
How to change from LDAP to LDAPS on the Portal appliance? 

Question:


How can secure LDAP (LDAPS) access be enabled on the Portal?

When enabling Active Directory over SSL and changing the corresponding port to 636, an error is received stating that the connection has failed ("failed to connect to").

Answer:

In some cases you have to verify connectivity to the domain controller and import a valid certificate into the Appliance's Java keystore, using the steps below.

Steps:

NOTE: Replace any "nxtsvr001dc.nxtsuplab.loc" or "nxtsvr001dc" with the corresponding AD server for this procedure.

 

Verify connectivity to the DC on the LDAPS port from the portal CLI:

CODE
nc -vz -w 1 nxtsvr001dc.nxtsuplab.loc 636
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Connected to 172.19.1.201:636.
Ncat: 0 bytes sent, 0 bytes received in 0.02 seconds.

Pull the AD server certificate and verify that the output contains at least one block between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----:

CODE
openssl s_client -host nxtsvr001dc.nxtsuplab.loc -port 636 -prexit -showcerts

If so, export it to a file named ADserver.pem:

CODE
echo | openssl s_client -connect nxtsvr001dc.nxtsuplab.loc:636 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' >ADserver.pem

If not, please follow up with the administrator of the AD server.

NOTE: if multiple certificates (root CA and intermediates) are presented in the first command, you may need to import these into the Java keystore as well. See the end of this document for how to export them from the LDAPS server.

Verify that the information in the certificate is valid (subject, issuer, validity period, and that the subject or Subject Alternative Name matches the FQDN configured in the Portal):

CODE
openssl x509 -text -in ADserver.pem

Stop the portal:

CODE
sudo systemctl stop nxportal

Import the ADserver certificate into the keystore.

NOTE: Change the alias to a name that corresponds to your environment.

CODE
sudo sh /var/nexthink/portal/security/import_certificate.sh -alias nxtsvr001dc -file /home/nexthink/ADserver.pem -storepass changeit

Sample output:

CODE
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::: Nexthink Certificate import script version 08.06.rev001 ::::::::::::::::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

Owner: CN=NXTSVR001DC.nxtsuplab.loc
Issuer: CN=NXTSVR001DC.nxtsuplab.loc
Serial number: 53a0747786ba12b442f61c3580ef6383
Valid from: Tue Oct 22 11:27:29 CEST 2019 until: Thu Oct 22 02:00:00 CEST 2020

Certificate fingerprints:

         MD5:  55:91:28:A7:4B:16:5D:B3:DA:C6:1D:3B:1B:1C:5F:C5
         SHA1: 13:CC:9D:39:51:93:DA:CF:73:AD:F4:15:DA:3E:DD:7E:70:53:97:23
         SHA256: 3D:2F:B1:05:B5:47:68:16:AE:50:0A:95:7A:B7:30:17:23:B0:9B:4E:13:1A:5C:CC:C9:15:F2:CB:5B:FF:D9:BE

Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 2048-bit RSA key

Version: 3

Extensions:

#1: ObjectId: 2.5.29.37 Criticality=false

ExtendedKeyUsages [
  serverAuth
]

#2: ObjectId: 2.5.29.15 Criticality=false

KeyUsage [
  Key_Encipherment
  Data_Encipherment
]

Trust this certificate? [no]:  yes

Certificate was added to keystore

Start the portal:

CODE
sudo systemctl start nxportal

Go back to the Portal's web console and test the connection again on port 636.

To export all the certificates presented by the LDAPS service, the following example can be used.

Get the chain, up to 5 levels deep. Each certificate is written to its own file (cert1.pem, cert2.pem, ...).

NOTE: Replace YOURLDAPS_SERVER with the FQDN of your LDAPS server.

CODE
openssl s_client -showcerts -verify 5 -connect YOURLDAPS_SERVER:636 < /dev/null | awk '/BEGIN/,/END/{ if(/BEGIN/){a++}; out="cert"a".pem"; print >out}'

Rename each file after the CN field of its subject:

CODE
for cert in *.pem; do newname=$(openssl x509 -noout -subject -in "$cert" | sed -n 's/^.*CN=\(.*\)$/\1/; s/[ ,.*]/_/g; s/__/_/g; s/^_//g;p').pem; mv "$cert" "$newname"; done

This should retrieve all certificates in the chain and prepare them for later import into the Java keystore, one import_certificate.sh run per file, each with its own alias.
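The chain-splitting and renaming steps above, rewritten as an added example in the form of two reusable shell functions. This is not a Nexthink script; it is exercised here on a constructed PEM bundle (fake base64 bodies plus the kind of "depth=" and "s:" lines that openssl s_client prints between certificates) so that it runs offline. The CN extraction is generalised to accept both the OpenSSL 1.0 form of the subject line (`subject= /DC=loc/CN=name`) and the OpenSSL 1.1+ form (`subject=DC = loc, CN = name`), which the page's one-liner does not match, and it fails explicitly when a subject has no CN instead of producing a filename from the whole line. The rename_by_cn helper needs real certificates and openssl, so it is defined but not run on the constructed data.

```bash
#!/bin/sh
# Added example (not part of the original article): split an s_client capture
# into one PEM file per certificate, then derive a filename from each subject CN.

# split_chain BUNDLE OUTDIR
# Writes every BEGIN/END CERTIFICATE block in BUNDLE to OUTDIR/cert<N>.pem,
# skips the s_client chatter between blocks, and prints the number of blocks.
split_chain() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/ {
            if (/BEGIN CERTIFICATE/) { n++; out = dir "/cert" n ".pem" }
            print > out
        }
        END { print n + 0 }
    ' "$bundle"
}

# subject_to_filename SUBJECT_LINE
# Extracts the CN from an "openssl x509 -noout -subject" line (either output
# format), replaces spaces, commas, dots and asterisks with "_" as the article
# does, and prints "<cn>.pem". Returns 1 when the subject carries no CN.
subject_to_filename() {
    name=$(printf '%s\n' "$1" | sed -n \
        -e 's/^.*CN *= *\([^,]*\).*$/\1/' \
        -e 't cn' -e 'd' -e ':cn' \
        -e 's/[ ,.*]/_/g; s/__*/_/g; s/^_//; s/_$//; p')
    [ -n "$name" ] || return 1
    printf '%s.pem\n' "$name"
}

# rename_by_cn DIR
# Renames every *.pem in DIR after its subject CN. Requires real certificates
# and the openssl CLI, so it is not exercised on the constructed bundle below.
rename_by_cn() {
    for f in "$1"/*.pem; do
        subj=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$f") || return 1
        new=$(subject_to_filename "$subj") || { echo "no CN in $f, left as is" >&2; continue; }
        if [ -e "$1/$new" ]; then echo "$new already exists, skipping $f" >&2; continue; fi
        mv "$f" "$1/$new"
    done
}

# Constructed sample: three fake certificates (not real DER) interleaved with
# the lines openssl s_client -showcerts prints around them.
BUNDLE=$(cat <<'EOF'
depth=2 CN = constructed-root
 0 s:CN = nxtsvr001dc.nxtsuplab.loc
   i:CN = constructed-intermediate
-----BEGIN CERTIFICATE-----
MIIBconstructedLeafNotARealCertificate==
-----END CERTIFICATE-----
 1 s:CN = constructed-intermediate
   i:CN = constructed-root
-----BEGIN CERTIFICATE-----
MIIBconstructedIntermediateNotARealCertificate==
-----END CERTIFICATE-----
 2 s:CN = constructed-root
   i:CN = constructed-root
-----BEGIN CERTIFICATE-----
MIIBconstructedRootNotARealCertificate==
-----END CERTIFICATE-----
EOF
)

# Demo on the constructed bundle; with a real capture, replace chain.txt with
# the output of: openssl s_client -showcerts -connect YOURLDAPS_SERVER:636 </dev/null
work=$(mktemp -d)
printf '%s\n' "$BUNDLE" > "$work/chain.txt"
echo "certificates found: $(split_chain "$work/chain.txt" "$work/certs")"
for s in 'subject=CN = NXTSVR001DC.nxtsuplab.loc' \
         'subject= /DC=loc/DC=nxtsuplab/CN=nxtsuplab-NXTSVR001DC-CA' \
         'subject=CN=Root CA,O=Example'; do
    echo "$s -> $(subject_to_filename "$s")"
done
rm -rf "$work"
```

Once the files are named, import each one with import_certificate.sh as in the main procedure, using a distinct alias per certificate (for example the CN-derived filename without the .pem suffix), root and intermediates included, so that the Portal can build the full trust chain to the domain controller.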
