I hate troubleshooting SSL but here it goes...

First, have you installed the Cert Chain on the machine you are querying AD from?

Second, is the DNS name of the DC you are querying exactly what is in the DC's cert?

I don't think you need anything open other than 636. The way the MSFT LDAP API works, if you specify 636 it will attempt an SSL connection even if not explicitly specified; however, try adding the -ssl switch to adfind.

The main thing you want to do is get a trace and see where it is failing. The sequence will be something like
Client -> Server  TCP LDAPS    SYN
Server -> Client  TCP LDAPS    SYN, ACK
Client -> Server  TCP LDAPS    ACK
Client -> Server  SSLv2 LDAPS  Client Hello
Server -> Client  TCP LDAPS    one or more packets in response
Client -> Server  TCP LDAPS    ACK
Server -> Client  TCP LDAPS    one or more packets
Server -> Client  TLS LDAPS    Server Hello, Certificate, Certificate Request, Server Hello Done
Client -> Server  TCP LDAPS    ACK
Client -> Server  TLS LDAPS    Certificate, Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
Server -> Client  TLS LDAPS    Change Cipher Spec, Encrypted Handshake Message

...then you will see TLS Application Data packets...
Now if you don't have the DNS hostname right or don't have the Cert chain on the local machine you will see (or at least I always recall seeing) something like
Client -> Server  TCP LDAPS    SYN
Server -> Client  TCP LDAPS    SYN, ACK
Client -> Server  TCP LDAPS    ACK
Client -> Server  SSLv2 LDAPS  Client Hello
Server -> Client  TCP LDAPS    one or more packets in response
Client -> Server  TCP LDAPS    ACK
Server -> Client  TCP LDAPS    one or more packets
Server -> Client  TLS LDAPS    Server Hello, Certificate, Certificate Request, Server Hello Done
Client -> Server  TCP LDAPS    ACK
Client -> Server  TCP LDAPS    RST, ACK
I could easily be wrong as I am not an SSL kind of guy, but I am not positive whether the CRL is required for this communication. I know I have seen this work without a current or in fact any CRL from the authority on the client side.
joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Thommes, Michael M.
Sent: Tuesday, August 22, 2006 7:19 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Secure LDAP queries from the outside

Hi,

We are trying to set up secure LDAP queries from the outside to AD for pulling
email addresses but are running into an issue. Port 636 has been opened up to
our DCs but we get a 0x51 error like the one shown below in this example of
using “adfind”:

adfind -h dc1.abc.com:636 -u [EMAIL PROTECTED] -up * -default -nodn -f sn=thommes extensionAttribute2

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

LDAP_BIND: [rhino221.anl.gov] Error 0x51 (81) - Server Down
Terminating program.

(extensionAttribute2 is used for email address)

Portqry shows that the DC is listening on port 636. Using “ldp”, the bind
operation seems to want to default to port 389 (which is not open). It works
fine behind our firewall. Is there some other port that needs to be open
(besides 389)? Or maybe some security feature (we are running w2k3/sp1 on our
DCs) that is getting in the way? Any help is appreciated!

TIA,
Mike Thommes
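Added example, not part of this thread and not AdFind's code: a standard-library Python probe that walks Joe's checklist in order (TCP to 636, then a fully verified TLS handshake) and reports which of the three things failed: the port, the CA chain on the querying machine, or the name you connected to versus the name in the DC's certificate. The host name dc1.abc.com is taken from Mike's command; the sample error objects are constructed for illustration, and the message substrings the classifier matches are the usual OpenSSL verify messages, an assumption about the local OpenSSL build rather than something either post states.

```python
"""
LDAPS trust probe (added example; not from the ActiveDir thread).

Separates the failure points in Joe's reply before you reach for a trace:
  tcp       -> nothing answers on 636 (firewall/DNS), the adfind 0x51 case
  chain     -> the DC's issuer is not trusted here: install the CA chain
  hostname  -> the name used to connect is not in the DC's certificate
  ok        -> handshake completed; the cert's names are printed
"""
import socket
import ssl
import sys


def classify_error(exc):
    """Map an exception from connect_ldaps() to the bucket it implies.

    ASSUMPTION: the substrings are the usual OpenSSL verify messages; a
    different TLS build may word them differently.
    """
    msg = str(exc)
    if isinstance(exc, ssl.SSLCertVerificationError):
        if "Hostname mismatch" in msg or "doesn't match" in msg:
            return "hostname"   # DNS name used != name in the DC's cert
        return "chain"          # issuer not trusted on this machine
    if isinstance(exc, ssl.SSLError):
        return "tls"            # handshake failed for some other reason
    if isinstance(exc, OSError):
        return "tcp"            # refused, timed out, unreachable, no DNS
    return "other"


def connect_ldaps(host, port=636, cafile=None, timeout=5.0):
    """TCP connect, then a verified TLS handshake, as an LDAPS client does.

    cafile=None uses the OS trust store; pass the exported CA chain (PEM)
    to answer "is the chain installed?" without touching the store.
    Returns a dict whose 'stage' is 'ok' or a classify_error() bucket.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {
                    "stage": "ok",
                    "protocol": tls.version(),
                    "subject": dict(rdn[0] for rdn in cert.get("subject", ())),
                    "dns_names": [v for t, v in cert.get("subjectAltName", ())
                                  if t == "DNS"],
                }
    except Exception as exc:  # every failure gets classified, never swallowed
        return {"stage": classify_error(exc), "error": f"{type(exc).__name__}: {exc}"}


# Constructed samples (NOT captured from a real DC) shaped like what the ssl
# module raises in each of the situations discussed in the thread.
SAMPLE_ERRORS = {
    "no_chain": ssl.SSLCertVerificationError(
        1, "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: "
           "unable to get local issuer certificate"),
    "wrong_name": ssl.SSLCertVerificationError(
        1, "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: "
           "Hostname mismatch, certificate is not valid for 'dc1.abc.com'."),
    "port_closed": ConnectionRefusedError(111, "Connection refused"),
}


def classify_samples():
    """Classify the constructed samples; returns {name: bucket}."""
    return {name: classify_error(exc) for name, exc in SAMPLE_ERRORS.items()}


def closed_local_port():
    """Find a loopback port nobody listens on (bind to 0, read it, release)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    for name, bucket in classify_samples().items():
        print(f"{name:12s} -> {bucket}")
    if len(sys.argv) > 1:   # python ldaps_probe.py dc1.abc.com [chain.pem]
        cafile = sys.argv[2] if len(sys.argv) > 2 else None
        print(connect_ldaps(sys.argv[1], cafile=cafile))
```

Run it from the outside machine as `python ldaps_probe.py dc1.abc.com`, optionally with the exported CA chain PEM as a second argument. A `tcp` result means the 0x51 "Server Down" is the firewall or DNS and no certificate work will change it; `chain` means install the CA chain on the querying machine; `hostname` means query the DC by the exact name in its certificate, and a successful run prints the subject and DNS SANs so you can see which name that is.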