LDAPS is the way we are going to set up LDAP connections in the future.
ADV190023 | Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023
This document will focus on (re)configuring Juniper Networks’ SRX Firewalls to use LDAPS instead of LDAP and it is divided into 2 parts:
When handling an existing Juniper SRX LDAP, it is best to first test the LDAPS separately from the currently used LDAP connections. In this way, there is no impact for the customer.
1) Check the current LDAP configuration. For this connect via SSH to the device and configure a new LDAP access profile and a new AD setting. You will need to replace these variables in the configuration below:
2) User ID Service
Configure the user ID service to query the domain controllers. You will need to replace these variables in the below configuration:
3) Check if you can establish a connection to AD checking logs and the following commands:show services user-identification active-directory-access domain-controller status
show services user-identification authentication-table authentication-source active-directory. And you can check using wireshark to make sure that the connection is being encrypted.
4) Should the connection give an error, then either there is an issue with the certificate or with the communication between AD and Firewall. Normally the root CA certificate should already be in the trusted list (as this is an existing installation), but you can always check and if necessary, import the new CA. Also, make sure that the AD allows LDAPS.
5) Now that the connection has been modified you can remove the old configuration, using “delete” command to remove the old LDAP access profile and AD settings.
1) The first step is to install the CA certificate and make sure that is placed as trust Certificate Authority, you can use HTTPS in this step:
Fill the fields above and import the CA certificate. Or use CLI to do it:set security pki ca-profile Root-CA ca-identity CA-Root
set security pki ca-profile Root-CA enrollment url http://[ DC_IP ]:8080/scep/Root/
set security pki ca-profile Root-CA revocation-check use-crl
2) Check the certificate:show security pki ca-certificate
show security pki ca-certificate detail
3) Connect via ssh to the device and configure a new LDAP access profile and a new AD setting.