Setting LDAP connection with Certificate

michelegarribba
Level 1

Hi all,

I need to set up an LDAP connection to verify recipient email addresses on incoming mail.

LDAP is protected by SSL, so do I need a certificate?

How can I get a certificate? I mean, what is the right procedure to request a certificate from a CA (the internal one that manages the Domain Controllers) and install it on the IronPort ESA?

Thanks a lot

smaikol

Accepted Solution

Hi Smaikol,

In this case, to use LDAPS (LDAP over SSL), the Microsoft server will need to meet the requirements you just mentioned: it will need an SSL certificate from a third-party CA (Certificate Authority).

Requirements for an LDAPS certificate

To enable LDAPS, you must install a certificate that meets the following requirements:

  • The LDAPS certificate is located in the Local Computer's Personal certificate store (programmatically known as the computer's MY certificate store).
  • A private key that matches the certificate is present in the Local Computer's store and is correctly associated with the certificate. The private key must not have strong private key protection enabled.
  • The Enhanced Key Usage extension includes the Server Authentication (1.3.6.1.5.5.7.3.1) object identifier (also known as OID).
  • The Active Directory fully qualified domain name of the domain controller (for example, DC01.DOMAIN.COM) must appear in one of the following places:
    • The Common Name (CN) in the Subject field.
    • DNS entry in the Subject Alternative Name extension.
  • The certificate was issued by a CA that the domain controller and the LDAPS clients trust. Trust is established by configuring the clients and the server to trust the root CA to which the issuing CA chains.
  • You must use the Schannel cryptographic service provider (CSP) to generate the key.

Now, to get the pertinent certificate you will need to create a request; you will find those instructions and further information at the following link:

-   http://support.microsoft.com/kb/321051/en-us

Let me know how it works out!

Please don't forget to rate and mark the helpful post as correct!

David Castro.

Best regards.
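The requirements in the answer above can be checked against a certificate before it is installed on the ESA. The following Go program is an added example, not code from the post, from Cisco or from Microsoft: it parses a PEM-encoded X.509 certificate (as you would export it from the domain controller) and reports which of the listed requirements it fails: the Server Authentication EKU (1.3.6.1.5.5.7.3.1), the DC FQDN in the Subject CN or a SAN DNS entry, and, when a root pool is supplied, a chain to a trusted root. The private-key-store and Schannel CSP requirements live on the Windows side and cannot be read from an exported certificate, so they are not checked here. The certificates the program builds for itself are constructed test data, and the FQDN `DC01.DOMAIN.COM` is the example name from the post.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// CheckLDAPSCert applies the LDAPS certificate requirements from the post
// to a parsed certificate. roots may be nil to skip the trust check.
// It returns one finding per failed requirement; an empty slice means pass.
func CheckLDAPSCert(cert *x509.Certificate, dcFQDN string, roots *x509.CertPool) []string {
	var findings []string

	// Requirement: EKU includes Server Authentication (1.3.6.1.5.5.7.3.1).
	// Go exposes that OID as x509.ExtKeyUsageServerAuth after parsing.
	hasServerAuth := false
	for _, eku := range cert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageServerAuth {
			hasServerAuth = true
		}
	}
	if !hasServerAuth {
		findings = append(findings, "EKU lacks Server Authentication (1.3.6.1.5.5.7.3.1)")
	}

	// Requirement: the DC FQDN is the Subject CN or a SAN DNS entry.
	// DNS names are case-insensitive, so compare lower-cased.
	want := strings.ToLower(dcFQDN)
	nameFound := strings.ToLower(cert.Subject.CommonName) == want
	for _, dns := range cert.DNSNames {
		if strings.ToLower(dns) == want {
			nameFound = true
		}
	}
	if !nameFound {
		findings = append(findings, fmt.Sprintf("%s is neither the Subject CN nor a SAN DNS entry", dcFQDN))
	}

	// Requirement: issued by a CA the client trusts. Verify builds the chain
	// to the supplied roots and also enforces the hostname match for dcFQDN.
	if roots != nil {
		opts := x509.VerifyOptions{Roots: roots, DNSName: dcFQDN}
		if _, err := cert.Verify(opts); err != nil {
			findings = append(findings, "chain does not verify to a trusted root: "+err.Error())
		}
	}
	return findings
}

// CheckLDAPSPEM is the entry point for a certificate exported from the DC
// in Base64 (PEM) form.
func CheckLDAPSPEM(pemData []byte, dcFQDN string, roots *x509.CertPool) ([]string, error) {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block found in PEM input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	return CheckLDAPSCert(cert, dcFQDN, roots), nil
}

// MakeTestCert builds a self-signed certificate (constructed for this example;
// not a real domain controller certificate) with the given CN, SAN DNS names
// and EKUs, returned as PEM so it goes through the same parsing path as a
// real exported certificate.
func MakeTestCert(cn string, dnsNames []string, ekus []x509.ExtKeyUsage) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  ekus,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	const dc = "DC01.DOMAIN.COM" // example FQDN from the post
	good, _ := MakeTestCert(dc, []string{"dc01.domain.com"}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth})
	bad, _ := MakeTestCert("ldap.domain.com", nil, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth})
	for _, p := range [][]byte{good, bad} {
		findings, err := CheckLDAPSPEM(p, dc, nil)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%d finding(s): %v\n", len(findings), findings)
	}
}
```

To check a real exported certificate, read the `.cer` file (Base64 X.509 export) into `CheckLDAPSPEM` and pass the internal root CA in a `x509.CertPool` as `roots`. Note that Go 1.15 and later, like current browsers, ignore the Subject CN for hostname matching once a SAN is present, so in practice the DC FQDN belongs in the SAN DNS entry rather than only in the CN.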
