LDAPS to AD (Jamf School)

CMS
New Contributor

Hi folks,

Is anyone out there using LDAPS to Active Directory for authentication?

I've set up a port forward and firewall opening, locked down to Jamf's IPs, but I cannot get LDAPS to work. I'm just testing locally at the moment on the Windows LAN, and the DC won't connect over port 636 with LDP.EXE. I'm sure the issue is the certificate, and despite trying to follow the guide that Jamf links to, I'm not convinced the certificate is working.

Does anyone have an approach that has worked for the certificate?

Thanks


bro
New Contributor

Same problem here.
I even installed an LDAP proxy to get rid of the self-signed cert.
After some investigation I found an error (gnutls on my system seems not to know some certificate):

gnutls[3]: ASSERT: buffers.c[get_last_packet]:1159
tls_read: want=5, got=5
  0000:  15 03 03 00 02                                     .....             
gnutls[10]: READ: Got 5 bytes from 0x7f47f4004560
gnutls[10]: READ: read 5 bytes from 0x7f47f4004560
gnutls[10]: RB: Have 0 bytes into buffer. Adding 5 bytes.
gnutls[10]: RB: Requested 5 bytes
gnutls[5]: REC[0x7f47f4002690]: SSL 3.3 Alert packet received. Epoch 0, length: 2
gnutls[5]: REC[0x7f47f4002690]: Expected Packet Handshake(22)
gnutls[5]: REC[0x7f47f4002690]: Received Packet Alert(21) with length: 2
tls_read: want=2, got=2
  0000:  02 2e                                              ..                
gnutls[10]: READ: Got 2 bytes from 0x7f47f4004560
gnutls[10]: READ: read 2 bytes from 0x7f47f4004560
gnutls[10]: RB: Have 5 bytes into buffer. Adding 2 bytes.
gnutls[10]: RB: Requested 7 bytes
gnutls[5]: REC[0x7f47f4002690]: Decrypted Packet[1] Alert(21) with length: 2
gnutls[5]: REC[0x7f47f4002690]: Alert[2|46] - Unknown certificate - was received
gnutls[3]: ASSERT: record.c[record_add_to_buffers]:787
gnutls[3]: ASSERT: record.c[record_add_to_buffers]:794
gnutls[3]: ASSERT: record.c[_gnutls_recv_in_buffers]:1328
gnutls[3]: ASSERT: buffers.c[_gnutls_handshake_io_recv_int]:1414
gnutls[3]: ASSERT: handshake.c[_gnutls_recv_handshake]:1459
gnutls[3]: ASSERT: handshake.c[handshake_server]:3308
TLS: can't accept: A TLS fatal alert has been received..
gnutls[5]: REC[0x7f47f4002690]: Start of epoch cleanup
gnutls[5]: REC[0x7f47f4002690]: End of epoch cleanup
gnutls[5]: REC[0x7f47f4002690]: Epoch #0 freed
gnutls[5]: REC[0x7f47f4002690]: Epoch #1 freed

When I try to connect I don't get these errors at all.

Artefact-Adam
New Contributor

If LDAPS is installed on your domain controller that is also a global catalogue, try changing the port to 3269 rather than 636 and test.
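As an added example (not code from this thread, from Jamf, or from any LDAP proxy), the Python script below does two things a practitioner would want when chasing this kind of failure: it decodes the TLS alert record shown in the gnutls trace above (the two hex-dump lines together are a fatal alert with description 46, certificate_unknown, i.e. the peer rejected the certificate it was shown), and it probes a domain controller on 636 and 3269 the way a strict client would, recording the OpenSSL verification reason and fetching the presented certificate when verification fails. The hostname dc01.example.internal is a placeholder; the trace bytes are a constructed sample copied from the reply.

```python
import re
import socket
import ssl
from typing import Optional

# TLS alert levels and descriptions (RFC 5246 section 7.2); only the
# certificate-related descriptions and a few common ones are listed.
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {
    0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca",
    70: "protocol_version", 112: "unrecognized_name",
}

# Constructed sample: the record bytes from the gnutls trace in the reply
# above (5-byte record header, then the 2-byte alert body). The tls_read
# lines are kept to show that non-dump lines are skipped.
GNUTLS_TRACE = """\
tls_read: want=5, got=5
  0000:  15 03 03 00 02                                     .....
tls_read: want=2, got=2
  0000:  02 2e                                              ..
"""

# Offset, colon, then the byte columns; assumes gnutls' layout where the
# hex bytes are single-spaced and at least two spaces precede the ASCII column.
HEXDUMP_LINE = re.compile(r"^\s*[0-9a-fA-F]{4,}:\s+(.*)$")


def parse_hexdump(dump: str) -> bytes:
    """Collect the raw bytes from gnutls-style hex dump lines."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEXDUMP_LINE.match(line)
        if not m:
            continue
        hex_part = re.split(r"\s{2,}", m.group(1).strip())[0]
        out.extend(int(tok, 16) for tok in hex_part.split())
    return bytes(out)


def decode_tls_alert(record: bytes) -> dict:
    """Decode one TLS record carrying an Alert (content type 21)."""
    if len(record) < 5:
        raise ValueError("record header truncated")
    ctype, major, minor = record[0], record[1], record[2]
    length = int.from_bytes(record[3:5], "big")
    if ctype != 21:
        raise ValueError(f"not an alert record (content type {ctype})")
    if length != 2 or len(record) < 5 + length:
        raise ValueError("alert body must be exactly 2 bytes")
    level, desc = record[5], record[6]
    return {
        "version": f"{major}.{minor}",  # 3.3 is the TLS 1.2 record version
        "level": ALERT_LEVELS.get(level, f"unknown({level})"),
        "description": ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})"),
        "code": desc,
    }


def probe_ldaps(host: str, port: int = 636, cafile: Optional[str] = None,
                timeout: float = 5.0) -> dict:
    """Handshake with an LDAPS endpoint and report what a verifying client sees.

    Pass 1 verifies chain and hostname like a strict client and records the
    OpenSSL reason on failure; pass 2 (verification off) only fetches the
    certificate the server presented, as PEM, so it can be inspected.
    """
    result = {"host": host, "port": port, "tcp": False, "verified": False,
              "error": None, "protocol": None, "pem": None}
    strict = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            result["tcp"] = True
            with strict.wrap_socket(sock, server_hostname=host) as tls:
                result["verified"] = True
                result["protocol"] = tls.version()
                result["subject"] = tls.getpeercert().get("subject")
                result["san"] = tls.getpeercert().get("subjectAltName")
                return result
    except ssl.SSLCertVerificationError as e:
        result["error"] = e.verify_message  # e.g. 'unable to get local issuer certificate'
    except OSError as e:  # refused, timeout, or a non-TLS answer on the port
        result["error"] = str(e)
        return result
    lax = ssl.create_default_context()
    lax.check_hostname = False
    lax.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with lax.wrap_socket(sock, server_hostname=host) as tls:
                result["protocol"] = tls.version()
                result["pem"] = ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))
    except OSError as e:
        result["error"] += f"; could not fetch certificate: {e}"
    return result


if __name__ == "__main__":
    print(decode_tls_alert(parse_hexdump(GNUTLS_TRACE)))
    for p in (636, 3269):  # placeholder host; use the DC's FQDN as it appears in the cert's SAN
        print(probe_ldaps("dc01.example.internal", p))
```

When `verified` comes back False, `error` names the reason the client gave up (an untrusted issuer, a hostname that does not match the SAN, an expired certificate), and `pem` can be saved and opened with `openssl x509 -text -noout` to check the Subject Alternative Name and Server Authentication EKU that a domain controller certificate needs. A `tcp` of False on 636 but True on 3269 is the situation the last reply describes, where the global catalogue port answers while the standard LDAPS port does not.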