Active Directory accepts password changes (writes to the unicodePwd attribute) only over an encrypted connection, so an SSL connection to Active Directory (LDAPS, port 636 by default) is required in order to update a user’s password using LDAP. This article describes how to configure and test 389 Directory Server to synchronize with an Active Directory server via an SSL LDAP connection.
Configuring SSL Connection




Testing SSL Connection


First test a plain LDAP bind (port 389), so that the host name and the credentials are verified before SSL is involved:
/usr/lib/mozldap/ldapsearch -b "dc=acme,dc=local" -h server.acme.local -R -D "cn=fds,cn=users,dc=acme,dc=local" -w - "objectclass=*"
Replace the value after -b with your search base, the value after -h with your server host name, and the value after -D with the distinguished name of a user account that has read/write access to your Active Directory server. -w - prompts for the bind password instead of putting it on the command line, where it would be visible in the process list and in the shell history. -R stops ldapsearch from following the referrals Active Directory returns for its other naming contexts when you search from the domain root. Note that this first test is not encrypted, so the password crosses the network in cleartext: run it only from a trusted network and go on to the SSL test below. "objectclass=*" lists every entry under the search base; add -s base if you only want to confirm that the bind works.


Then repeat the same search over SSL:
/usr/lib/mozldap/ldapsearch -b "dc=acme,dc=local" -h server.acme.local -R -D "cn=fds,cn=users,dc=acme,dc=local" -w - -Z -P /etc/dirsrv/slapd-mail "objectclass=*"
-Z switches to SSL (LDAPS, port 636), and -P points at the configuration directory of your 389 Directory Server instance, which holds the NSS certificate database (cert8.db and key3.db) that ldapsearch uses to verify the Active Directory server certificate. The CA certificate that issued the Active Directory server certificate must already be in that database. Replace the value after -P with the path of your own instance.
If both tests succeed, you can use an SSL connection to synchronize with Active Directory.
Troubleshooting
If the output from the tests above contains one of the messages below, check the matching item.
- Invalid credentials
Check the distinguished name of the user account after the -D option and the bind password for it. To look up the distinguished name, bind with the down-level DOMAIN\user name instead, which Active Directory also accepts for a simple bind:
/usr/lib/mozldap/ldapsearch -b "dc=acme,dc=local" -h server.acme.local -R -D "ACME\fds" -w - "samaccountname=fds" distinguishedName
Replace ACME with your own domain and fds with your own user name. The output is the distinguished name of the user you specified; use that value after -D.
- Invalid function argument
The host name you specified after -h is invalid or does not resolve.
- TCP connection reset by peer
Check that the host name after -h is correct, that the port (636 for SSL) is open and not blocked by a firewall, and that SSL is configured properly on the Active Directory server.
- security library: bad database
Make sure SSL is enabled in 389 Directory Server, so that the certificate database exists, and check the path you specified after -P.
- Encountered end of file
The Active Directory server closed the connection during the SSL handshake, usually because it has no usable server certificate yet. After installing the certificate in Active Directory, you probably did not reboot the server; reboot it to complete the change and run the test again. The certificate must also carry the Server Authentication purpose and the domain controller’s fully qualified DNS name, otherwise the domain controller will not use it for LDAPS.
- Peer’s Certificate issuer is not recognized
Check that you have imported the CA certificate that issued the Active Directory server certificate into the 389 Directory Server certificate database.
- Peer’s Certificate has expired
Make sure the system clock is synchronized between the Linux server and the Active Directory server, then check the certificate itself; it may indeed be expired.
- Peer’s certificate issuer has been marked as not trusted by the user
The CA certificate is present, but its trust setting does not allow it to validate server certificates. Check the trust flags you set on the CA certificate in the 389 Directory Server certificate database: "Making connections to other servers" (the C flag in the SSL column of the certificate list) must be enabled.
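The following shell script is added here as an example and is not part of the original article. It automates the two ldapsearch tests above and maps the error messages in this list to their hints; it also checks the trust flags of the imported CA certificate with the NSS certutil tool and fetches the domain controller’s certificate with openssl, so that clock and expiry problems can be told apart from trust problems. The ldapsearch path, the instance directory /etc/dirsrv/slapd-mail, the CA nickname "AD CA" and the acme.local names are assumptions taken from the article’s examples or chosen for illustration; adjust them to your setup.

```shell
#!/bin/sh
# check_ad_ldaps.sh: run the plain and the SSL ldapsearch test from the
# article and translate ldapsearch errors into the troubleshooting hints.
# Added example, not part of the original article. The paths, the CA
# nickname and the example names below are assumptions; override them
# through the environment or edit them.

LDAPSEARCH=${LDAPSEARCH:-/usr/lib/mozldap/ldapsearch}
CERTDB=${CERTDB:-/etc/dirsrv/slapd-mail}   # 389 DS instance dir (cert8.db/key3.db)
CA_NICK=${CA_NICK:-"AD CA"}               # nickname the AD CA cert was imported under

# diagnose: read ldapsearch's stderr from stdin and print the hint for the
# first matching message from the article's troubleshooting list.
diagnose() {
    msg=$(cat)
    case "$msg" in
        *"Invalid credentials"*)       echo "check the bind DN after -D and its password" ;;
        *"Invalid function argument"*) echo "host name after -h is invalid or does not resolve" ;;
        *"connection reset by peer"*)  echo "check host name, that port 636 is open and SSL is configured on the DC" ;;
        *"bad database"*)              echo "SSL not enabled in 389 DS or wrong -P path ($CERTDB)" ;;
        *"end of file"*)               echo "DC has no usable server certificate yet; reboot it after installing one" ;;
        *"issuer is not recognized"*)  echo "import the AD CA certificate into $CERTDB" ;;
        *"has expired"*)               echo "check clock sync on both hosts, then the certificate's expiry date" ;;
        *"not trusted by the user"*)   echo "set the C (SSL CA) trust flag on '$CA_NICK' in $CERTDB" ;;
        "")                            echo "no error output" ;;
        *)                             echo "unrecognised error: $msg" ;;
    esac
}

# ca_trust_ok NICK: read `certutil -L` output from stdin and succeed only if
# NICK is listed with the C flag in the SSL column, i.e. it is trusted to
# issue server certificates ("making connections to other servers").
ca_trust_ok() {
    awk -v n="$1" '
        NF == 0 { next }
        { flags = $NF; $NF = ""; name = $0; sub(/[ \t]+$/, "", name) }
        name == n { split(flags, f, ","); if (index(f[1], "C")) ok = 1 }
        END { if (ok) exit 0; exit 1 }'
}

# dc_cert HOST: show subject, issuer and validity of the certificate the DC
# presents on 636, via openssl and independent of the NSS database.
dc_cert() {
    openssl s_client -connect "$1:636" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -subject -issuer -dates
}

# run_test MODE HOST BASE BINDDN: the article's search, restricted to the
# search base entry (-s base). MODE is "plain" or "ssl". Returns the
# ldapsearch exit status; its stderr is left in $ERR. -w - prompts on the tty.
run_test() {
    mode=$1; host=$2; base=$3; binddn=$4
    set -- -b "$base" -h "$host" -R -D "$binddn" -w - -s base
    if [ "$mode" = ssl ]; then set -- "$@" -Z -P "$CERTDB"; fi
    ERR=$("$LDAPSEARCH" "$@" "objectclass=*" dn 2>&1 >/dev/null)
}

main() {
    host=$1; base=$2; binddn=$3
    echo "== trust flags of '$CA_NICK' in $CERTDB"
    if certutil -d "$CERTDB" -L | ca_trust_ok "$CA_NICK"; then
        echo "ok"
    else
        echo "missing or not trusted for SSL; import or fix the flags with:"
        echo "  certutil -d $CERTDB -A -n '$CA_NICK' -t 'CT,,' -a -i ad-ca.pem"
        echo "  certutil -d $CERTDB -M -n '$CA_NICK' -t 'CT,,'"
    fi
    echo "== certificate presented by $host:636"
    dc_cert "$host" || echo "no certificate received (port closed, or DC not restarted after installing one)"
    for mode in plain ssl; do
        echo "== $mode test"
        if run_test "$mode" "$host" "$base" "$binddn"; then
            echo "ok"
        else
            echo "failed: $(printf '%s' "$ERR" | diagnose)"
        fi
    done
}

# Only run when called with arguments, for example:
#   ./check_ad_ldaps.sh server.acme.local dc=acme,dc=local cn=fds,cn=users,dc=acme,dc=local
if [ $# -eq 3 ]; then main "$@"; fi
```

The script keeps the article’s -w - so the password is typed at the prompt rather than passed on the command line, and it uses -s base so a successful test does not dump the whole domain. The plain test still sends the password unencrypted; run it from a trusted network only.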