From: Oliver W. <ma...@ol...> - 2025-12-05 18:27:00
The very likely reason is that reading the docs is better than using AI....
https://openxpki.readthedocs.io/en/master/configuration/realm.html#authentication

On 12/5/25 16:19, Alexander Dersch via OpenXPKI-users wrote:
> Hello,
>
> I am having problems with the user authentication via LDAPS to an MSFT
> Active Directory. The problem is that I do not see any packets reaching the
> AD server from the OpenXPKI server. The
> openssl s_client -connect dc01.linuxlab.lan:636 -showcerts </dev/null
> test was successful. What do I miss? Thanks in advance.
>
> Alex
>
> The OpenXPKI system is installed as a container on a RHEL 9 system.
> I have configured so far the stack.yaml config as follows
>
> # --- Linuxlab AD stack ---
>
> linuxlab_ad_user:
>     label: Linuxlab AD Login - Users
>     description: "Login using AD account (User-Cert-Eligible)"
>     handler:
>         - ldap_linuxlab_user
>     type: passwd
>
> linuxlab_ad_ra:
>     label: Linuxlab AD Login - Cert Managers
>     description: "Login using AD account (PKI-CertManagers – approvals)"
>     handler:
>         - ldap_linuxlab_ra
>     type: passwd
>
> # --- End Linuxlab AD stack ---
>
> and the handler.yaml as follows
>
> ldap_linuxlab_user:
>     type: Password
>     label: "Linuxlab AD (Users - certificate enrollment)"
>     class: OpenXPKI::Server::Authentication::LDAP
>     role: User
>     param:
>         host: dc01.linuxlab.lan
>         port: 636
>         base: "DC=linuxlab,DC=lan"
>
>         binddn: "CN=svc-openxpki-ldap,OU=PKI-Service-Accounts,OU=PKI,DC=linuxlab,DC=lan"
>         password: "AbcarCBScGEFu6cjk*"
>
>         # User lookup
>         filter: "(&(sAMAccountName=[% login %])(memberOf=CN=User-Cert-Eligible,OU=PKI-Groups,OU=LinuxLab-Groups,DC=linuxlab,DC=lan))"
>
>         # TLS behaviour – adjust to your DC setup
>         use_tls: 1        # ldaps on 636
>         starttls: 0       # change to 1 if you use StartTLS on 389
>         timeout: 10
>         verify: require
>         cafile: /etc/openxpki/local/certs/linuxlab/ad-ca-chain.pem
>
> ldap_linuxlab_ra:
>     type: Password
>     label: "Linuxlab AD (Users - certificate enrollment)"
>     class: OpenXPKI::Server::Authentication::LDAP
>     role: RA Operator
>     param:
>         host: dc01.linuxlab.lan
>         port: 636
>         base: "DC=linuxlab,DC=lan"
>
>         binddn: "CN=svc-openxpki-ldap,OU=PKI-Service-Accounts,OU=PKI,DC=linuxlab,DC=lan"
>         password: "AbcarCBScGEFu6cjk*"
>
>         # User lookup
>         filter: "(&(sAMAccountName=[% login %])(memberOf=CN=PKI-CertManagers,OU=PKI-Groups,OU=LinuxLab-Groups,DC=linuxlab,DC=lan))"
>
>         # TLS behaviour – adjust to your DC setup
>         use_tls: 1        # ldaps on 636
>         starttls: 0       # change to 1 if you use StartTLS on 389
>         timeout: 10
>         verify: require
>         cafile: /etc/openxpki/local/certs/linuxlab/ad-ca-chain.pem
>
>
> _______________________________________________
> OpenXPKI-users mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/openxpki-users

-- 
Protect your environment - close windows and adopt a penguin!
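A way to check the directory side of this setup independently of OpenXPKI, as an added example (this is not code from the thread or from the OpenXPKI project): it performs the LDAPS connect, the service-account bind and the user lookup that the posted handler describes, using Net::LDAP, the module OpenXPKI itself relies on for LDAP. If this script succeeds from inside the container but the handler still generates no traffic, the problem is in how OpenXPKI loads the handler configuration rather than in the network or the directory. Host name, base, bind DN, group DN and CA file path are copied from the posted handler.yaml; the BIND_PW environment variable, the script name ldaps-check.pl and the login argument are assumptions of this example.

```perl
#!/usr/bin/env perl
# Added example, not OpenXPKI code: exercise the LDAPS bind and user lookup
# from the posted handler config with Net::LDAP, outside the PKI.
# Assumptions: run inside the OpenXPKI container; BIND_PW holds the
# service-account password; the login to look up is the first argument.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Values taken from the posted handler.yaml
my $host   = 'dc01.linuxlab.lan';
my $port   = 636;
my $cafile = '/etc/openxpki/local/certs/linuxlab/ad-ca-chain.pem';
my $base   = 'DC=linuxlab,DC=lan';
my $binddn = 'CN=svc-openxpki-ldap,OU=PKI-Service-Accounts,OU=PKI,DC=linuxlab,DC=lan';
my $group  = 'CN=User-Cert-Eligible,OU=PKI-Groups,OU=LinuxLab-Groups,DC=linuxlab,DC=lan';

my $login = shift @ARGV or die "usage: $0 <sAMAccountName>\n";
my $pw    = $ENV{BIND_PW} // die "set BIND_PW to the service-account password\n";

# 1. TCP connect plus TLS handshake. With verify => 'require' a chain or
#    hostname mismatch against $cafile fails here with a readable message
#    instead of surfacing later as an opaque handler failure.
my $ldap = Net::LDAP->new(
    $host,
    scheme  => 'ldaps',
    port    => $port,
    timeout => 10,
    verify  => 'require',
    cafile  => $cafile,
) or die "connect to ldaps://$host:$port failed: $@\n";
print "TLS connection to $host:$port established\n";

# 2. Simple bind as the service account, which is what the handler has to
#    do before it can look the user up.
my $mesg = $ldap->bind($binddn, password => $pw);
die sprintf("bind as %s failed: %s (code %d)\n", $binddn, $mesg->error, $mesg->code)
    if $mesg->code;
print "bind as $binddn ok\n";

# 3. The user lookup. The login is escaped per RFC 4515 before it is put
#    into the filter, so a value such as "*" or "x)(cn=*" cannot widen the
#    search. [% login %] in handler.yaml is OpenXPKI's template placeholder
#    for this same substitution.
my $filter = sprintf '(&(sAMAccountName=%s)(memberOf=%s))',
    escape_filter_value($login), escape_filter_value($group);

my $res = $ldap->search(
    base   => $base,
    scope  => 'sub',
    filter => $filter,
    attrs  => [qw(sAMAccountName memberOf)],
);
die sprintf("search failed: %s (code %d)\n", $res->error, $res->code)
    if $res->code;

printf "%d entries match %s\n", $res->count, $filter;
for my $e ($res->entries) {
    print "  ", $e->dn, "\n";
    print "    memberOf: $_\n" for $e->get_value('memberOf');
}
$ldap->unbind;
```

Run it as `BIND_PW='...' perl ldaps-check.pl <sAMAccountName>` inside the container, not on the RHEL host: a successful `openssl s_client` from the host only proves the host can reach the DC, while the handler runs with the container's network and DNS view. Two caveats worth knowing when reading the result: Active Directory's `memberOf` attribute lists direct memberships only, so a user who is in User-Cert-Eligible through a nested group will match neither this filter nor the one in the handler (AD's matching rule `1.2.840.113556.1.4.1941`, written as `memberOf:1.2.840.113556.1.4.1941:=<group DN>`, is needed for nested lookups); and the service-account password quoted in the thread is now public and should be rotated.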