I have a working rule set for LDAP authentication against our AD servers (don't hint to Kerberos for the moment, please :-)
I would like to make that an LDAPS connection, but the certificates are self-signed. With wireshark I see that MWG terminates the negotiation with "Unknown CA".
Where in MWG do I need to store our private CA for LDAP usage?
*Hint* check out the Kerberos guide: https://community.mcafee.com/docs/DOC-2682#Hints_on_using_LDAPS
It has tips on importing the certificates so the "unknown CA" goes away specifically for LDAPS. You must make sure the CN on the cert matches the LDAP url you put in the GUI.
Ok, I checked out the Kerberos guide to get LDAPS working. :-)
And eventually I found the "List of certificate authorities" under "LDAP Specific Parameters".
Interestingly the openssl command does not retrieve two certificates as in your example but only one. It is the certificate of the Domain Controller I am connecting to with LDAPS.
I then had the AD guys send me over their Domain root certificate and imported this under "List of certificate authorities". On a sidenote: this certificate must be exported base64 encoded, not in binary format for MWG to import it. Open the certificate you got with an editor. If it starts with BEGIN CERTIFICATE it's ok.
Still "Unknown CA" in Wireshark and "LDAP: Failed to connect to server $MYLDAP_SERVER Last error -1" in mwg-core__Auth.debug.log
Out of desperation I also added the certificate from the openssl command, but to no avail.
Any more hints, please?
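The three things argued about in the post above (PEM versus binary export, trusting the DC's own certificate versus the issuing CA, and the name in the LDAP URL matching the certificate) can all be reproduced offline with a throwaway PKI. The script below is an added example, not code from the thread, from McAfee or from the MWG product; it only assumes a local `openssl` binary (1.1.0 or newer, for `verify -verify_hostname`). The CA names and the `dc01.example.internal` hostname are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or from McAfee): build a local CA plus a DC
# certificate it signed, then run the same checks an LDAPS client performs before
# it would report "Unknown CA" or a name mismatch.
set -eu

DC_HOST="dc01.example.internal"   # placeholder for the host name used in the LDAP URL

# Build a private root CA, a DC certificate signed by it, and an unrelated CA, in $1.
make_test_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$DC_HOST" \
        -keyout "$dir/dc.key" -out "$dir/dc.csr" >/dev/null 2>&1
    printf 'subjectAltName=DNS:%s\n' "$DC_HOST" >"$dir/san.ext"
    openssl x509 -req -in "$dir/dc.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -extfile "$dir/san.ext" -out "$dir/dc.pem" >/dev/null 2>&1
    # a CA that did not issue the DC certificate: what "Unknown CA" looks like
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated Root CA" \
        -keyout "$dir/other.key" -out "$dir/other.pem" >/dev/null 2>&1
}

# True when the file is a base64 (PEM) certificate: first line is BEGIN CERTIFICATE.
# A binary (DER) export fails this check and is the wrong format to import.
is_pem() {
    head -n 1 "$1" | grep -q '^-----BEGIN CERTIFICATE-----$'
}

# Convert a binary (DER) export to PEM.
der_to_pem() {
    openssl x509 -inform der -in "$1" -out "$2"
}

# Number of certificates in a saved `openssl s_client -showcerts` transcript.
# If this is 1, the DC sent only its own certificate and the CA must be obtained separately.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# The client-side check: chain the server certificate to the trusted CA file and
# match the host name against CN/SAN. Exit status 0 means the connection would be accepted.
check_chain() {
    ca=$1; leaf=$2; host=$3
    openssl verify -CAfile "$ca" -verify_hostname "$host" "$leaf" >/dev/null 2>&1
}

main() {
    work=$(mktemp -d)
    make_test_pki "$work"
    for f in ca.pem dc.pem; do
        printf '%s: %s\n' "$f" "$(openssl x509 -in "$work/$f" -noout -subject)"
    done
    if check_chain "$work/ca.pem" "$work/dc.pem" "$DC_HOST"; then
        echo "issuing CA imported, host name matches: accepted"
    fi
    check_chain "$work/other.pem" "$work/dc.pem" "$DC_HOST" || echo "wrong CA imported: Unknown CA"
    check_chain "$work/ca.pem" "$work/dc.pem" "ldap.example.internal" || echo "URL host != cert name: rejected"
    rm -rf "$work"
}

main "$@"
```

Run it as-is to see the accepted case and both rejection cases; to test a real DC, save the output of `openssl s_client -connect <dc>:636 -showcerts` to a file, run `count_certs` on it, extract the first block into `dc.pem`, and call `check_chain` with the CA file you intend to import and the exact host name from the LDAP URL.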
Create a case with a feedback and that capture (don't post it here) and we should be able to solve it quickly. We can also file a FMR for MWG to just retrieve it from the server in the UI rather than going through all this hassle of getting the certs manually.