Confirming a Domain Controller has working LDAPS enabled | Osirium How To (2024)

Summary

This article explains how to check whether LDAPS is working on a Domain Controller. Although LDAP is supported from release 7.5.2, we still recommend that LDAPS is used for communication between Osirium PAM and your Active Directory.

Using LDAP allows only read-only access between Osirium PAM and your Active Directory. This means that you cannot change the password of an Active Directory account or create a new account on the Active Directory through Osirium PAM.

These operations can only be done over LDAPS, which is why Osirium PAM recommends LDAPS to allow full management functionality when using Active Directory.

Applicable Version

Osirium PAM 7.x onwards.

Domain Controller Default

By default, Domain Controller(s) listen over LDAP but not LDAPS. They do, however, still have an active socket listening on the LDAPS port (TCP 636), but by default this does not function correctly.

To function correctly, the Domain Controller(s) require a certificate (with 'Server Authentication' enabled) to be installed.

This happens automatically for all Domain Controllers if there is a Microsoft Certificate Authority role installed somewhere in the domain and it is configured with an Enterprise Root certificate.

To enable LDAPS on a Domain Controller using a self-signed certificate and without installing the Microsoft Certificate Authority role in the Domain, see here (Osirium Support account required).

Testing LDAPS

It is not sufficient to check only that the Domain Controller is listening on the LDAPS port (TCP 636); you also need to confirm that LDAPS is working.

To verify if LDAPS has been configured on your Domain Controller and is functioning correctly, perform the following steps on each Domain Controller that Osirium PAM will need to communicate with:

1. RDP onto the Domain Controller.

2. Open the Run dialogue box and run the ldp.exe application.

3. Within the Ldp window, click the Connection menu and select Connect...

4. Within the Connect window, fill in the details as shown below.

[Screenshot: Ldp Connect window]

5. Click OK.

6. If the server is correctly configured for LDAPS then line 5 of the output (you might need to scroll up) will show that the host supports SSL.

[Screenshot: Ldp output for a host that supports SSL]

If the host is NOT configured for LDAPS then the following will be shown.

[Screenshot: Ldp output for a host that is not configured for LDAPS]

If you are running PAMv7.x then you will not be able to connect to the Domain Controller.

If you are running PAMv8.x, you can configure SASL over LDAP as an alternative to LDAPS; however, LDAPS is the recommended option.

Article information

Author: Carlyn Walter
