Friday, May 16, 2014

Setting up SSL for Solaris 11 LDAP client (changing AD password from Solaris)

I have been using LDAP for our authentication for years, and LDAP against Active Directory for about 3 years, but this was always over plain ldap, so I thought I would start looking at SSL.

This blog entry will look at the initial setup and how you can talk to the AD server over SSL. The information here is nothing new and is all covered in the references, but I hope this shorter version helps.

References:

Key:
  • Windows 2008 R2 Server = testdc01
  • AD Domain = testforest.dcs.bbk.ac.uk
  • Admin User = cn=admin,ou=users,dc=testforest,dc=dcs,dc=bbk,dc=ac,dc=uk
  • Normal User = cn=auser,ou=users,dc=testforest,dc=dcs,dc=bbk,dc=ac,dc=uk

Import the Windows/AD CA Certificate

Retrieve an Active Directory Certificate using LDAP
# ldapsearch -h testdc01.testforest.dcs.bbk.ac.uk -D "cn=admin,ou=users,dc=testforest,dc=dcs,dc=bbk,dc=ac,dc=uk" -wAdminPassword  -b "cn=configuration,dc=testforest,dc=dcs,dc=bbk,dc=ac,dc=uk" "cacertificate=*"
Several entries will match the search filter. You need the entry that has cn=Certification Authorities,cn=Public Key Services in its DN.
Save the value of its cACertificate attribute so that none of the lines start with white space (ldapsearch folds long values onto continuation lines that begin with a single space; join those back onto the line above).
Add -----BEGIN CERTIFICATE----- before the first line and -----END CERTIFICATE----- after the last line. See the following example:
-----BEGIN CERTIFICATE-----
MIIDvjCCA2igAwIBAgIQDgoyk+Tu14NGoQnxhmNHLjANBgk
qhkiG9w0BAQUFADCBjjEeMBwGCSqGSIb3DQEJARYPYmVydG
.......
BgkqhkiG9w0BAQUFAANBAL5R9R+ONDdVHWu/5Sd9Tn9dpxN
8oegjS88ztv1HD6XSTDzGTuaaVebSZV3I+ghSInsgQbH0gW
4fGRwaIBvePI4=
-----END CERTIFICATE-----
Save the certificate into a file (such as /var/ldap/ad-cert.txt).
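The two fiddly parts of the step above are the folded continuation lines in the ldapsearch output and the base64/PEM wrapping. The following is an added example, not code from the blog post: it unfolds an LDIF record, picks the entry under CN=Certification Authorities,CN=Public Key Services, decodes the base64 cACertificate value and writes it as PEM with the standard library's ssl.DER_cert_to_PEM_cert. The ldapsearch output and the certificate bytes are constructed placeholders (FAKE_DER is not a real DER certificate), so the script runs offline; point write_ca_pem at real ldapsearch output to produce /var/ldap/ad-cert.txt.

```python
import base64
import ssl


def fold_ldif_line(line, width=76):
    """Fold one logical LDIF line the way ldapsearch prints long values: the
    first physical line is at most `width` characters and every continuation
    line starts with a single space."""
    pieces = [line[:width]]
    rest = line[width:]
    while rest:
        pieces.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(pieces)


# Constructed placeholder for the DER bytes of the CA certificate. It is NOT a
# real certificate; it only exercises the base64 / PEM handling.
FAKE_DER = b"PLACEHOLDER: not a real DER certificate, constructed for this example only."

# Constructed stand-in for the output of
#   ldapsearch ... -b "cn=configuration,..." "cacertificate=*"
# Two entries match; only the one under "Certification Authorities" is wanted.
SAMPLE_LDIF = "\n".join([
    "version: 1",
    fold_ldif_line("dn: CN=DCS-CA,CN=Certification Authorities,CN=Public Key Services,"
                   "CN=Services,CN=Configuration,DC=testforest,DC=dcs,DC=bbk,DC=ac,DC=uk"),
    "objectClass: certificationAuthority",
    fold_ldif_line("cACertificate:: " + base64.b64encode(FAKE_DER).decode("ascii")),
    "",
    fold_ldif_line("dn: CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,"
                   "DC=testforest,DC=dcs,DC=bbk,DC=ac,DC=uk"),
    "objectClass: container",
    "",
])


def unfold_ldif(text):
    """Split LDIF text into records (lists of logical lines), joining the
    continuation lines that start with a space back onto the line above."""
    records, current = [], []
    for raw in text.splitlines():
        if raw.startswith(" ") and current:
            current[-1] += raw[1:]
        elif raw == "":
            if current:
                records.append(current)
                current = []
        else:
            current.append(raw)
    if current:
        records.append(current)
    return records


def ca_certificates(text):
    """Return [(dn, der_bytes)] for every entry whose DN sits under
    'CN=Certification Authorities,CN=Public Key Services' and that carries a
    base64-encoded ('::') cACertificate value."""
    found = []
    for record in unfold_ldif(text):
        dn, attrs = None, {}
        for line in record:
            if line.startswith("dn: "):
                dn = line[len("dn: "):]
            elif ":: " in line:
                name, value = line.split(":: ", 1)
                attrs[name.lower()] = base64.b64decode(value)
        if (dn and "cn=certification authorities,cn=public key services" in dn.lower()
                and "cacertificate" in attrs):
            found.append((dn, attrs["cacertificate"]))
    return found


def der_to_pem(der):
    """Wrap DER bytes in the BEGIN/END CERTIFICATE armour: base64 lines of 64
    characters with no leading whitespace, which is what certutil and openssl
    expect to read."""
    return ssl.DER_cert_to_PEM_cert(der)


def write_ca_pem(text, path):
    """Write the first matching CA certificate from ldapsearch output as PEM
    and return the PEM text."""
    certs = ca_certificates(text)
    if not certs:
        raise ValueError("no cACertificate under CN=Certification Authorities found")
    pem = der_to_pem(certs[0][1])
    with open(path, "w") as fh:
        fh.write(pem)
    return pem


if __name__ == "__main__":
    # With real data: write_ca_pem(open("ldapsearch-output.ldif").read(), "/var/ldap/ad-cert.txt")
    print(write_ca_pem(SAMPLE_LDIF, "/tmp/ad-cert.txt"))
```

Because an LDAP client will trust whatever ends up in this file as a CA, compare the subject and fingerprint of the resulting PEM (openssl x509 -noout -subject -fingerprint) with what the Windows CA console shows before importing it with certutil.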


Verify that the certificate file is OK with OpenSSL
# openssl x509 -in /var/ldap/ad-cert.txt -subject -issuer -purpose
subject= /DC=uk/DC=ac/DC=bbk/DC=dcs/DC=testforest/CN=DCS-CA
issuer= /DC=uk/DC=ac/DC=bbk/DC=dcs/DC=testforest/CN=DCS-CA
Certificate purposes:
SSL client : Yes
SSL client CA : Yes
SSL server : Yes
SSL server CA : Yes
Netscape SSL server : No
Netscape SSL server CA : Yes
S/MIME signing : Yes
S/MIME signing CA : Yes
S/MIME encryption : No
S/MIME encryption CA : Yes
CRL signing : Yes
CRL signing CA : Yes
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : Yes
Time Stamp signing : No
Time Stamp signing CA : Yes
-----BEGIN CERTIFICATE-----
MIIDzDCCArSgAwIBAgIQIOB/Q8ir3ZxCiGwKK+XZ6TANBgkqhkiG9w0BAQUFADBu
.........
v/x5sSK2HE5hTrxWLfkKgw==
-----END CERTIFICATE-----

Import the Root CA Certificate
# certutil -A -n /var/ldap/ad-cert  -t "CT,C,C" -d /var/ldap -i /var/ldap/ad-cert.txt
# ls /var/ldap
cachemgr.log      cert8.db          key3.db           ldap_client_cred  ldap_client_file  restore           secmod.db         ad-cert.txt
# certutil -L -d /var/ldap
Certificate Nickname                               Trust Attributes
SSL,S/MIME,JAR/XPI
/var/ldap/ad-cert                                  CT,C,C


# chmod a+r /var/ldap/*.db
# openssl s_client -connect testdc01.testforest.dcs.bbk.ac.uk:636 -CAfile /var/ldap/ad-cert.txt  < /dev/null
CONNECTED(00000004)
depth=1 DC = uk, DC = ac, DC = bbk, DC = dcs, DC = testforest, CN = DCS-CA
verify return:1
depth=0 CN = TESTDC01.testforest.dcs.bbk.ac.uk
verify return:1
---
Certificate chain
 0 s:/CN=TESTDC01.testforest.dcs.bbk.ac.uk
   i:/DC=uk/DC=ac/DC=bbk/DC=dcs/DC=testforest/CN=DCS-CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIF7DCCBNSgAwIBAgIKIKk/ugAAAAAAIzANBgkqhkiG9w0BAQUFADBuMRIwEAYK
...........v+FaKQLgQK0RPoXnzAt
48c4TiBzQTQjGG/rOdLf3oXM+9JUSKVZCtcIukKAHyU=
-----END CERTIFICATE-----
subject=/CN=TESTDC01.testforest.dcs.bbk.ac.uk
issuer=/DC=uk/DC=ac/DC=bbk/DC=dcs/DC=testforest/CN=DCS-CA
---
Acceptable client certificate CA names
/CN=TESTDC01.testforest.dcs.bbk.ac.uk
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
/OU=Copyright (c) 1997 Microsoft Corp./OU=Microsoft Corporation/CN=Microsoft Root Authority
/DC=com/DC=microsoft/CN=Microsoft Root Certificate Authority
/DC=uk/DC=ac/DC=bbk/DC=dcs/DC=testforest/CN=DCS-CA
/CN=NT AUTHORITY
---
SSL handshake has read 2286 bytes and written 444 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Session-ID: 95.........547
    Session-ID-ctx:
    Master-Key: CB......8E38B
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1400255785
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
DONE

#
Now let's see if it all works.
# ldapsearch  -h testdc01.testforest.dcs.bbk.ac.uk -p 636 -Z -P /var/ldap -b "dc=testforest,dc=dcs,dc=bbk,dc=ac,dc=uk" -D "CN=auser,OU=users,dc=testforest,DC=dcs,DC=bbk,DC=ac,DC=uk" -w AUserPassword "samaccountname=auser" uidNumber
version: 1
dn: CN=auser,OU=users,DC=testforest,DC=dcs,DC=bbk,DC=ac,DC=uk
uidNumber: 24837

Change a User's Password

Now, using the method from "Changing Active Directory passwords via LDAP using PHP", you can change a user's password from Solaris.
# cat testdelete.ldif
dn: CN=auser,OU=users,DC=testforest,DC=dcs,DC=bbk,DC=ac,DC=uk
changetype: modify
replace: unicodePwd
unicodePwd:: IgBCADEFeAByAGMaMwB2dDQXYgA1AdiA
#

# /usr/bin/ldapmodify -r -h testdc01.testforest.dcs.bbk.ac.uk -Z -P /var/ldap -D "cn=admin,ou=users,dc=testforest,dc=dcs,dc=bbk,dc=ac,dc=uk" -wAdminPassword -f testdelete.ldif
modifying entry CN=auser,OU=users,DC=testforest,DC=dcs,DC=bbk,DC=ac,DC=uk
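The unicodePwd value in the LDIF above is the new password wrapped in double quotes, encoded as UTF-16LE and then base64-encoded for the LDIF "::" syntax; Active Directory only accepts writes to this attribute over an encrypted (SSL/TLS) connection, which is why the SSL setup earlier is a prerequisite. The following is an added example, not code from the blog post or the PHP article it refers to: it produces that value, generates both the administrative "replace" form used above and the self-service "delete old, add new" form that AD requires when a user changes their own password, and decodes a generated file so it can be checked before it is handed to ldapmodify. The DN and the sample passwords are constructed; only the standard library is used.

```python
import base64


def unicode_pwd_value(password):
    """Encode a cleartext password the way Active Directory's unicodePwd
    attribute requires: the password wrapped in double quotes, as UTF-16LE,
    then base64 so it can follow the '::' in an LDIF file."""
    quoted = '"' + password + '"'
    return base64.b64encode(quoted.encode("utf-16-le")).decode("ascii")


def decode_unicode_pwd(value):
    """Reverse of unicode_pwd_value, used here to sanity-check an LDIF file
    before sending it. Raises ValueError if the quoting convention is broken."""
    text = base64.b64decode(value).decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("unicodePwd value is not a double-quoted UTF-16LE string")
    return text[1:-1]


def reset_password_ldif(dn, new_password):
    """Administrative reset (the form testdelete.ldif in the post uses): a
    single 'replace' of unicodePwd, bound as an account that holds the
    Reset Password right on the user object."""
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: unicodePwd",
        f"unicodePwd:: {unicode_pwd_value(new_password)}",
        "",
    ])


def self_change_password_ldif(dn, old_password, new_password):
    """Self-service change, bound as the user: AD requires a delete of the old
    value and an add of the new value inside the same modify operation, and
    applies the domain password policy to it. The '-' lines separate the two
    modifications within one LDIF change record."""
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "delete: unicodePwd",
        f"unicodePwd:: {unicode_pwd_value(old_password)}",
        "-",
        "add: unicodePwd",
        f"unicodePwd:: {unicode_pwd_value(new_password)}",
        "-",
        "",
    ])


def verify_ldif_passwords(ldif_text):
    """Decode every 'unicodePwd::' line in an LDIF string and return the
    cleartext values, so a generated file can be checked before ldapmodify."""
    out = []
    for line in ldif_text.splitlines():
        if line.startswith("unicodePwd:: "):
            out.append(decode_unicode_pwd(line[len("unicodePwd:: "):]))
    return out


if __name__ == "__main__":
    import os
    import tempfile

    # Constructed DN and password, matching the post's naming scheme.
    dn = "CN=auser,OU=users,DC=testforest,DC=dcs,DC=bbk,DC=ac,DC=uk"
    ldif = reset_password_ldif(dn, "P@ssw0rd")
    # The file holds the password in a reversible encoding: create it mode 0600
    # and delete it once ldapmodify -f has consumed it.
    fd, path = tempfile.mkstemp(suffix=".ldif")
    os.fchmod(fd, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(ldif)
    print(path)
    print(ldif)
```

The generated file is used exactly like the post's testdelete.ldif with ldapmodify -Z -P /var/ldap ... -f; for the self-service form, bind as the user (-D with the user's own DN) rather than as the admin account.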
