3 Replies Latest reply on Dec 6, 2013 6:56 PM by Jon Scholten

    LDAP authentication: where to store private certificate?

    bornheim

      Hi,

       

      I have a working rule set for LDAP authentication against our AD servers (don't hint at Kerberos for the moment, please :-)

      I would like to make that an LDAPS connection, but the certificates are self-signed. With Wireshark I see that MWG terminates the negotiation with "Unknown CA".

       

      Where in MWG do I need to store our private CA for LDAP usage?

       

      Regards,

      Robert

        • 1. Re: LDAP authentication: where to store private certificate?
          Jon Scholten

          *Hint* check out the kerberos guide: https://community.mcafee.com/docs/DOC-2682#Hints_on_using_LDAPS

           

          It has tips on importing the certificates so the "unknown CA" goes away specifically for LDAPS. You must make sure the CN on the cert matches the LDAP url you put in the GUI.

           

          Best,

          Jon

          • 2. Re: LDAP authentication: where to store private certificate?
            bornheim

            Hi,

             

            Ok, I checked out the Kerberos guide to get LDAPS working. :-)

             

            And eventually I found the "List of certificate authorities" under "LDAP Specific Parameters".

             

            Interestingly the openssl command does not retrieve two certificates as in your example but only one. It is the certificate of the Domain Controller I am connecting to with LDAPS.

             

            I then had the AD guys send me over their Domain root certificate and imported this under "List of certificate authorities". On a side note: this certificate must be exported base64-encoded, not in binary format, for MWG to import it. Open the certificate you got with an editor. If it starts with BEGIN CERTIFICATE it's ok.

             

            Still "Unknown CA" in Wireshark and "LDAP: Failed to connect to server $MYLDAP_SERVER Last error -1" in mwg-core__Auth.debug.log

             

            Out of desperation I also added the certificate from the openssl command, but to no avail.

             

            Any more hints, please?

             

            Regards,

            Robert
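
The two checks that come up in the replies above, the PEM-versus-binary export format and the CN on the server certificate matching the host in the LDAP URL, can be done outside MWG before touching the GUI. The following is an added example (my code, not from the original thread, not part of MWG, and not the `openssl` command Robert refers to); it uses only the Python standard library. The LDAP URL `ldaps://dc1.ad.example.com` and the certificate dict `SAMPLE_DC_CERT` are constructed for illustration, and `verify_ldaps_trust` is the only part that needs a live domain controller.

```python
"""Pre-flight checks for an LDAPS trust configuration (stdlib only).

Added example; the hostnames, URL and SAMPLE_DC_CERT below are constructed.
"""
import ipaddress
import socket
import ssl
from urllib.parse import urlparse

PEM_HEADER = "-----BEGIN CERTIFICATE-----"

# Constructed: the shape ssl.SSLSocket.getpeercert() returns for a DC cert.
SAMPLE_DC_CERT = {
    "subject": ((("commonName", "dc1.ad.example.com"),),),
    "subjectAltName": (("DNS", "dc1.ad.example.com"), ("DNS", "ad.example.com")),
}


def ldap_host_port(ldap_url, default_port=636):
    """Hostname and port from an LDAP URL as typed into the MWG GUI."""
    parsed = urlparse(ldap_url)
    if parsed.scheme not in ("ldap", "ldaps") or not parsed.hostname:
        raise ValueError(f"not an LDAP URL: {ldap_url!r}")
    return parsed.hostname, parsed.port or default_port


def is_pem_certificate(data):
    """True when the export is base64 (PEM): it starts with BEGIN CERTIFICATE."""
    text = data.decode("ascii", errors="ignore") if isinstance(data, bytes) else data
    return text.lstrip().startswith(PEM_HEADER)


def to_pem(data):
    """Return PEM text for a PEM or binary (DER) export.

    A DER file is re-encoded with ssl.DER_cert_to_PEM_cert; that call only
    base64-wraps the bytes, it does not validate that they are a certificate.
    """
    if is_pem_certificate(data):
        return data.decode("ascii") if isinstance(data, bytes) else data
    if isinstance(data, str):
        raise ValueError("text input that is not a PEM certificate")
    return ssl.DER_cert_to_PEM_cert(data)


def _dns_name_match(pattern, hostname):
    """Case-insensitive DNS match; a single '*' is allowed as the left-most label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_hostname(cert, hostname):
    """Does the certificate cover the host from the LDAP URL?

    Takes a dict in the shape returned by ssl.SSLSocket.getpeercert().
    IP hosts must appear as an "IP Address" SAN; when any DNS SAN is present
    it takes precedence and the CN is ignored; otherwise the CN is used.
    """
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        return any(k == "IP Address" and ipaddress.ip_address(v) == ip for k, v in sans)
    dns_names = [v for k, v in sans if k == "DNS"]
    if dns_names:
        return any(_dns_name_match(n, hostname) for n in dns_names)
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_name_match(c, hostname) for c in cns)


def fetch_leaf_certificate(ldap_url):
    """PEM of the server's own certificate; like s_client this does not return the CA."""
    host, port = ldap_host_port(ldap_url)
    return ssl.get_server_certificate((host, port))


def verify_ldaps_trust(ldap_url, ca_pem_path):
    """Full TLS handshake trusting only ca_pem_path, i.e. what MWG has to do.

    Raises ssl.SSLCertVerificationError when the CA file cannot validate the
    chain (the Python-side counterpart of the "Unknown CA" alert) and returns
    True only if the chain verifies and the name matches the URL host.
    """
    host, port = ldap_host_port(ldap_url)
    ctx = ssl.create_default_context(cafile=ca_pem_path)
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return cert_matches_hostname(tls.getpeercert(), host)


if __name__ == "__main__":
    # Offline demonstration on the constructed data.
    url = "ldaps://dc1.ad.example.com"
    host, _ = ldap_host_port(url)
    print("CN/SAN matches URL host:", cert_matches_hostname(SAMPLE_DC_CERT, host))
    print("Binary export converted:", to_pem(b"\x30\x82\x01\x00").splitlines()[0])
```

Run `verify_ldaps_trust("ldaps://<your DC>", "ad-root.pem")` with the base64 root certificate you intend to import; if it raises a verification error here, MWG will fail for the same reason, and you can compare the PEM from `fetch_leaf_certificate` against the root to see whether an intermediate CA is missing from the file.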

            • 3. Re: LDAP authentication: where to store private certificate?
              Jon Scholten

              Hi Robert,

               

              Create a case with a feedback and that capture (don't post it here) and we should be able to solve it quickly. We can also file a FMR for MWG to just retrieve it from the server in the UI rather than going through all this hassle of getting the certs manually.

               

              Best,

              Jon