Unable to configure the search appliance and Active Directory to use SSL
Summary: When configuring the search appliance to use Active Directory to authenticate users and/or resolve groups via LDAP, you should enable SSL to prevent credentials from being passed in plain text.
Cause: There are two reasons why it may not be possible to configure SSL between the search appliance and Active Directory:
- There is no SSL certificate installed on the Active Directory domain controller.
- The certificate is not trusted by the search appliance.
Troubleshooting Steps: Check whether the domain controller has a certificate installed. To do this, run the following openssl command against the LDAPS port (636) of the domain controller:
$ openssl s_client -connect example.com:636
If the connection is closed immediately, without a server certificate being printed, Active Directory doesn't have a certificate installed. You can verify this on the domain controller: Event Viewer / Windows Logs / System will contain Event 36886.
Fix: Complete the following steps to configure SSL between Active Directory and the search appliance:
- If no SSL certificate is installed, engage your AD administrator to install an SSL certificate on the domain controller.
- Import the certification authority certificate on the search appliance. To establish trust between the search appliance and the certification authority that issued your certificate, you need to install the certificate of that certification authority on the search appliance. You can do this in Administration > Certificate Authorities > Add more Certificate Authorities in the Admin Console.
Once both steps are completed, you can configure LDAP communication in the LDAP configuration for either "Start TLS" on port 389 or SSL on port 636.
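The openssl check from the troubleshooting step and the trust check that follows the CA import, as an added shell example that is not part of the original article: it sorts the output of an openssl s_client probe into "no certificate on the DC" versus "certificate presented but not trusted" versus "ok", so the two causes above can be told apart. The host, port and CA file are placeholders chosen by the caller, and the abridged sample outputs are constructed so the classifier runs offline.

```shell
#!/bin/sh
# Added example (not from the original article): probe an Active Directory
# LDAPS port with openssl and sort the result into the two causes listed above.
# HOST, PORT and CAFILE are placeholders chosen by the caller.
# classify_probe: reads openssl s_client output on stdin and prints one of
#   no-certificate  handshake never completed, no certificate on the DC
#   untrusted       certificate presented but not chained to a trusted CA
#   ok              certificate presented and verified against the CA file
classify_probe() {
    out=$(cat)
    if ! printf '%s\n' "$out" | grep -q -e '-----BEGIN CERTIFICATE-----'; then
        echo no-certificate; return 1
    fi
    if printf '%s\n' "$out" | grep -q -e 'Verify return code: 0 (ok)'; then
        echo ok; return 0
    fi
    echo untrusted; return 2
}
# probe_ldaps HOST [PORT] [CAFILE]: live check. 636 is implicit SSL; 389 uses
# "Start TLS" (-starttls ldap needs OpenSSL 1.1.1 or later). CAFILE is the
# certificate of the CA that issued the DC certificate, i.e. the one the
# appliance must trust. Without CAFILE only the system trust store is used.
probe_ldaps() {
    host=$1; port=${2:-636}; cafile=$3; opts=""
    [ "$port" = 389 ] && opts="-starttls ldap"
    [ -n "$cafile" ] && opts="$opts -CAfile $cafile"
    openssl s_client -connect "$host:$port" $opts </dev/null 2>&1 | classify_probe
}
# Constructed, abridged samples of what s_client prints in each case.
SAMPLE_NO_CERT='CONNECTED(00000003)
write:errno=104
no peer certificate available'
SAMPLE_UNTRUSTED='CONNECTED(00000003)
-----BEGIN CERTIFICATE-----
MIIB...constructed placeholder...
-----END CERTIFICATE-----
Verify return code: 21 (unable to verify the first certificate)'
SAMPLE_OK='CONNECTED(00000003)
-----BEGIN CERTIFICATE-----
MIIB...constructed placeholder...
-----END CERTIFICATE-----
Verify return code: 0 (ok)'
# classify_sample no-cert|untrusted|ok: runs the classifier over one sample.
classify_sample() {
    case $1 in
        no-cert)   printf '%s\n' "$SAMPLE_NO_CERT" | classify_probe ;;
        untrusted) printf '%s\n' "$SAMPLE_UNTRUSTED" | classify_probe ;;
        ok)        printf '%s\n' "$SAMPLE_OK" | classify_probe ;;
    esac
}
```

Against a live domain controller, `probe_ldaps dc.example.com 636 ca.pem` should print `ok` once the CA certificate is correct; an `untrusted` result with the same CA file you imported into the appliance means that file is not the issuer of the domain controller's certificate.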