mirror of
http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/selfhosting-blogposts.git
synced 2025-05-16 20:27:00 +00:00
232 lines
9.5 KiB
Markdown
---
search:
  exclude: true
---

# Windows Server 2019 LDAPS Setup
LDAPS is LDAP wrapped in an SSL/TLS layer: plain LDAP on Windows Server listens on port tcp/389, while LDAPS listens on port tcp/636 and requires a certificate issued by a Certificate Authority (CA).

## **Initial Requirements**

To follow this tutorial you will need a working WS2019 server with DNS and AD already set up; you can check [this](../w5/index.md) tutorial to get that done.

With that in place we can test the default LDAP port (389) on our WS2019 server (10.0.0.204):

```
[ 10.0.0.10/16 ] [ /dev/pts/45 ] [~]
→ ping 10.0.0.204
PING 10.0.0.204 (10.0.0.204) 56(84) bytes of data.
64 bytes from 10.0.0.204: icmp_seq=1 ttl=128 time=1.01 ms
64 bytes from 10.0.0.204: icmp_seq=2 ttl=128 time=1.59 ms
64 bytes from 10.0.0.204: icmp_seq=3 ttl=128 time=1.48 ms
64 bytes from 10.0.0.204: icmp_seq=4 ttl=128 time=0.924 ms
^C
--- 10.0.0.204 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 0.924/1.249/1.592/0.289 ms

[ 10.0.0.10/16 ] [ /dev/pts/45 ] [~]
→ nmap -p389 10.0.0.204
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-28 12:34 CEST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.07 seconds

[ 10.0.0.10/16 ] [ /dev/pts/45 ] [~]
→ nmap -p389 10.0.0.204 -Pn
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-28 12:34 CEST
Nmap scan report for 10.0.0.204
Host is up (0.00100s latency).

PORT    STATE SERVICE
389/tcp open  ldap

Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds
```

Now that we know the LDAP port is open on our Windows Server host, you can try to log into it with the ldapsearch utility from the openldap package and retrieve some information. If you set up your own AD you know at least the IP of the server (10.0.0.204), the domain name (nowhere.local) and one user's credentials (nowhere:password):

```
[ 10.0.0.10/16 ] [ /dev/pts/45 ] [~]
→ ldapsearch -H ldap://10.0.0.204:389 -b dc=nowhere,dc=local -D nothing@nowhere.local -W
```

## **LDAPS Setup**

From here we install the Active Directory Certificate Services role on our WS2019 host:

So that's our result:

Then let it configure, and once that is done we will be able to use LDAPS on port 636.

We can verify that the LDAPS port is open with the following nmap command:

```
[ 10.0.0.10/16 ] [ /dev/pts/46 ] [~]
→ nmap -p389,636 10.0.0.204 -Pn -sCV
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-28 15:25 CEST
Nmap scan report for 10.0.0.204
Host is up (0.00090s latency).

PORT    STATE SERVICE    VERSION
389/tcp open  ldap       Microsoft Windows Active Directory LDAP (Domain: nowhere.local0., Site: Default-First-Site-Name)
636/tcp open  tcpwrapped
Service Info: Host: WIN-LJT7MG0NF5R; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.74 seconds
```

The LDAPS port is open; however, we still need to reboot our WS2019 VM:

## **Testing the LDAPS connection**

Most importantly, we need to check that other hosts on the local network can see the new certificate correctly. Before that, let's check whether we can see our own certificate from the Windows Server host itself:

So we are able to see our own LDAPS SSL certificate:

Now we need to see if pfSense can see the LDAPS SSL certificate:

To do so we can use the 'ldapsearch' tool available in the [openldap package](https://command-not-found.com/ldapsearch):

```
[ 10.0.0.10/16 ] [ /dev/pts/45 ] [~]
→ sudo pacman -S openldap
[sudo] password for nothing:
resolving dependencies...
looking for conflicting packages...

Package (1)    New Version  Net Change  Download Size

core/openldap  2.4.57-1       4.15 MiB       1.42 MiB

Total Download Size:   1.42 MiB
Total Installed Size:  4.15 MiB

:: Proceed with installation? [Y/n] y

[ 10.0.0.10/16 ] [ /dev/pts/45 ] [~]
→ which ldapsearch
/usr/bin/ldapsearch
```

```
[ 10.0.0.10/16 ] [ /dev/pts/45 ] [~]
→ openssl s_client -showcerts -connect 10.0.0.204:636
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 CN = WIN-LJT7MG0NF5R.nowhere.local
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = WIN-LJT7MG0NF5R.nowhere.local
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN = WIN-LJT7MG0NF5R.nowhere.local
verify return:1
---
Certificate chain
 0 s:CN = WIN-LJT7MG0NF5R.nowhere.local
   i:DC = local, DC = nowhere, CN = nowhere-CA
-----BEGIN CERTIFICATE-----
MIIG+zCCBOOgAwIBAgITVQAAAAKR6/iCOHueEQAAAAAAAjANBgkqhkiG9w0BAQ0F
ADBFMRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxFzAVBgoJkiaJk/IsZAEZFgdub3do
ZXJlMRMwEQYDVQQDEwpub3doZXJlLUNBMB4XDTIxMDMyODEzMzMxM1oXDTIyMDMy
ODEzMzMxM1owKDEmMCQGA1UEAxMdV0lOLUxKVDdNRzBORjVSLm5vd2hlcmUubG9j
YWwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCRQ0d8ZYEYy8es0Dix
6UDS8fwRRmhZ+TsBRIy8bwrwWYukcRxxo/Vijk1olvi3qS3nK6mZmT25g9zTHbPF
WalPVWtiZqQUL1dg9FBuzWHTD4+7uXa8KTy6I8ICa9GgfFleP1LzncKPJ/UYtEpT
MioQfOXz5XmAZqgVIFx3onkdVM9XHYt6T9mnOJMw/JiE9o54z64PCGg/IxcA7ZYV
lpMdIWhuO92sjhzJ8BEcyLvVrJjpPwlbQ0w46k35KY/j3oOrP01UEw6x+4teuiwn
bPo72GJQjP9qvKDj9H6sh4bSaue8wA39OlqT5eCYL57kxmIOJ0hSRWC9jIFJlyPK
GGLVAgMBAAGjggL/MIIC+zAvBgkrBgEEAYI3FAIEIh4gAEQAbwBtAGEAaQBuAEMA
bwBuAHQAcgBvAGwAbABlAHIwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMB
MA4GA1UdDwEB/wQEAwIFoDB4BgkqhkiG9w0BCQ8EazBpMA4GCCqGSIb3DQMCAgIA
gDAOBggqhkiG9w0DBAICAIAwCwYJYIZIAWUDBAEqMAsGCWCGSAFlAwQBLTALBglg
hkgBZQMEAQIwCwYJYIZIAWUDBAEFMAcGBSsOAwIHMAoGCCqGSIb3DQMHMB0GA1Ud
DgQWBBSr+hTuXL/n4V7mTbXcKgPUQmvA8zAfBgNVHSMEGDAWgBQ1GNjpvSPea8eP
2DJGHHpmXOz7PTCB0gYDVR0fBIHKMIHHMIHEoIHBoIG+hoG7bGRhcDovLy9DTj1u
b3doZXJlLUNBLENOPVdJTi1MSlQ3TUcwTkY1UixDTj1DRFAsQ049UHVibGljJTIw
S2V5JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1u
b3doZXJlLERDPWxvY2FsP2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q/YmFzZT9v
YmplY3RDbGFzcz1jUkxEaXN0cmlidXRpb25Qb2ludDCBvgYIKwYBBQUHAQEEgbEw
ga4wgasGCCsGAQUFBzAChoGebGRhcDovLy9DTj1ub3doZXJlLUNBLENOPUFJQSxD
Tj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1
cmF0aW9uLERDPW5vd2hlcmUsREM9bG9jYWw/Y0FDZXJ0aWZpY2F0ZT9iYXNlP29i
amVjdENsYXNzPWNlcnRpZmljYXRpb25BdXRob3JpdHkwSQYDVR0RBEIwQKAfBgkr
BgEEAYI3GQGgEgQQxn6cUfiuyUaEppT8x7iyk4IdV0lOLUxKVDdNRzBORjVSLm5v
d2hlcmUubG9jYWwwDQYJKoZIhvcNAQENBQADggIBAKMGBpS4aAAAaTdn7CJnRnaD
jpWDnhO0PBisnOi1xQ/BZv6rqoglLlRSxXEQUSJKbpDPO46/vmQC0TA95fen9SW2
tWRfWgq6QjnhBiHR9CrJtnZEx+NrDEx93SLWFX4uC5MdEtuVZdE6yaWmMBaz4X+6
300BvF9hkTY5EWnb/jLtFqm3JhuXX9C5n6Z/3uVfq6RZCkw546Fh26f60Sz3J/c+
2f3YggzflgAsP5KiApfhzLdpTHG53o7nuO4KJHKC1NL03Swd2DV/sFwyLvK8jxlZ
r1BhU/8kWXwdof5qHGiSbLBaTVqF0sIoowNKsA2zY9NI3kaPGTHGfl3K7yuF/u5D
7vpR0x1eBrV5sYOcM0pVwQU5BkghwQ3CF+Opz+WLGCSnyfpxiAVWfKHfb3h4X6X+
2ZCXuBdoGvHIYOxlrYt1B+HN2PPgoWo9GHtjG/5cLvO6GrDk3LID+/CfRcXZ7ec/
yl0BDrTAhjJgvRtGOkalEa8tASdDpvqNPaC2oNdiIpL51y0UPlpJzaHpmBLhw134
gbqDMCUQcmGezs5jKv0COSj49VEGGqwn+jkuNfUd77Z2uj+o9+nyanbVebegt0ha
HI9ABZer/1lGSE8IQu/bu36eRyXvy1SkKEtnvep7gi2Jea0ehWMqHnaB+8nTIEAn
7+Ple+iGS+2VPDYt/Nkg
-----END CERTIFICATE-----
---
Server certificate
subject=CN = WIN-LJT7MG0NF5R.nowhere.local

issuer=DC = local, DC = nowhere, CN = nowhere-CA

---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1:RSA+SHA512:ECDSA+SHA512
Shared Requested Signature Algorithms: RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1:RSA+SHA512:ECDSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-384, 384 bits
---
SSL handshake has read 2341 bytes and written 463 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 6C380000DE31D09F82EC8C531A3EC2F49F690C7DD3729D1678B2399207149AC4
    Session-ID-ctx:
    Master-Key: 9581A15DB6A1D6FC3EF0D114B9FF19AE73E3676493EB75738BD1A81A310F6C391D0FB1354A61668ED33E9D9590F3BE65
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1616939581
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: yes
---
```

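The `Verify return code: 21` at the end of that output is worth reading carefully: the Linux host received the server certificate, but it does not trust `nowhere-CA`, so OpenSSL could not chain the certificate to any issuer. The handshake still completes, which is exactly why a client that skips verification would never notice. The script below is an added example, not part of the original post, showing how a client host should check an LDAPS endpoint once it has a copy of the domain CA certificate: trust only that CA, require that the certificate name matches the host name being connected to, and treat anything but verify code 0 as a failure. The CA file name `nowhere-CA.pem`, the `check_ldaps` helper and the sample outputs are assumptions constructed for this example; the host name and issuer are taken from the output above.

```shell
#!/bin/sh
# Added example (not from the original post): verify an LDAPS endpoint the way
# a client host should, against the domain CA, instead of accepting whatever
# certificate the server presents. Assumes openssl is installed. The CA file
# name and the host/port arguments are placeholders for your own setup.

# Parse `openssl s_client` output (stdin), print the numeric verify code and
# return 0 only when that code is 0 (ok). The real line is indented inside the
# "SSL-Session:" block, hence the leading-whitespace match.
ldaps_verify_code() {
    code=$(sed -n 's/^[[:space:]]*Verify return code: \([0-9]*\).*/\1/p' | tail -n 1)
    # No "Verify return code" line at all means the handshake never completed.
    [ -n "$code" ] || code=255
    printf '%s\n' "$code"
    [ "$code" -eq 0 ]
}

# Return 0 when the leaf certificate's subject CN (from the "subject=" line on
# stdin) equals the expected FQDN.
ldaps_subject_matches() {
    expected=$1
    subject=$(sed -n 's/^subject=.*CN = \([^,]*\).*/\1/p' | head -n 1)
    [ "$subject" = "$expected" ]
}

# Live check: connect to HOST:PORT, trust only CA_FILE and insist that the
# certificate name matches HOST (-verify_hostname). </dev/null closes the
# session as soon as the handshake is done.
check_ldaps() {
    host=$1; port=${2:-636}; ca_file=$3
    out=$(openssl s_client -connect "$host:$port" -servername "$host" \
              -CAfile "$ca_file" -verify_hostname "$host" </dev/null 2>&1)
    if ! code=$(printf '%s\n' "$out" | ldaps_verify_code); then
        echo "LDAPS check FAILED for $host:$port (verify return code $code)" >&2
        return 1
    fi
    if ! printf '%s\n' "$out" | ldaps_subject_matches "$host"; then
        echo "LDAPS check FAILED: certificate CN does not match $host" >&2
        return 1
    fi
    echo "LDAPS check OK for $host:$port"
}

# Constructed sample outputs for an offline run. The first mirrors the failing
# result in the post (CA not trusted); the second is what a host that trusts
# nowhere-CA should see.
SAMPLE_UNTRUSTED='subject=CN = WIN-LJT7MG0NF5R.nowhere.local
issuer=DC = local, DC = nowhere, CN = nowhere-CA
SSL-Session:
    Verify return code: 21 (unable to verify the first certificate)'
SAMPLE_TRUSTED='subject=CN = WIN-LJT7MG0NF5R.nowhere.local
issuer=DC = local, DC = nowhere, CN = nowhere-CA
SSL-Session:
    Verify return code: 0 (ok)'

# `sh ldaps_check.sh --demo` runs the parser on the two samples: 21 then 0.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_UNTRUSTED" | ldaps_verify_code || echo "untrusted sample rejected, as expected"
    printf '%s\n' "$SAMPLE_TRUSTED"   | ldaps_verify_code && echo "trusted sample accepted"
fi
```

To use it for real, source the file and call `check_ldaps WIN-LJT7MG0NF5R.nowhere.local 636 nowhere-CA.pem` from the host that needs to talk to the DC. Two practical points follow from the output above: the certificate was issued to `WIN-LJT7MG0NF5R.nowhere.local`, so the check has to use that FQDN (a connection to `10.0.0.204` by IP would fail the hostname match even with the CA trusted), and the same CA file is what makes ldapsearch verify the server, as in `LDAPTLS_CACERT=nowhere-CA.pem ldapsearch -H ldaps://WIN-LJT7MG0NF5R.nowhere.local:636 -b dc=nowhere,dc=local -D nothing@nowhere.local -W`. Setting `LDAPTLS_REQCERT=never` instead only hides the error; the bind then works against any certificate at all.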
And that's it! We have been able to set up the LDAPS protocol on Windows Server 2019.