Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2344
Views
0
Helpful
3
Replies

Configure UCSM to use LDAP channel binding and LDAP signing

Ali.hassan1
Level 1
Level 1

‎11-29-2019 06:55 AM

We need to re-configure our UCSM to use LDAP channel binding and LDAP signing since Microsoft has recommended this change on all the domain controllers under the below links

 

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190023

https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows

 

Currently, the LDAP authentication happens without SSL and that is how its configured in UCSM. Does anyone know how to configure UCSM to use LDAP channel binding and LDAP signing when talking to the domain controllers for authentication?

 

I have come across the below article which cisco has put out about SSL and LDAP but it's not that helpful

 

https://www.cisco.com/c/en/us/support/docs/servers-unified-computing/ucs-infrastructure-ucs-manager-software/200092-UCSM-LDAP-Troubleshooting-guide.html

 

 

2 people had this problem
Labels:
0 Helpful
3 Replies 3

CGL
Level 1
Level 1

‎12-04-2019 09:58 PM

Hi, 

 

Did you happen to find more information on this - we are in the same boat with TMS and TCS. Network team is enabling LDAP Signing as per Microsoft advice and note sure if it is supported. 

 

Thanks, 

0 Helpful

Ali.hassan1
Level 1
Level 1
In response to CGL

‎12-05-2019 04:39 AM

Hi,

I think I have managed to fix this for one of my UCS infrastructure. The way we monitor un-signed LDAP's over non-ssl coming to our DC's is through a SCOM template.

In that all the devices which are communication through this method are logged and that is how I was alerted by my identity team to look into it.

 

So, I would say follow the below  link and configure a certificate in UCS

 

https://www.derekseaman.com/2012/04/install-trusted-ssl-certificate-in.html

 

So for LDAP over SSL, you would need to:

 

  1. Install a cert from your root CA as a new keyring on the ucs.
  2. Make that the active certificate in communications settings.
  3. Then make sure that your LDAP services are set up for ssl

One point worth noting for me at least is that after the certificate is configured and valid in UCS, from the LDAP provider screen you can select SSL (Its a check box). Typically the port is 636 for that and not 389. But when i select 636, I haven't got it to work but if i use 386 with SSL checked it works and in SCOM the alert is not generated when I login using my domain id's.

So for now, I think I am going to leave it on that as long as its not alerted for unsigned LDAP's

 

Best of luck and yes this is a bit tricky and a hit and miss!

 

-A

 

0 Helpful

BogdanT
Level 1
Level 1
In response to Ali.hassan1

‎10-09-2020 08:02 AM - edited ‎10-09-2020 08:03 AM

Just do only first 3 steps from this doc https://www.cisco.com/c/en/us/support/docs/servers-unified-computing/ucs-infrastructure-ucs-manager-software/213523-creating-and-using-3rd-party-certificate.html

and enable SSL for your LDAP providers (under user management in UCS manager)

 

Don't create a KeyRing - you don't need it to enable LDAPs

 

To download Cert chain go to your AD cert server: https://<servername>/certsrv/

0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking products for a $25 gift card