January 30th, 2024 10:07

Problem with certificate trust when configuring LDAPS (Active Directory)

We are currently setting up a new and fresh instance with OpenManage 4. 

When we try to integrate user management with Active Directory we get a problem which we can't debug.

We are forced to use LDAPS (requirement from our IT Security department).

But when we set the port to 636 (LDAPS) and upload the root certificate from our PKI (the domain controllers have certificates signed by this PKI), we only get "CSEC1527 - Could not connect to the server because the uploaded certificate is invalid."

I can't find why OME thinks the certificate is not valid. We have tried with only the root certificate and also root + intermediate. The format is base64, as described in the OME documentation.

I have also tested the certificate on our domain controller against the root and intermediate certificates (with openssl) and it verifies OK.

Any clue what we are doing wrong? Any suggestions on how to debug this deeper? The logs in OME do not give us any TLS/SSL details.

Thanks in advance! 

Moderator


January 30th, 2024 14:45

Hi, I believe you're getting the warning below.

CSEC1527
Message: Could not connect to the server because the uploaded certificate is invalid.
Detailed Description: Please upload a valid certificate and perform the operation.
Recommended Response Action: Upload a valid certificate and perform the operation.
Category: Configuration (CSEC = Security)
Severity: Severity 1 (Critical)
Redfish Event Type: No alerts are applicable for this message


I researched and reviewed SSL-related situations. If only LDAP is enabled, then the connection will fail. If you want to check the domain's LDAPS configuration, you can download and use the LDP.exe tool from Microsoft. It is included in the RSAT package, which you can find at this link: Remote Server Administration Tools - Windows Server | Microsoft Learn; Ldp | Microsoft Learn

Then please take a look at OME AD integration as below:

Active Directory requirements: 

  • Ports 636/3269 open from Appliance to DC 

  • Root CA Certificate on any DC being used for LDAPS 

Note: Certificate upload is not required for AD authentication to work.


Active Directory Configuration: 
In the OpenManage Enterprise Web UI

Browse Application Settings > Users > Directory Services and select Add 

  • Select domain controller type (AD or LDAP).
  • Enter the required information for Directory Name.
  • Domain controller Lookup can be DNS or Manual.
  • For Method, add in the Domain Name or a list of domain controllers.
  • Add in the Group Domain. 
  • For Server port use 636 or 3269 
  • Save the Settings.

To test, select the newly added entry, and click Edit. 

  • Once this passes, navigate back to User and select Import Directory Group. 

  • Select the AD Domain set up in previous steps. 

  • Give it the credentials that passed the Test. 

  • Here it recursively searches Groups. Add in the Groups that you intend to use and give them permissions. 

  • Log out and log back in with AD. 

Active Directory Troubleshooting Scenarios: 

Active Directory Test Fails: 

  • Enable debug logging and export for review.

  • Most failures are firewall or LDAPS Bind issues.

  • Select Manual for domain controller Lookup and add a Single domain controller if there are multiple domain controllers in the environment. 

  • Try both Ports 636 and 3269. 

  • Verify that domain controller has a root CA Certificate within the Certificates MMC. 

  • Leverage LDP.exe in the Windows DC to test an LDAPS Bind 

Import Directory Groups does not find any groups: 

  • Enable debug logging and export for review.

  • It can be inferred that LDAPS Bind works if the test can run, which may narrow down to permissions on the Groups OU. 

  • Use the Delegate Option in AD Users and Computers or use a Domain Admin to add groups. 

Cannot Log in after setup: 

  • Enable debug logging and export for review.

  • Configure it to use a single domain controller and verify test works. 

Note: This is to rule out DNS or random nonworking DC. 

  • Ensure that user is a member of the groups added. 

  • Get a packet capture to see which part is failing. 
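Before chasing the chain itself, it is worth ruling out the packaging of the uploaded CA file, since an appliance that rejects it as "invalid" gives no detail about why. The checker below is an added example (not from this thread, not Dell's code): it inspects a CA bundle for the usual upload-format mistakes (binary DER instead of base64 PEM, a UTF-8 BOM, a PKCS7 export instead of CERTIFICATE blocks, truncated base64) and counts how many well-framed certificates it contains. The embedded PEM is a constructed stand-in (a minimal DER SEQUENCE), not a real certificate; signatures and chain building are not checked here.

```python
import base64
import re

# Constructed stand-in for an uploaded root CA file: a minimal DER SEQUENCE
# wrapped as PEM. It is NOT a real certificate; only the packaging is checked.
GOOD_PEM = b"-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"

# One PEM block: label plus base64 body; tolerates CRLF line endings.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)


def der_tlv_length(data: bytes):
    """Total length of the outer DER SEQUENCE, or None if the framing is wrong."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                 # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F                 # long form: next n bytes hold the length
    if n == 0 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def check_ca_bundle(raw: bytes) -> dict:
    """Report packaging problems in a CA bundle destined for an LDAPS upload."""
    findings = []
    if raw.startswith(b"\xef\xbb\xbf"):
        findings.append("UTF-8 BOM before the first PEM marker")
        raw = raw[3:]
    if raw[:1] == b"\x30":           # binary DER starts with a SEQUENCE tag
        findings.append("binary DER file, not base64 PEM")
        return {"certs": 0, "findings": findings, "ok": False}
    blocks = PEM_BLOCK.findall(raw.decode("ascii", errors="replace"))
    certs = 0
    for label, body in blocks:
        if label != "CERTIFICATE":   # e.g. a PKCS7 (.p7b) export instead of X.509 PEM
            findings.append(f'unexpected PEM block "{label}" (expected CERTIFICATE)')
            continue
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            findings.append("base64 body does not decode")
            continue
        if der_tlv_length(der) != len(der):
            findings.append("decoded bytes are not one well-formed DER SEQUENCE")
            continue
        certs += 1
    return {"certs": certs, "findings": findings, "ok": certs > 0 and not findings}
```

Run it on the exact file you upload (root alone, then root + intermediate); a result with `certs` equal to the number of certificates you expect and an empty `findings` list means the packaging is fine and the problem lies in the chain or the connection, which is where LDP.exe and a packet capture help.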
