LDAPS is LDAP wrapped in a TLS/SSL layer. Plain LDAP on a Windows Server listens on port tcp/389; LDAPS instead listens on port tcp/636 and requires a Certificate Authority (CA) to issue the server certificate.
To follow this tutorial you need a working WS2019 server with DNS and AD already running on it; you can check this tutorial to get that done.
With that in place we can test the default LDAP port (389) on our WS2019 server (10.0.0.204):
[ 10.0.0.10/16 ] [ /dev/pts/45 ] [~]
→ ping 10.0.0.204
PING 10.0.0.204 (10.0.0.204) 56(84) bytes of data.
64 bytes from 10.0.0.204: icmp_seq=1 ttl=128 time=1.01 ms
64 bytes from 10.0.0.204: icmp_seq=2 ttl=128 time=1.59 ms
64 bytes from 10.0.0.204: icmp_seq=3 ttl=128 time=1.48 ms
64 bytes from 10.0.0.204: icmp_seq=4 ttl=128 time=0.924 ms
^C
--- 10.0.0.204 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 0.924/1.249/1.592/0.289 ms
[ 10.0.0.10/16 ] [ /dev/pts/45 ] [~]
→ nmap -p389 10.0.0.204
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-28 12:34 CEST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.07 seconds
[ 10.0.0.10/16 ] [ /dev/pts/45 ] [~]
→ nmap -p389 10.0.0.204 -Pn
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-28 12:34 CEST
Nmap scan report for 10.0.0.204
Host is up (0.00100s latency).
PORT STATE SERVICE
389/tcp open ldap
Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds
Now that we know the LDAP port is open on our Windows Server host, we can try to bind to it with the ldapsearch utility from the openldap package and retrieve some information. If you set up your own AD you know at least the IP of the server (10.0.0.204), the domain name (nowhere.local) and one user's credentials (nowhere:password):
[ 10.0.0.10/16 ] [ /dev/pts/45 ] [~]
→ ldapsearch -H ldap://10.0.0.204:389 -b dc=nowhere,dc=local -D nothing@nowhere.local -W
Next, install the Active Directory Certificate Services role on our WS2019 host:
So that's our result:
Let it configure itself; once that is done we will be able to use LDAPS on port 636.
We can verify that the LDAPS port is open with the following nmap command:
[ 10.0.0.10/16 ] [ /dev/pts/46 ] [~]
→ nmap -p389,636 10.0.0.204 -Pn -sCV
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-28 15:25 CEST
Nmap scan report for 10.0.0.204
Host is up (0.00090s latency).
PORT STATE SERVICE VERSION
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: nowhere.local0., Site: Default-First-Site-Name)
636/tcp open tcpwrapped
Service Info: Host: WIN-LJT7MG0NF5R; OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.74 seconds
The LDAPS port is open, however we still need to reboot our WS2019 VM:
Most importantly, we need to check that other hosts on the local network can see the new certificate correctly. Before that, let's check that we can see our own certificate from the Windows Server host itself:
So we are able to see our own LDAPS SSL certificate:
Now we need to see if pfsense can see the LDAPS SSL certificate:
To do so we can use the 'ldapsearch' tool available in the openldap package:
[ 10.0.0.10/16 ] [ /dev/pts/45 ] [~]
→ sudo pacman -S openldap
[sudo] password for nothing:
resolving dependencies...
looking for conflicting packages...
Package (1) New Version Net Change Download Size
core/openldap 2.4.57-1 4.15 MiB 1.42 MiB
Total Download Size: 1.42 MiB
Total Installed Size: 4.15 MiB
:: Proceed with installation? [Y/n] y
[ 10.0.0.10/16 ] [ /dev/pts/45 ] [~]
→ which ldapsearch
/usr/bin/ldapsearch
[ 10.0.0.10/16 ] [ /dev/pts/45 ] [~]
→ openssl s_client -showcerts -connect 10.0.0.204:636
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 CN = WIN-LJT7MG0NF5R.nowhere.local
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = WIN-LJT7MG0NF5R.nowhere.local
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN = WIN-LJT7MG0NF5R.nowhere.local
verify return:1
---
Certificate chain
0 s:CN = WIN-LJT7MG0NF5R.nowhere.local
i:DC = local, DC = nowhere, CN = nowhere-CA
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
---
Server certificate
subject=CN = WIN-LJT7MG0NF5R.nowhere.local
issuer=DC = local, DC = nowhere, CN = nowhere-CA
---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1:RSA+SHA512:ECDSA+SHA512
Shared Requested Signature Algorithms: RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1:RSA+SHA512:ECDSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-384, 384 bits
---
SSL handshake has read 2341 bytes and written 463 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 6C380000DE31D09F82EC8C531A3EC2F49F690C7DD3729D1678B2399207149AC4
Session-ID-ctx:
Master-Key: 9581A15DB6A1D6FC3EF0D114B9FF19AE73E3676493EB75738BD1A81A310F6C391D0FB1354A61668ED33E9D9590F3BE65
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1616939581
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
Extended master secret: yes
---
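The transcript above ends with "Verify return code: 21 (unable to verify the first certificate)": the server is presenting a certificate issued by nowhere-CA, but this Linux client has no trust anchor for that CA, so OpenSSL cannot validate the chain. The following is an added example, not code from the original post: a small Python checker that parses an `openssl s_client` transcript (a constructed, abridged copy of the one above is embedded), reports whether the chain verified, whether the leaf CN and issuer are the expected ones and whether a legacy protocol was negotiated, and a second function that performs the live check properly by handing the exported CA certificate to Python's `ssl` module. The hostname and CA name are the tutorial's; the PEM path is a placeholder.

```python
import re
import socket
import ssl
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: an abridged copy of the s_client transcript shown above
# (certificate body and handshake chatter omitted) so the parser runs offline.
SAMPLE_S_CLIENT_OUTPUT = """\
verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate
---
Certificate chain
 0 s:CN = WIN-LJT7MG0NF5R.nowhere.local
   i:DC = local, DC = nowhere, CN = nowhere-CA
---
Server certificate
subject=CN = WIN-LJT7MG0NF5R.nowhere.local
issuer=DC = local, DC = nowhere, CN = nowhere-CA
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 21 (unable to verify the first certificate)
"""

@dataclass
class SClientReport:
    subject: str = ""
    issuer: str = ""
    protocol: str = ""
    cipher: str = ""
    verify_code: int = -1            # -1: no "Verify return code" line found
    verify_text: str = ""
    errors: List[str] = field(default_factory=list)

def cn_of(dn: str) -> str:
    """CN attribute of an OpenSSL-style DN such as 'DC = local, CN = nowhere-CA'."""
    for part in dn.split(","):
        key, _, value = part.partition("=")
        if key.strip().upper() == "CN":
            return value.strip()
    return ""

def parse_s_client(text: str) -> SClientReport:
    """Extract the security-relevant fields from an s_client transcript."""
    r = SClientReport()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("subject="):
            r.subject = line[len("subject="):].strip()
        elif line.startswith("issuer="):
            r.issuer = line[len("issuer="):].strip()
        elif line.startswith("Protocol"):
            r.protocol = line.split(":", 1)[1].strip()
        elif line.startswith("Cipher"):
            r.cipher = line.split(":", 1)[1].strip()
        elif line.startswith("Verify return code:"):
            m = re.match(r"Verify return code:\s*(\d+)\s*\((.*)\)", line)
            if m:
                r.verify_code, r.verify_text = int(m.group(1)), m.group(2)
        elif line.startswith("verify error:"):
            r.errors.append(line)
    return r

def assess(r: SClientReport, expected_host: str, expected_issuer_cn: str) -> List[str]:
    """Return findings; an empty list means the endpoint passed every check."""
    findings = []
    if r.verify_code != 0:
        # Codes 20/21 (as in the tutorial) mean the *client* lacks a trust anchor
        # for the issuing CA; the server may still be serving the right certificate.
        findings.append(f"chain not verified (code {r.verify_code}: {r.verify_text}); "
                        f"import the {expected_issuer_cn!r} certificate into the client trust store")
    if cn_of(r.subject).lower() != expected_host.lower():
        findings.append(f"leaf CN {cn_of(r.subject)!r} != expected host {expected_host!r}")
    if cn_of(r.issuer) != expected_issuer_cn:
        findings.append(f"leaf issued by {cn_of(r.issuer)!r}, expected {expected_issuer_cn!r}")
    if r.protocol in ("SSLv3", "TLSv1", "TLSv1.1"):
        findings.append(f"legacy protocol negotiated: {r.protocol}")
    return findings

def fetch_and_verify(host: str, port: int = 636, cafile: Optional[str] = None,
                     timeout: float = 5.0) -> dict:
    """Live check: connect to the LDAPS port and have OpenSSL validate chain and
    hostname against `cafile` (the enterprise CA exported as PEM); raises
    ssl.SSLCertVerificationError if validation fails."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {"subject": cert.get("subject"), "issuer": cert.get("issuer"),
                    "protocol": tls.version(), "cipher": tls.cipher()[0]}

if __name__ == "__main__":
    report = parse_s_client(SAMPLE_S_CLIENT_OUTPUT)
    for finding in assess(report, "WIN-LJT7MG0NF5R.nowhere.local", "nowhere-CA"):
        print("FINDING:", finding)
    # Live use once nowhere-CA is exported (placeholder path, not from the tutorial):
    # fetch_and_verify("WIN-LJT7MG0NF5R.nowhere.local", 636, "/path/to/nowhere-CA.pem")
```

On the command line the equivalent of `fetch_and_verify` is `openssl s_client -connect 10.0.0.204:636 -CAfile nowhere-CA.pem`, which should then end with "Verify return code: 0 (ok)"; for ldapsearch, point it at `ldaps://` instead of `ldap://` and set `LDAPTLS_CACERT` to the same PEM file so the OpenLDAP client validates the certificate rather than failing the bind.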
And that's it! We have set up the LDAPS protocol on Windows Server 2019 (the verify return code 21 shown above only means this client does not yet have nowhere-CA in its trust store; the server is serving the certificate issued by nowhere-CA as intended).
Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8
Contact: nihilist@contact.nowhere.moe (PGP)