bornheim

LDAP authentication: where to store private certificate?

Hi,

I have a working rule set for LDAP authentication against our AD servers (don't hint to Kerberos for the moment, please :-) ).

I would like to make that an LDAPS connection, but the certificates are self-signed. With wireshark I see that MWG terminates the negotiation with "Unknown CA".

Where in MWG do I need to store our private CA for LDAP usage?

Regards,

Robert

3 Replies
McAfee Employee

Re: LDAP authentication: where to store private certificate?

*Hint* check out the kerberos guide: https://community.mcafee.com/docs/DOC-2682#Hints_on_using_LDAPS

It has tips on importing the certificates so the "unknown CA" goes away specifically for LDAPS. You must make sure the CN on the cert matches the LDAP url you put in the GUI.

Best,

Jon

bornheim

Re: LDAP authentication: where to store private certificate?

Hi,

Ok, I checked out the Kerberos guide to get LDAPS working. :-)

And eventually I found the "List of certificate authorities" under "LDAP Specific Parameters".

Interestingly the openssl command does not retrieve two certificates as in your example but only one. It is the certificate of the Domain Controller I am connecting to with LDAPS.

I then had the AD guys send me over their Domain root certificate and imported this under "List of certificate authorities". On a sidenote: this certificate must be exported base64 encoded, not in binary format, for MWG to import it. Open the certificate you got with an editor. If it starts with BEGIN CERTIFICATE it's ok.

Still "Unknown CA" in Wireshark and "LDAP: Failed to connect to server $MYLDAP_SERVER Last error -1" in mwg-core__Auth.debug.log.

Out of desperation I also added the certificate from the openssl command, but to no avail.

Any more hints, please?

Regards,

Robert

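Two things in this thread trip people up before the CA list is even consulted: the exported root certificate must be PEM (base64 with a BEGIN CERTIFICATE header, not the DER binary the Windows export wizard offers first), and the name in the certificate must match the host in the LDAP URL. The script below is an added example, not MWG's or McAfee's code; it normalises a DER or Windows-style PEM export (BOM, CRLF) into clean PEM, counts how many certificates a file holds, and checks a URL's hostname against the names found in a certificate. The `FAKE_DER` blob is constructed here to make the script run offline and is not a real certificate.

```python
"""Pre-flight checks for a CA certificate before importing it into an
LDAPS trust list (added example for this thread; not MWG's own code)."""
import base64
import re
import textwrap
from typing import List
from urllib.parse import urlsplit

# One PEM certificate block; the base64 body may contain CR/LF line breaks.
PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)

# Constructed stand-in for a DER export: an ASN.1 SEQUENCE tag with a
# 256-byte body. Not a real certificate, only used to exercise the code.
FAKE_DER = b"\x30\x82\x01\x00" + bytes(range(256))


def detect_format(data: bytes) -> str:
    """Return 'pem', 'der' or 'unknown' for a certificate export."""
    if PEM_BLOCK.search(data):
        return "pem"
    # A DER-encoded X.509 certificate always starts with SEQUENCE (0x30).
    if data[:1] == b"\x30":
        return "der"
    return "unknown"


def der_to_pem(der: bytes) -> bytes:
    """Wrap raw DER bytes into one PEM CERTIFICATE block with 64-column lines."""
    body = base64.b64encode(der).decode("ascii")
    return (
        b"-----BEGIN CERTIFICATE-----\n"
        + "\n".join(textwrap.wrap(body, 64)).encode("ascii")
        + b"\n-----END CERTIFICATE-----\n"
    )


def pem_to_der(pem: bytes) -> bytes:
    """Decode the first PEM block back to DER (used for a round-trip check)."""
    m = PEM_BLOCK.search(pem)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode(re.sub(rb"\s+", b"", m.group(1)))


def normalise_to_pem(data: bytes) -> bytes:
    """Accept DER, or PEM as Windows writes it (UTF-8 BOM, CRLF), and return
    clean LF-terminated PEM block(s) ready for upload or pasting."""
    fmt = detect_format(data)
    if fmt == "der":
        return der_to_pem(data)
    if fmt == "pem":
        blocks = []
        for m in PEM_BLOCK.finditer(data):
            raw = base64.b64decode(re.sub(rb"\s+", b"", m.group(1)))
            blocks.append(der_to_pem(raw))  # re-wrap drops BOM/CRLF/junk
        return b"".join(blocks)
    raise ValueError("not a DER or PEM certificate")


def count_certificates(pem: bytes) -> int:
    """How many CERTIFICATE blocks a file holds (a chain export has >1)."""
    return len(PEM_BLOCK.findall(pem))


def host_matches(ldap_url: str, cert_names: List[str]) -> bool:
    """True if the URL's host is among the certificate's names (CN plus SAN
    DNS entries), case-insensitive, allowing a single-label '*.' wildcard."""
    host = (urlsplit(ldap_url).hostname or "").lower()
    for name in cert_names:
        name = name.lower()
        if name == host:
            return True
        if (name.startswith("*.") and host.count(".") == name.count(".")
                and host.endswith(name[1:])):
            return True
    return False


if __name__ == "__main__":
    pem = normalise_to_pem(FAKE_DER)
    print(detect_format(FAKE_DER), "->", detect_format(pem),
          count_certificates(pem), "certificate(s)")
    # Hostname and names below are placeholders, not from the thread.
    print(host_matches("ldaps://dc1.example.local:636", ["dc1.example.local"]))
```

Run it against the file the AD team sent you: if `detect_format` says `der`, the wizard's binary option was used and `normalise_to_pem` gives you the base64 form MWG accepts; if `count_certificates` returns 1 for a file that should contain a chain, only the leaf was exported. The name list for `host_matches` comes from `openssl x509 -noout -subject -ext subjectAltName`, and `pem_to_der` lets you confirm the re-wrapped file is byte-identical to the original DER.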
McAfee Employee

Re: LDAP authentication: where to store private certificate?

Hi Robert,

Create a case with a feedback and that capture (don't post it here) and we should be able to solve it quickly. We can also file a FMR for MWG to just retrieve it from the server in the UI rather than going through all this hassle of getting the certs manually.

Best,

Jon
