Secure LDAP

Hi Experts,

We have Cisco ASA with SFR modules managed by FMC. Currently, we're using the LDAP server 'domain.com', which resolves to multiple AD servers, and the port used is TCP/389.

We've been asked to change it to secure LDAP (TCP/636), and in this case we're not sure which cert of the AD server should be uploaded into FMC, as this name resolves to multiple AD servers.

Can someone please assist? Thanks in advance.

4 Replies

Hi @Srinivasan Nagarajan, you'll need to upload the root and intermediate certificates to the FMC in order to trust the AD server's identity certificate.

Thanks @Rob Ingram

We've configured 'domain.com' in the primary server config, which resolves to multiple AD servers. So, in this case, should we upload the wildcard cert of this root AD server?

Also, as given here, it shows the root cert of the AD server being uploaded. Can you please suggest where to upload the intermediate and identity certs of the server?

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/215538-configure-firepower-management-center-an.html#anc7

@Srinivasan Nagarajan see section 5 of that guide, step 2.

Step 2. Upload the certificate of the CA who signed the server's certificate. The certificate must be in PEM format.

So export the root certificate of the certificate that signed the server's certificate and import it in step 2.

Thanks a lot @Rob Ingram for taking the time to reply to this.

Will only the Root CA cert suffice, or do we need to add the Intermediate and Identity certs? If yes, can you please suggest where to get these uploaded into FMC, as step 5 only mentions Root certs?
