cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1613
Views
0
Helpful
3
Replies

Configure UCSM to use LDAP channel binding and LDAP signing

Ali.hassan1
Beginner
Beginner

We need to re-configure our UCSM to use LDAP channel binding and LDAP signing since Microsoft has recommended this change on all the domain controllers under the below links

 

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190023

https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows

 

Currently, the LDAP authentication happens without SSL and that is how its configured in UCSM. Does anyone know how to configure UCSM to use LDAP channel binding and LDAP signing when talking to the domain controllers for authentication?

 

I have come across the below article which cisco has put out about SSL and LDAP but it's not that helpful

 

https://www.cisco.com/c/en/us/support/docs/servers-unified-computing/ucs-infrastructure-ucs-manager-software/200092-UCSM-LDAP-Troubleshooting-guide.html

 

 

3 Replies 3

CGL
Beginner
Beginner

Hi, 

 

Did you happen to find more information on this - we are in the same boat with TMS and TCS. Network team is enabling LDAP Signing as per Microsoft advice and note sure if it is supported. 

 

Thanks, 

Hi,

I think I have managed to fix this for one of my UCS infrastructure. The way we monitor un-signed LDAP's over non-ssl coming to our DC's is through a SCOM template.

In that all the devices which are communication through this method are logged and that is how I was alerted by my identity team to look into it.

 

So, I would say follow the below  link and configure a certificate in UCS

 

https://www.derekseaman.com/2012/04/install-trusted-ssl-certificate-in.html

 

So for LDAP over SSL, you would need to:

 

  1. Install a cert from your root CA as a new keyring on the ucs.
  2. Make that the active certificate in communications settings.
  3. Then make sure that your LDAP services are set up for ssl

One point worth noting for me at least is that after the certificate is configured and valid in UCS, from the LDAP provider screen you can select SSL (Its a check box). Typically the port is 636 for that and not 389. But when i select 636, I haven't got it to work but if i use 386 with SSL checked it works and in SCOM the alert is not generated when I login using my domain id's.

So for now, I think I am going to leave it on that as long as its not alerted for unsigned LDAP's

 

Best of luck and yes this is a bit tricky and a hit and miss!

 

-A

 

Just do only first 3 steps from this doc https://www.cisco.com/c/en/us/support/docs/servers-unified-computing/ucs-infrastructure-ucs-manager-software/213523-creating-and-using-3rd-party-certificate.html

and enable SSL for your LDAP providers (under user management in UCS manager)

 

Don't create a KeyRing - you don't need it to enable LDAPs

 

To download Cert chain go to your AD cert server: https://<servername>/certsrv/

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers