After you have prepared the domain controller with the policy for certificate auto-enrollment, use the following steps to provide the required certificate, private key, and certification authority certificate to the Centrify LDAP proxy service.
- Verify the computer where you are running the Centrify LDAP proxy service is joined to an Active Directory domain.
- Change to the directory where certificates for auto-enrollment are located.
  You should see files similar to the following listed in the directory:
- Run an openssl command similar to the following to extract the certification authority certificates from the PKCS#7 chain file into a PEM file:
  openssl pkcs7 -in auto_LDAPProxy.chain -text -out auto_LDAPProxy_CA.pem -print_certs
- Add the following lines to the /etc/centrifydc/openldap/slapd.conf configuration file. Comment out the old TLSCipherSuite line, as shown here:
  # TLSCipherSuite SSLv3
  You should also review and modify other server configuration settings, if needed. For example, you might use settings similar to the following:
  # Require START TLS on port 389
  # Require TLS v1.0 or better
- Add the following line to the /etc/centrifydc/openldap/ldap.conf configuration file:
  You should also review and modify other client configuration settings, if needed. For example, you might need to change the TIMEOUT value so that clients wait an appropriate number of seconds for a response:
- Restart the Centrify OpenLDAP proxy service:
  sudo /usr/share/centrifydc/bin/centrify-ldapproxy start -h ldaps:///
- Test operation by running an OpenLDAP command, such as ldapsearch:
  /usr/share/centrifydc/bin/ldapsearch -x -H ldaps://localhost:636 -b 'cn=users,dc=win2012,dc=test' -D firstname.lastname@example.org -W "(cn=test_user)"
- To confirm that TLSv1.2 is being used, use openssl s_client to connect to slapd. For example, enter:
  $ openssl s_client -connect localhost:636 -showcerts -state -CAfile /etc/centrifydc/openldap/cacert.pem
  Review the output from the previous command and confirm that the protocol is TLSv1.2, as shown here:
  Protocol : TLSv1.2
- (Optional) Alternatively, to confirm that TLSv1.2 is used, run a software tool like Wireshark to capture and inspect the ldapsearch traffic.
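The protocol check in the last steps can be scripted so it is repeatable after every restart; the following is an added shell example, not part of the Centrify documentation, that parses openssl s_client output for the negotiated protocol and the chain verification result. The LDAPS_HOST, LDAPS_PORT and CA_FILE defaults are assumptions taken from the commands above.

```shell
#!/bin/sh
# Added example (not Centrify's own code): confirm that the LDAP proxy
# negotiates TLSv1.2 or newer and that its certificate chain validates
# against the CA file extracted with "openssl pkcs7 -print_certs".
# Host, port and CA path are assumptions; override them via the environment.

LDAPS_HOST="${LDAPS_HOST:-localhost}"
LDAPS_PORT="${LDAPS_PORT:-636}"
CA_FILE="${CA_FILE:-/etc/centrifydc/openldap/cacert.pem}"

# Print the value of the "Protocol  : ..." line from s_client output on stdin.
s_client_protocol() {
    sed -n 's/^[[:space:]]*Protocol[[:space:]]*:[[:space:]]*//p' | head -n 1
}

# Print the numeric "Verify return code: N (...)" from s_client output on stdin.
s_client_verify_code() {
    sed -n 's/^[[:space:]]*Verify return code:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Succeed only for TLSv1.2 or TLSv1.3; anything older (or empty) fails.
protocol_is_modern() {
    case "$1" in
        TLSv1.2|TLSv1.3) return 0 ;;
        *) return 1 ;;
    esac
}

# Live check: connect to the proxy, then evaluate protocol and chain verification.
# Returns 0 on success, 1 on a weak protocol or a chain that did not verify.
check_ldaps_tls() {
    out=$(openssl s_client -connect "$LDAPS_HOST:$LDAPS_PORT" -CAfile "$CA_FILE" </dev/null 2>/dev/null)
    proto=$(printf '%s\n' "$out" | s_client_protocol)
    code=$(printf '%s\n' "$out" | s_client_verify_code)
    if protocol_is_modern "$proto" && [ "$code" = "0" ]; then
        echo "OK: $LDAPS_HOST:$LDAPS_PORT negotiated $proto, chain verified"
        return 0
    fi
    echo "FAIL: protocol='$proto' verify_code='$code'" >&2
    return 1
}
```

Run `check_ldaps_tls` after the proxy is up; a non-zero exit means either an old protocol was negotiated or the CA file does not validate the presented chain.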