPerConn; MaxValRange;
1> highestCommittedUSN: 1053046;
4> supportedSASLMechanisms: GSSAPI; GSS-SPNEGO; EXTERNAL; DIGEST-MD5;
1> dnsHostName: adserver.mydomain.com;
1> ldapServiceName: mydomain.com:[email protected];
1> serverName:
CN=adserver,CN=Servers,CN=YSE,CN=Sites,CN=Configuration,DC=mydomain,DC=com;
4> supportedCapabilities: 1.2.840.113556.1.4.800;
1.2.840.113556.1.4.1670; 1.2.840.113556.1.4.1791; 1.2.840.113556.1.4.1935;
1> isSynchronized: TRUE;
1> isGlobalCatalogReady: TRUE;
1> domainFunctionality: 0 = ( DS_BEHAVIOR_WIN2000 );
1> forestFunctionality: 0 = ( DS_BEHAVIOR_WIN2000 );
1> domainControllerFunctionality: 3;
-----------
Michael Ströder wrote:
> Option -x (to enforce simple bind) is missing in the second command line.
>
>
As far as I know, the -x is for non-SSL/TLS connections. Is that
correct? Sure I am able to connect with it. I think I do not want to use
a simple bind. I think I want to use SASL. I'm guessing that OpenLDAP
uses SASL to implement SSL/TLS. Please correct me if I'm wrong.
Thanks for your help!
Simon
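The following is an added example, not code from this thread or from any of its participants. It shows what the ldp.exe "SSL" checkbox and an `ldaps://` URL mean on the wire: on port 636 the TLS handshake happens before the first LDAP message (implicit TLS, no StartTLS), and only after that does the client send the anonymous rootDSE read that ldp.exe performs on connect. Transport protection and bind method are independent choices: this script sends no bind at all, just as ldp.exe does when it retrieves the base DSA information, and `ldapsearch -x` (simple bind) versus a SASL mechanism is decided separately from whether the session is TLS-wrapped. The `query_rootdse_over_ldaps()` function verifies the DC's certificate chain and hostname (the check a defender wants, since "Host supports SSL" says nothing about who issued the certificate) and reports the negotiated TLS version and cipher, the same information as ldp.exe's "SSL cipher strength" line. The BER encoder and decoder are written here so the example has no third-party dependencies; the attribute names and the sample SearchResultEntry in `constructed_sample_response()` are constructed for offline use and are not captured from the list poster's server.

```python
"""Minimal LDAP-over-TLS (LDAPS, port 636) rootDSE probe. Added example; not the
mailing-list poster's code. Sample data below is constructed, not captured."""
import socket
import ssl

# ---- BER / LDAP encoding helpers (RFC 4511 SearchRequest) --------------------

def ber_len(n):
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, payload):
    """Tag + length + value."""
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(v):
    """Non-negative INTEGER; the extra leading zero keeps the sign bit clear."""
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def encode_rootdse_search(msg_id, attrs):
    """LDAPMessage { messageID, SearchRequest } reading the rootDSE (empty DN,
    base scope, filter (objectClass=*)) and asking only for `attrs`."""
    body = (tlv(0x04, b"")                # baseObject: "" selects the rootDSE
            + tlv(0x0A, b"\x00")          # scope: baseObject
            + tlv(0x0A, b"\x00")          # derefAliases: neverDerefAliases
            + ber_int(0) + ber_int(0)     # sizeLimit, timeLimit: unlimited
            + tlv(0x01, b"\x00")          # typesOnly: FALSE
            + tlv(0x87, b"objectClass")   # filter: present(objectClass), context tag [7]
            + tlv(0x30, b"".join(tlv(0x04, a.encode()) for a in attrs)))
    return tlv(0x30, ber_int(msg_id) + tlv(0x63, body))   # SearchRequest = [APPLICATION 3]

# ---- BER decoding --------------------------------------------------------------

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos); raises IndexError/ValueError if `buf` is short."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def iter_tlvs(buf):
    """Yield (tag, value) for each element packed back to back in `buf`."""
    pos = 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        yield tag, val

def parse_search_entry(msg):
    """Decode an LDAPMessage carrying a SearchResultEntry ([APPLICATION 4]).
    Returns (message_id, dn, {attribute: [values]})."""
    _, content, _ = read_tlv(msg)
    (_, msg_id), (op_tag, entry) = list(iter_tlvs(content))[:2]
    if op_tag != 0x64:
        raise ValueError("not a SearchResultEntry: tag 0x%02x" % op_tag)
    (_, dn), (_, attr_seq) = list(iter_tlvs(entry))
    attrs = {}
    for _, pattr in iter_tlvs(attr_seq):              # PartialAttribute { type, SET OF value }
        (_, atype), (_, vals) = list(iter_tlvs(pattr))
        attrs[atype.decode()] = [v.decode("utf-8", "replace") for _, v in iter_tlvs(vals)]
    return int.from_bytes(msg_id, "big", signed=True), dn.decode(), attrs

def constructed_sample_response():
    """A SearchResultEntry built locally (constructed, not captured) carrying
    the kind of values a DC's rootDSE returns, for offline demonstration."""
    def pattr(name, vals):
        return tlv(0x30, tlv(0x04, name.encode())
                   + tlv(0x31, b"".join(tlv(0x04, v.encode()) for v in vals)))
    entry = tlv(0x04, b"") + tlv(0x30,
        pattr("supportedSASLMechanisms", ["GSSAPI", "GSS-SPNEGO", "EXTERNAL", "DIGEST-MD5"])
        + pattr("dnsHostName", ["adserver.mydomain.com"]))
    return tlv(0x30, ber_int(7) + tlv(0x64, entry))

# ---- Live check over implicit TLS ----------------------------------------------

def query_rootdse_over_ldaps(host, port=636, cafile=None,
                             attrs=("supportedSASLMechanisms", "dnsHostName")):
    """Handshake TLS first (that is what port 636 means), verify the server
    certificate and hostname against `cafile` or the system trust store, then
    read the rootDSE anonymously. Returns (tls_version, cipher_name, attributes)."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED + hostname check
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(encode_rootdse_search(1, list(attrs)))
            buf, entry = b"", None
            while True:
                chunk = tls.recv(65536)
                if not chunk:
                    raise ConnectionError("server closed before SearchResultDone")
                buf, pos, done = buf + chunk, 0, False
                while pos < len(buf):
                    try:
                        _, content, nxt = read_tlv(buf, pos)
                    except (IndexError, ValueError):
                        break                         # message not fully received yet
                    op_tag = list(iter_tlvs(content))[1][0]
                    if op_tag == 0x64:                # SearchResultEntry
                        entry = parse_search_entry(buf[pos:nxt])[2]
                    elif op_tag == 0x65:              # SearchResultDone
                        done = True
                    pos = nxt
                buf = buf[pos:]
                if done:
                    return tls.version(), tls.cipher()[0], entry

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "adserver.mydomain.com"   # placeholder host
    print(query_rootdse_over_ldaps(host, cafile=sys.argv[2] if len(sys.argv) > 2 else None))
```

Run it as `python ldaps_probe.py adserver.mydomain.com /path/to/issuing-ca.pem`; a DC whose certificate does not chain to the given CA, or whose certificate name does not match the host you asked for, fails the handshake with an `ssl.SSLCertVerificationError` before any LDAP traffic is sent, which is the behaviour you want from every LDAPS client in the environment. A plain-LDAP client that has not been wrapped in TLS would send the same `encode_rootdse_search()` bytes in cleartext, so the distinction the thread is after lives entirely in whether the handshake precedes the first PDU.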