LDAPS to new domain controller
-
I've got LDAPS over SSL (636) working on an old domain controller. I've transferred FSMO to a new domain controller, and I'm trying to get LDAPS working on it so that I can retire the old DC. I've created a new CA in pfSense (2.4.4-Release) and a new certificate with cn that matches the hostname of the new DC. I've exported both the CA and client certs, and I've imported the CA into Trusted Root Certs and client cert into Personal certs using mmc.exe.
When I test authentication against the new DC (I created a new Auth server just for this, with the same settings as the old auth server but pointed to the new server) I can see the traffic come in, but pfSense sends the DC a message about an unknown CA.
If I use OpenSSL to test the connection to 636, I can see the correct certificates in use by DC02. What have I missed? Using StartTLS or SSL doesn't matter...same error.
One difference between old and new is that the old server (SBS 2011) had certificate authority role installed by default. However, there don't seem to be any issued certs that have anything to do with this. What am I missing?
-
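The two checks behind the symptoms in the question (pfSense rejecting the DC's certificate as coming from an unknown CA, and the DC certificate needing to carry the hostname pfSense is told to connect to), reproduced offline as an added example. This is not code from the thread, from pfSense or from Windows; it builds its own throwaway CAs and certificates with the openssl CLI, and every name in it (pfsense-ca, sbs-ca, dc02.example.local, dc01.example.local) is made up for the demonstration. The `probe_dc` function wraps the `openssl s_client` test against a live DC and is included for reference only, since it needs network access.

```shell
#!/bin/sh
# Added example, not from the forum thread. Reproduces offline what a TLS
# client such as pfSense checks on the DC's LDAPS certificate: does it chain
# to a CA the client trusts, and does it carry the hostname being connected to.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed CA certificate and key in $WORK. basicConstraints
# is set explicitly so the result is a usable trust anchor on any OpenSSL version.
make_ca() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/$1.ext"
  openssl x509 -req -days 30 -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
    -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# issue_cert CA NAME HOSTNAME: server certificate signed by CA, with the
# hostname in both CN and SAN (modern clients match against SAN, not only CN).
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$3" > "$WORK/$2.ext"
  openssl x509 -req -days 30 -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -set_serial "0x$(openssl rand -hex 8)" -extfile "$WORK/$2.ext" \
    -out "$WORK/$2.crt" >/dev/null 2>&1
}

# verify_chain CAFILE CERT HOSTNAME: prints "ok" when CERT chains to CAFILE
# and matches HOSTNAME, otherwise OpenSSL's reason. A DC certificate issued by
# a CA the client does not trust shows up as "unable to get local issuer
# certificate"; in a real handshake the client sends the server an unknown_ca alert.
verify_chain() {
  out=$(openssl verify -CAfile "$1" -verify_hostname "$3" "$2" 2>&1) && { echo ok; return 0; }
  echo "$out" | sed -n 's/.*depth lookup: *//p' | head -n 1
}

# probe_dc HOST PORT CAFILE [starttls]: the same checks against a live DC.
# Needs network, so it is defined but not run here. -verify_return_error turns
# an untrusted chain into a handshake failure instead of a warning.
probe_dc() {
  host=$1; port=$2; cafile=$3; mode=${4:-ldaps}
  extra=""
  [ "$mode" = starttls ] && extra="-starttls ldap"   # port 389 + STARTTLS
  # shellcheck disable=SC2086
  openssl s_client -connect "$host:$port" -servername "$host" -verify_hostname "$host" \
    -CAfile "$cafile" -verify_return_error $extra </dev/null
}

# Constructed scenario: the CA created in pfSense, and a second CA standing in
# for the old SBS 2011 enterprise CA that issued certificates nobody expected.
make_ca pfsense-ca
make_ca sbs-ca
issue_cert pfsense-ca dc02     dc02.example.local
issue_cert sbs-ca     dc02-sbs dc02.example.local

echo "dc02, pfSense CA, right host:   $(verify_chain "$WORK/pfsense-ca.crt" "$WORK/dc02.crt"     dc02.example.local)"
echo "dc02, SBS CA, right host:       $(verify_chain "$WORK/pfsense-ca.crt" "$WORK/dc02-sbs.crt" dc02.example.local)"
echo "dc02, pfSense CA, wrong host:   $(verify_chain "$WORK/pfsense-ca.crt" "$WORK/dc02.crt"     dc01.example.local)"
```

The middle case is the one from the question: the DC serves a certificate that is perfectly valid for its own CA (the SBS one) but pfSense only has the pfSense-created CA in its trust store, so the chain cannot be built. The third case is the other common failure when a new DC is brought up under a new name: the certificate is trusted but the name in it does not match the hostname configured on the auth server.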
When making any changes to LDAP certs in pfSense, you should go to the console or connect with ssh and run option 16 and then 11. That will ensure that the PHP environment for LDAP is consistent and complete. Do that, and then test again.
-
@jimp I can't believe that's all it was. Probably should have asked for help about 6 hours ago. While we're here, it only seems to work with SSL (686) and not StartTLS. Is that expected?
-
STARTTLS should work provided you have the right settings (it would be on port 389 with the transport set to STARTTLS). I've seen it work both ways.
The PHP LDAP client is quirky, though, hence the need for that 16/11 dance. There are bugs in PHP which prevent the better-suited methods of setting up LDAP from working, too.
-
Yep, making the change to StartTLS just required the 16/11 trick and it's up and running. Thanks for the hand!