Authenticating users with LDAPS
LDAPS is LDAP over TLS/SSL. It establishes a secure connection before any communication with the LDAP server takes place, and it provides no mechanism to fall back to an insecure connection, unlike STARTTLS, whose fallback has been used to perform MITM attacks. It authenticates the server and protects the communication from eavesdropping and tampering by encrypting it.
Since flexVDI Manager 3.1.4, LDAPS is supported for user authentication.
flexVDI Manager is the component of flexVDI that performs user authentication against a directory. If you use an LDAPS (LDAP over TLS) connection, flexVDI Manager will refuse to connect to the server unless it trusts the server's certificate.
Certificates trusted by flexVDI manager
flexVDI Manager trusts the default CA certificates trusted by JVM programs, which are stored in /etc/pki/java/cacerts. If you have bought a certificate for your LDAP server and it is signed by one of the CAs in that file, flexVDI Manager will trust it automatically. Otherwise you will get an error message like this when testing from the flexVDI Dashboard:
Authentication test failed: Failed to communicate with the LDAP server at ldap.example.com:636.
If you get an error like this, you have to instruct flexVDI Manager to trust the certificate of your server.
Organizations usually generate their own certificates for their internal servers and install their CA or server certificates on their systems. /etc/pki/java/cacerts is overwritten when flexVDI Manager is updated, so it is not a good place to store additional certificates.
flexVDI Manager also trusts the certificates stored in the PKCS12 file /flexvdi/external/manager/trustedCerts.p12. This file persists across software updates, so you can store your CA certificate or your LDAP server certificate there. The file follows the standard PKCS12 format.
Getting the certificate of your LDAP server or CA into your flexVDI Manager
If you already have the certificate stored somewhere, you can copy it to your flexVDI Manager with:
$ scp my_ldap.crt root@${FLEXVDI_MANAGER}:/root # Use the same password you use for admin in flexVDI Dashboard
You can get the certificate of a server, along with some more information, with the following command:
openssl s_client -connect {HOSTNAME}:{PORT} -showcerts
Then you can edit the output to extract the certificate. Alternatively, you can get the certificate in a single command with:
openssl s_client -showcerts -connect {HOSTNAME}:{PORT} </dev/null 2>/dev/null|openssl x509 -outform PEM > my_ldap.crt
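The one-liner above keeps only the first certificate in the s_client output, which is the server's own certificate; when you would rather trust the CA that signed it, you need the last certificate of the chain. The following script is an added example, not part of the flexVDI documentation: it splits s_client -showcerts output into individual PEM blocks and selects the leaf or the CA certificate. The chain it works on is a constructed sample with placeholder base64 lines, not real certificates; in real use, replace it with the output of the openssl command shown above.

```shell
#!/bin/sh
# Split the chain printed by `openssl s_client -showcerts` into one PEM
# block per certificate, so the CA certificate (the last in the chain) can
# be selected for import into trustedCerts.p12, not only the leaf that
# `openssl x509` alone would return.

# extract_cert <index>: reads s_client output on stdin and prints the
# <index>-th (1-based) PEM certificate block, nothing else.
extract_cert() {
    awk -v want="$1" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == want { print }
        /-----END CERTIFICATE-----/ && n == want { exit }
    '
}

# count_certs: number of certificate blocks in s_client output on stdin.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----'
}

# Constructed sample of `openssl s_client -showcerts` output. The base64
# lines are placeholders (assumption: shape of the output only), so the
# functions can be exercised offline.
SAMPLE_CHAIN='CONNECTED(00000003)
depth=1 CN = Example Internal CA
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:CN = ldap.example.com
   i:CN = Example Internal CA
-----BEGIN CERTIFICATE-----
LEAFCERTPLACEHOLDER1
LEAFCERTPLACEHOLDER2
-----END CERTIFICATE-----
 1 s:CN = Example Internal CA
   i:CN = Example Internal CA
-----BEGIN CERTIFICATE-----
CACERTPLACEHOLDER1
-----END CERTIFICATE-----
---
Server certificate
subject=CN = ldap.example.com'

# Real use: feed the live output instead of the sample, e.g.
#   openssl s_client -showcerts -connect ldap.example.com:636 </dev/null 2>/dev/null
chain_cert_count() { printf '%s\n' "$SAMPLE_CHAIN" | count_certs; }
leaf_cert()        { printf '%s\n' "$SAMPLE_CHAIN" | extract_cert 1; }
ca_cert()          { printf '%s\n' "$SAMPLE_CHAIN" | extract_cert "$(chain_cert_count)"; }
```

Redirect `ca_cert > my_ca.crt` (or `leaf_cert > my_ldap.crt`) and import the resulting file with the keytool command described in the next section; importing the CA certificate means a renewed server certificate signed by the same CA stays trusted without touching the store again.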
Managing trusted certificates in flexVDI Manager
The trustedCerts.p12 store is initially empty. flexVDI Manager ships with the keytool command, which allows you to store your certificates in the trustedCerts.p12 file. It accepts X.509 v1, v2, and v3 certificates in binary or PEM format. You can add one certificate (your LDAP server certificate, or the certificate of the CA that signed it) to trustedCerts.p12 with:
[root@manager manager]# keytool -keystore /flexvdi/external/manager/trustedCerts.p12 -storepass flexvdi -importcert -file my_ldap.crt -alias myldap
...
Trust this certificate? [no]: yes
Answer yes, and the certificate will be added to the PKCS12 file trustedCerts.p12.
Now you can see the contents with:
[root@manager manager]# keytool -keystore /flexvdi/external/manager/trustedCerts.p12 -storepass flexvdi -list
Then restart flexvdi-manager to apply the changes with:
[root@manager manager]# systemctl restart flexvdi-manager
It is important not to change the store password, which is set to flexvdi, as flexVDI Manager uses it to open trustedCerts.p12.