11-29-2019 06:55 AM
We need to re-configure our UCSM to use LDAP channel binding and LDAP signing since Microsoft has recommended this change on all the domain controllers at the link below
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190023
Currently, the LDAP authentication happens without SSL and that is how it's configured in UCSM. Does anyone know how to configure UCSM to use LDAP channel binding and LDAP signing when talking to the domain controllers for authentication?
I have come across the below article which cisco has put out about SSL and LDAP but it's not that helpful
12-04-2019 09:58 PM
Hi,
Did you happen to find more information on this - we are in the same boat with TMS and TCS. Network team is enabling LDAP Signing as per Microsoft advice and not sure if it is supported.
Thanks,
12-05-2019 04:39 AM
Hi,
I think I have managed to fix this for one of my UCS infrastructures. The way we monitor unsigned LDAPs over non-SSL coming to our DCs is through a SCOM template.
In that, all the devices which are communicating through this method are logged, and that is how I was alerted by my identity team to look into it.
So, I would say follow the below link and configure a certificate in UCS
https://www.derekseaman.com/2012/04/install-trusted-ssl-certificate-in.html
So for LDAP over SSL, you would need to:
One point worth noting for me at least is that after the certificate is configured and valid in UCS, from the LDAP provider screen you can select SSL (it's a check box). Typically the port is 636 for that and not 389. But when I select 636, I haven't got it to work, but if I use 386 with SSL checked it works and in SCOM the alert is not generated when I log in using my domain IDs.
So for now, I think I am going to leave it on that as long as it's not alerted for unsigned LDAPs.
Best of luck and yes this is a bit tricky and a hit and miss!
-A
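The SCOM alert described in the post above is driven by the domain controller's Directory Service event 2889, which ADV190023 points to as the record of clients that bind without signing or perform simple binds over cleartext LDAP. The script below is an added example, not part of the post and not a Cisco or Microsoft tool: it parses a few constructed event 2889 messages (field layout approximated from Microsoft's event documentation; not real logs), groups the offenders by client IP, and reports which of an assumed pair of fabric interconnect management IPs is still showing up. Running it against the real events before and after ticking the SSL box is a quicker check than waiting for the next SCOM alert.

```python
import re
from collections import defaultdict

# Constructed sample messages in the shape of Directory Service event 2889.
# The exact wording is approximated; the three fields parsed below are the
# ones the real event carries.
SAMPLE_EVENTS = [
    "The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind "
    "without requesting signing (integrity verification), or performed a simple bind over "
    "a clear text (non-SSL/TLS-encrypted) LDAP connection.\n"
    "Client IP address:\n10.20.30.40:49210\n"
    "Identity the client attempted to authenticate as:\nCORP\\ucs-ldap-svc\n"
    "Binding Type:\n1",
    "The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind "
    "without requesting signing (integrity verification), or performed a simple bind over "
    "a clear text (non-SSL/TLS-encrypted) LDAP connection.\n"
    "Client IP address:\n10.20.30.40:49388\n"
    "Identity the client attempted to authenticate as:\nCORP\\ucs-ldap-svc\n"
    "Binding Type:\n0",
    "The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind "
    "without requesting signing (integrity verification), or performed a simple bind over "
    "a clear text (non-SSL/TLS-encrypted) LDAP connection.\n"
    "Client IP address:\n10.9.9.9:51002\n"
    "Identity the client attempted to authenticate as:\nCORP\\svc-app\n"
    "Binding Type:\n1",
]

# Assumed management IPs of the two UCS fabric interconnects (hypothetical).
UCS_CLIENTS = ["10.20.30.40", "10.20.30.41"]

IP_RE = re.compile(r"Client IP address:\s*([0-9.]+):(\d+)")
IDENT_RE = re.compile(r"Identity the client attempted to authenticate as:\s*(\S+)")
BIND_RE = re.compile(r"Binding Type:\s*(\d+)")


def parse_event(text):
    """Extract client IP, source port, identity and raw binding type from one
    event 2889 message. Returns None if the message lacks the client IP field.
    The binding type is kept as the raw integer; its meaning is defined by
    Microsoft's event documentation and not interpreted here."""
    ip = IP_RE.search(text)
    if not ip:
        return None
    ident = IDENT_RE.search(text)
    bind = BIND_RE.search(text)
    return {
        "ip": ip.group(1),
        "port": int(ip.group(2)),
        "identity": ident.group(1) if ident else None,
        "bind_type": int(bind.group(1)) if bind else None,
    }


def summarize(events):
    """Group parsed events by client IP: bind count, identities used, and
    binding types seen. Unparseable messages are skipped."""
    by_ip = defaultdict(lambda: {"count": 0, "identities": set(), "bind_types": set()})
    for text in events:
        ev = parse_event(text)
        if ev is None:
            continue
        entry = by_ip[ev["ip"]]
        entry["count"] += 1
        if ev["identity"] is not None:
            entry["identities"].add(ev["identity"])
        if ev["bind_type"] is not None:
            entry["bind_types"].add(ev["bind_type"])
    # Sorted lists make the result stable and easy to assert on.
    return {
        ip: {
            "count": e["count"],
            "identities": sorted(e["identities"]),
            "bind_types": sorted(e["bind_types"]),
        }
        for ip, e in by_ip.items()
    }


def still_unsigned(events, client_ips):
    """Return the watched client IPs (e.g. the fabric interconnects) that
    still appear in event 2889, i.e. are still binding unsigned/cleartext."""
    seen = summarize(events)
    return sorted(ip for ip in client_ips if ip in seen)


if __name__ == "__main__":
    for ip, info in sorted(summarize(SAMPLE_EVENTS).items()):
        print(f"{ip}: {info['count']} unsigned/cleartext bind(s) as {', '.join(info['identities'])}")
    print("UCS clients still unsigned:", still_unsigned(SAMPLE_EVENTS, UCS_CLIENTS))
```

On a live controller the same functions can be fed the `Message` text of `Get-WinEvent -LogName "Directory Service" -FilterXPath "*[System[EventID=2889]]"`; if the fabric interconnect's IP drops out of `still_unsigned` after the SSL change, the provider is no longer doing cleartext simple binds.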
10-09-2020 08:02 AM - edited 10-09-2020 08:03 AM
Just do only first 3 steps from this doc https://www.cisco.com/c/en/us/support/docs/servers-unified-computing/ucs-infrastructure-ucs-manager-software/213523-creating-and-using-3rd-party-certificate.html
and enable SSL for your LDAP providers (under user management in UCS manager)
Don't create a KeyRing - you don't need it to enable LDAPs
To download Cert chain go to your AD cert server: https://<servername>/certsrv/