2

Our application works with Active Directory users and groups. We are using LDAP on port 389 for Active Directory operations. Now, one of our clients want us add an option for using LDAP + SSL for Active Directory communication.

They told us that they have a local CA installed on their domain and using self signed certificate for LDAPS. They also told us that they will provide the certificate, no mutual-trust needed and we should use Windows certificate store.

I have developed a test application for LDAP+SSL operations and saw that server sends its certificate when a client initiates an LDAP+SSL connection. I can establish the connection only by returning true from the server certificate verification method.

The questions are; - Which certificate (root, the ceritificate used for LDAP+SSL...) should the customer give us?

What should be the format of the certificate for working on .Net environment?

How should I verify the server's certificate when connecting the server?

What they mean by "we should use Windows certificate store"? Do they want us add the server's certificate automatically to trusted certificate store of the local machine?

Sample code I used for LDAP+SSL connection,

LdapConnection _connection = new LdapConnection(new LdapDirectoryIdentifier(m_DomainName, m_PortNo));
_connection.Timeout = TimeSpan.FromMinutes(10);
_connection.AuthType = AuthType.Basic;
_connection.Credential = new NetworkCredential(m_UserName, m_Password);

_connection.SessionOptions.ProtocolVersion = 3;
_connection.SessionOptions.SecureSocketLayer = true; 

_connection.SessionOptions.VerifyServerCertificate = (ldapCon, serverCertificate) =>
{
   //TODO: Verify server certificate
   return true;
};
_connection.SessionOptions.QueryClientCertificate = (con, trustedCAs) => null;

_connection.Bind();
NthDeveloper
  • 969
  • 8
  • 16

2 Answers2

5

Which certificate (root, the ceritificate used for LDAP+SSL...) should the customer give us?

The root certificate that signed the LDAP server cert. They can also give you the whole chain in advance, but that will be sent during TLS handshake anyway. You only need to have the root cert in advance.

What should be the format of the certificate for working on .Net environment?

Anything that you can import into certmgr.msc. Pfx is the usual choice on Windows.

How should I verify the server's certificate when connecting the server?

You should not write validation yourself. Certificate validation is tricky business, and it's already done for you. Use the built-in stuff (also see below).

What they mean by "we should use Windows certificate store"? Do they want us add the server's certificate automatically to trusted certificate store of the local machine?

Yes. They send you the root cert they used for signing the ldap server cert, which you can then import as a trusted root. Once this is done, you don't need to do any manual validation, it will just work™ :) with valid certificates and will not work with invalid ones.

Note that once you add their root cert as trusted, they can forge any server certificate for the client their root is installed on, and anything they sign will be considered valid on that client.

Bonus: adding semi-custom validation and debugging certificate errors

One problem that you may face is that error messages are not very helpful. If the certificate cannot be validated, you will get a very generic error message that has no hint about the actual problem. You may want to hook into the validation process for other reasons too.

For this purpose, you can define your own validation:

private bool VerifyServerCertificate(LdapConnection ldapConnection, X509Certificate certificate)
{
    X509Certificate2 certificate2 = new X509Certificate2( certificate );
    return certificate2.Verify();
}

And then add it to the ldap connection:

_connection.SessionOptions.VerifyServerCertificate = 
    new VerifyServerCertificateCallback( VerifyServerCertificate );

This way you can catch exceptions on Verify() etc. But again, if the certificate is valid (can be verified by the client), this is not strictly needed, it's done automatically anyway. You only need this if you want something not implemented, like for example you could just return true in VerifyServerCertificate to accept any cert including the invalid ones (this would be a Bad Idea and makes a secure connection useless, but may be good for debugging, etc).

Another thing you could implement in this method is certificate pinning for additional security, but that's beyond the scope of this answer.

Gabor Lengyel
  • 14,129
  • 4
  • 32
  • 59
2

BTW: Since introduction of the StartTLS extended operation for LDAP v3 in May 2000 (RFC 2830) LDAPS (made for LDAP v2) is deprecated.

marabu
  • 1,166
  • 7
  • 9