Setting Up Your Application to Bind with Active Directory Using LDAPS

Overview:
This article provides a quick reference guide followed by detailed step-by-step instructions on how to configure your application to bind securely to the kiewit.dartmouth.edu Active Directory (AD) using LDAPS (LDAP over SSL/TLS). To ensure a stable and secure configuration, you will install the root CA certificate rather than the domain controllers' own certificates; the root certificate remains valid across the domain controllers' certificate renewals, which eliminates the need for frequent certificate updates.

Quick Reference Guide for Experienced Users

  1. Ensure your application server can communicate with kiewit.dartmouth.edu on port 636.
  2. Download and install the DigiCert root certificate from this link into your trusted root certificate store.
  3. Configure your application to use LDAPS:
    • Server: kiewit.dartmouth.edu
    • Port: 636
    • Connection Type: SSL/TLS
    • Base DN (if required): dc=kiewit,dc=dartmouth,dc=edu
    • Authentication (if required): Use your application’s service account credentials.
  4. Test the connection to ensure successful binding.

If you need more detailed instructions, please continue reading below.

Detailed Step-by-Step Instructions

Prerequisites:

  • Ensure that your application server can communicate with the kiewit.dartmouth.edu domain controllers on port 636 (the default port for LDAPS).
  • Your application must support LDAPS. Check the application’s documentation for details on how to enable or configure LDAPS.
  • Obtain the root CA certificate that issued the SSL/TLS certificates for the domain controllers. You can download the approved DigiCert root certificate from this link. Your application or operating system may already trust this root certificate.

Step 1: Obtain and Install the Root CA Certificate

To connect securely to AD using LDAPS, it is essential to install the root CA certificate that issued the domain controllers' SSL/TLS certificates. This ensures that your application can trust the SSL/TLS certificates presented by the domain controllers.

  1. Obtain the Root CA Certificate:
    • Download the approved DigiCert root certificate from this link.
    • The root CA certificate is usually provided as a .cer or .crt file.
  2. Install the Root CA Certificate:
    • On the server hosting your application, install the root CA certificate into the trusted root certificate store.
    • Windows:
      • Open Microsoft Management Console (MMC).
      • Add the Certificates snap-in for the Local Computer.
      • Right-click on Trusted Root Certification Authorities > Certificates.
      • Select Import and follow the prompts to import the root CA certificate.
    • Linux:
      • Copy the root CA certificate to the /etc/ssl/certs directory.
      • Update the certificate store by running:
      • sudo update-ca-certificates
    • Other Platforms:
      • Refer to your operating system’s documentation for instructions on how to import the root CA certificate into the trusted certificate store.

Step 2: Configure Your Application to Use LDAPS

With the root CA certificate installed, you can now configure your application to use LDAPS:

  1. Locate LDAP Settings:
    • In your application’s configuration, find the LDAP settings or connection settings section.
  2. Set the LDAP Server to Use LDAPS:
    • Change the LDAP server address to kiewit.dartmouth.edu.
    • Change the port to 636 to ensure the connection uses LDAPS.
    • Ensure that the connection type is set to SSL/TLS or LDAPS, depending on the application’s options.
  3. Specify a Base DN (if required):
    • The Base Distinguished Name (DN) is the starting point in the directory from which the application will search for user objects.
    • Example Base DN: dc=kiewit,dc=dartmouth,dc=edu.
  4. Set Up Authentication (if required):
    • If your application requires authentication to bind to AD, provide the necessary credentials:
      • Bind DN: The distinguished name of the account used for binding (e.g., cn=appbinduser,ou=serviceaccounts,dc=kiewit,dc=dartmouth,dc=edu).
      • Password: The password for the bind account.
  5. Save the Configuration:
    • Apply and save the changes to the application’s LDAP configuration.

Step 3: Test the LDAPS Connection

After configuring your application, it’s important to test the connection to ensure that it is successfully binding to AD using LDAPS:

  1. Run a Test Connection:
    • Use the application’s built-in testing tools or features to verify the LDAPS connection.
    • Ensure that the connection test is successful and that no errors are reported.
  2. Monitor the Connection:
    • Check the application’s logs and the AD domain controller’s logs for any warnings or errors related to LDAP connections.
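Steps 2 and 3 above, as an added example that is not part of this article: a small Python 3 client (standard library only) that opens a TLS session to kiewit.dartmouth.edu on port 636 verified against the installed root CA and performs an LDAPv3 simple bind, encoding the BindRequest and decoding the BindResponse by hand so that a successful bind (result 0) and a rejected one (result 49) are visible at the protocol level. The CA file path, and the bind DN and password passed to it, are assumed placeholders.

```python
import socket
import ssl
# Connection parameters from the article; the CA path is an assumed location for the installed DigiCert root.
LDAPS_HOST = "kiewit.dartmouth.edu"
LDAPS_PORT = 636
ROOT_CA_FILE = "/etc/ssl/certs/digicert-root.crt"

def ber_len(n):
    """BER length octets: short form below 128, long form (0x80 | count, then the length bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def ber_int(n):  # BER INTEGER content octets: two's complement, minimal length
    return n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True)
def tlv(tag, payload):  # one tag-length-value element
    return bytes([tag]) + ber_len(len(payload)) + payload

def bind_request(message_id, bind_dn, password):
    """LDAPMessage { messageID, [APPLICATION 0] BindRequest { version 3, name, [0] simple password } }."""
    op = tlv(0x60, tlv(0x02, ber_int(3)) + tlv(0x04, bind_dn.encode()) + tlv(0x80, password.encode()))
    return tlv(0x30, tlv(0x02, ber_int(message_id)) + op)

def parse_tlv(buf, pos):
    """Decode the element starting at buf[pos]; return (tag, content bytes, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low bits give the number of length octets that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_bind_response(data):
    """Return (message_id, result_code, diagnostic) from a BindResponse; 0 = success, 49 = invalidCredentials."""
    tag, msg, _ = parse_tlv(data, 0)
    _, mid, pos = parse_tlv(msg, 0)
    op_tag, op, _ = parse_tlv(msg, pos)
    if tag != 0x30 or op_tag != 0x61:  # SEQUENCE wrapping [APPLICATION 1] BindResponse
        raise ValueError("not an LDAPMessage carrying a BindResponse")
    _, code, pos = parse_tlv(op, 0)
    _, _matched_dn, pos = parse_tlv(op, pos)
    _, diag, _ = parse_tlv(op, pos)
    return int.from_bytes(mid, "big", signed=True), int.from_bytes(code, "big"), diag.decode(errors="replace")

def ldaps_bind(bind_dn, password, host=LDAPS_HOST, port=LDAPS_PORT, cafile=ROOT_CA_FILE):
    # Verified TLS on 636 (chain checked against the installed root CA, hostname checked), then one simple bind.
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=10) as raw, ctx.wrap_socket(raw, server_hostname=host) as tls:
        tls.sendall(bind_request(1, bind_dn, password))
        return parse_bind_response(tls.recv(4096))
```

Call ldaps_bind(bind_dn, password) from the application server itself; a trust or name-mismatch problem surfaces as an ssl.SSLError before any credentials are sent, which separates certificate issues (Step 1) from bind issues (Step 2).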

Troubleshooting

If you encounter issues during setup or testing, consider the following:

  • Certificate Trust Issues:
    • Ensure that the root CA certificate is correctly installed in the trusted root certificate store of the application server.
    • Connect using the name kiewit.dartmouth.edu rather than an IP address, since the domain controllers' certificates are validated against that name.
  • Port Connectivity:
    • Verify that port 636 is open and accessible from your application server.
  • LDAPS Compatibility:
    • Confirm that your application fully supports LDAPS and is configured correctly for SSL/TLS connections.
  • Error Messages:
    • Review any error messages in the application logs and cross-reference them with known issues in the application’s documentation.

Support

If you need further assistance with setting up LDAPS or encounter any issues that you cannot resolve, please contact the Infrastructure Services team at Dartmouth College for help.