Change Password in Active Directory using LDAP/PHP/IIS/SSL

野趣味 2020-12-06 21:27

First of all, this may be less of a programming question and more of a "how do I configure LDAPS" question, but here goes...

Background Info:

3 answers
  • 2020-12-06 22:04

    Did you create a certificate request for the secure LDAP with the correct OIDs?

    Here's my inf file:

     [Version]
     Signature="$Windows NT$"

     [NewRequest]
     Subject = "CN=my-server.blahblah.com" ; must be the FQDN of host
     Exportable = TRUE   ; TRUE = Private key is exportable
     KeyLength = 4096    ; Common key sizes: 512, 1024, 2048, 4096, 8192, 16384
     KeySpec = 1         ; Key Exchange
     KeyUsage = 0xF8     ; Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement
     MachineKeySet = True
     ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
     ProviderType = 12
     RequestType = CMC

     ; Omit entire section if CA is an enterprise CA
     [EnhancedKeyUsageExtension]
     OID=1.3.6.1.5.5.8.2.2
     OID=1.3.6.1.5.5.7.3.1
     OID=1.3.6.1.5.5.7.3.2
     OID=1.3.6.1.5.5.7.3.3
     OID=1.3.6.1.5.5.7.3.4
     OID=1.3.6.1.5.5.7.3.5
     OID=1.3.6.1.5.5.7.3.6
     OID=1.3.6.1.5.5.7.3.7
     OID=1.3.6.1.5.5.7.3.8
     OID=1.3.6.1.5.5.7.3.9
     OID=1.3.6.1.4.1.311.10.3.4
     OID=1.3.6.1.4.1.311.54.1.2

     [RequestAttributes]
     CertificateTemplate = MySpecialTemplate  ; Omit line if CA is a stand-alone CA
     SAN="dns=my-server.blahblah.com"  ; SAN entries take a type prefix such as dns=
    

    YOU SHOULD MAKE A TEMPLATE ON THE CA USING THE 2003 (NOT ALL MICROSOFT PRODUCTS CAN UTILIZE 2008 TEMPLATES -- I KNOW STUPID HUH) COPY IT FROM DOMAIN CONTROLLER AND THROW THE KITCHEN SINK AT THE OIDS

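Active Directory's LDAPS listener needs a certificate whose EKU includes Server Authentication (1.3.6.1.5.5.7.3.1) and whose Subject CN or SAN DNS entry carries the domain controller's FQDN. The following is an added example, not part of any post above: a small auditor for a certreq INF like the one in this answer, which names each requested EKU and checks the host name. The sample host `dc01.example.test`, the function names, and the policy of flagging every other EKU and an exportable key are this example's assumptions.

```python
import re

PKIX_KP = "1.3.6.1.5.5.7.3."   # id-kp arc; .1 to .9 all appear in the INF above
EKU_NAMES = {PKIX_KP + str(i + 1): n for i, n in enumerate([
    "Server Authentication", "Client Authentication", "Code Signing",
    "Secure Email", "IPsec End System", "IPsec Tunnel", "IPsec User",
    "Time Stamping", "OCSP Signing"])}
EKU_NAMES.update({"1.3.6.1.5.5.8.2.2": "IPsec IKE Intermediate",
                  "1.3.6.1.4.1.311.10.3.4": "Encrypting File System",
                  "1.3.6.1.4.1.311.54.1.2": "Remote Desktop Authentication"})
SERVER_AUTH = PKIX_KP + "1"

# Constructed sample request (hypothetical host name), not the poster's file.
SAMPLE_INF = """[NewRequest]
Subject = "CN=dc01.example.test" ; FQDN of the domain controller
Exportable = TRUE
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
OID=1.3.6.1.5.5.7.3.3
[RequestAttributes]
SAN="dns=dc01.example.test"
"""

def parse_inf(text):  # -> {section: [(key, value), ...]}; lists because OID= repeats
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # naive: assumes no ';' inside values
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).lower(), [])
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current.append((key.strip().lower(), value.strip().strip('"')))
    return sections

def audit_inf(text, fqdn):
    """Findings for an LDAPS certificate request for host `fqdn`."""
    inf, out = parse_inf(text), []
    req, attrs = (dict(inf.get(s, [])) for s in ("newrequest", "requestattributes"))
    ekus = [v for k, v in inf.get("enhancedkeyusageextension", []) if k == "oid"]
    if ekus and SERVER_AUTH not in ekus:   # no EKU section: the CA template decides
        out.append("missing Server Authentication EKU")
    out += [f"EKU not required for LDAPS: {EKU_NAMES.get(o, o)}" for o in ekus if o != SERVER_AUTH]
    names = set(re.findall(r"CN=([^,]+)", req.get("subject", "")))
    names |= {e[4:] for e in attrs.get("san", "").split("&") if e.lower().startswith("dns=")}
    if fqdn.lower() not in {n.strip().lower() for n in names}:
        out.append(f"{fqdn} is in neither Subject CN nor SAN")
    if req.get("exportable", "").upper() == "TRUE":
        out.append("private key is exportable")
    return out
```

Calling `audit_inf(SAMPLE_INF, "dc01.example.test")` returns one finding for the Code Signing EKU and one for the exportable key.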
  • 2020-12-06 22:09

    Just two pieces of advice:

    1. During the AD CS setup, in the Specify Setup Type page, click Enterprise, and then click Next.
    2. The AD service is supposed to pick up its own certificate by itself, but if it works like in Windows Server 2003, you must reboot the server to make it work. Perhaps just stop and restart the service in W2K8 R2.

    After that, you can just try to build a certificate and install it on the AD service account, like you can find it done with ADAM.

  • 2020-12-06 22:12

    Just make your connection as trust all. Then it will no longer need certificates. Check out javax.net.ssl.TrustManager.
