Updating the Centrify OpenLDAP proxy computer

After you have prepared the domain controller with the policy for certificate auto‑enrollment, you can use the following steps to provide the required certificate, private key, and certification authority.

  1. Verify the computer where you are running the Centrify LDAP proxy service is joined to an Active Directory domain.
  2. Change to the directory where certificates for auto-enrollment are located.

    cd /var/centrify/net/certs/

    You should see files similar to the following listed in the directory:

    auto_LDAPProxy.cert
    auto_LDAPProxy.chain
    auto_LDAPProxy.key
    trust_41DFF689876FCE52E02EE73FC7E3782964DC54BB.crl
    trust_F7842B2A65489F15A1722518E41F5E6B0F4FBC5E.cert
  3. Run an openssl command similar to the following to create the certificate:

    openssl pkcs7 -in auto_LDAPProxy.chain -text -out auto_LDAPProxy_CA.pem ‑print_certs
  4. Add the following lines to /etc/centrifydc/openldap/slapd.conf configuration file. Comment out the old TLSCipherSuite line, as shown here.

    TLSCertificateFile /var/centrify/net/certs/auto_LDAPProxy_CA.pem
    TLSCertificateFile /var/centrify/net/certs/auto_LDAPProxy.cert
    TLSCertificateKeyFile /var/centrify/net/certs/auto_LDAPProxy.key
    TLSCipherSuite TLSv1.2
    # TLSCipherSuite SSLv3

    You should also review and modify other server configuration settings, if needed. For example, you might use settings similar to the following:

    # Require START TLS on port 389
    security tls=1
    # Require TLS v1.0 or better
    TLSProtocolMin 3.1
    TLSVerifyClient try
  5. Add the following line to /etc/centrifydc/openldap/ldap.conf configuration file:

    TLS_CACERT /var/centrify/net/certs/auto_LDAPProxy_CA.pem

    You should also review and modify other configuration settings, if needed. For example, you might need to change the TIMEOUT value to allow clients to wait an appropriate number of seconds for a response:

    TIMEOUT 15
  6. Restart the Centrify OpenLDAP proxy service.

    sudo /usr/share/centrifydc/bin/centrify-ldapproxy start -h ldaps:///
  7. Test operation by running an OpenLDAP command, such as ldapsearch.

    /usr/share/centrifydc/bin/ldapsearch -x -H ldaps://localhost:636 -b 'cn=users,dc=win2012,dc=test' -D administrator@win2012.test -W "(cn=test_user)"
  8. To confirm that TLSv1.2 is being used, use openssl s_client to connect to the slapd. For example, enter:

    $ openssl s_client -connect localhost:636 -showcerts -state -CAfile /etc/centrifydc/openldap/cacert.pem
  9. Review the output from the previous command and confirm that the protocol is TLSv1.2, as shown here:

    ...
    SSL Session:
    Protocol : TLSv1.2
  10. (Optional) Alternatively, to confirm that TLSv1.2 is used, run a software tool like Wireshark to capture and inspect the ldapsearch traffic.