This document provides information and instructions for setting up Lightweight Directory Access Protocol (LDAP) authentication in CABI 3.x over Secure
Sockets Layer (SSL).
This guide follows the typical chronological order of setting up an SSL LDAP configuration. However, if some of the steps are already done, they can be
This document assumes that LDAP over non-SSL works perfectly fine (meaning, all the bind/base/group-mapping/search parameters etc., work fine when LDAP
With LDAP over non-SSL working, the only remaining change is to switch the connection to LDAP over SSL by following the steps in this document.
Obtain certutil and setup environment:
Certutil is a utility provided by Mozilla (it was previously obtained as part of the Netscape web browser). Mozilla provides an FTP site from which
certutil can be downloaded; the executable depends on binaries and libraries from both NSS and NSPR, so both packages are needed.
Navigate to the below URL:
- The above link shows platform-specific NSS binaries (version 3.11). Click on the "WINNT5.0_OPT.OBJ" folder.
- Download the file "nss-3.11.zip" and extract it to a directory (e.g. C:\Temp).
- You should see the following structure (e.g. C:\Temp\nss-3.11).
- Navigate to the below URL:
- The above link shows platform-specific NSPR binaries (version 4.4.1). Click on the "WINNT5.0_OPT.OBJ" folder.
- Download the file "nspr-4.4.1.zip" and extract it to a directory (e.g. C:\Temp).
- You should see the following structure (e.g. C:\Temp\nspr-4.4.1).
- Open a command prompt and navigate to the C:\Temp\nss-3.11\bin folder.
- In this command prompt, set the PATH environment variable as below (certutil.exe needs the NSS and NSPR DLL directories on the PATH):
- Running certutil.exe with no arguments should display the usage text listing the options supported by certutil. If it fails with a missing DLL error, the PATH is incomplete.
Create the cert database
Cert8.db and Key3.db files
The cert8.db and key3.db files are created and managed using certutil.
From the command line, you create a new cert8/key3 set using the following command:
certutil -N -d .
The command prompts for a password for the key database. Because this setup uses server authentication only, key3.db never holds a private key, so
the password protects little; still, choose one you can record securely, and use the same password for all of the keystores created in this
document, since the CMC is given a single key database password.
This command creates the files cert8.db, key3.db, and secmod.db in the current directory. You will only need the first two. Once the database is
created, you can add your CA certificate to it:
certutil.exe -A -n cert-name -t trustargs [-d certdir] [-i File]
certutil -A -n "MyCA" -t "CT" -d . -i cacert.cer
"MyCA" is only the nickname under which the certificate is stored; any name works and it does not need to be customized. The -t argument is a
trust string of the form SSL,S/MIME,JAR/XPI; "CT" with no commas applies to the SSL slot and is equivalent to "CT,,". The meaning of the C and T
flags is given in certutil's usage text, reproduced below. Note that for server authentication only the C flag (trusted to issue server
certificates) is required; T (trusted to issue client certificates) only matters if you later configure mutual authentication.
C:\>certutil -A -n "MyCA" -t "CT" -d . -i cacert.cer
C:\>certutil -L -d .
Certificate Nickname Trust Attributes (SSL,S/MIME,JAR/XPI)
The listing should now show the MyCA entry. The trust flag legend from certutil's usage text:
p Valid peer
P Trusted peer (implies p)
c Valid CA
T Trusted CA to issue client certs (implies c)
C Trusted CA to issue certs (only server certs for SSL) (implies c)
u User cert
w Send warning
Once the CA certificate is added as a trusted CA, this keystore is finished.
Cacerts keystore file
Note: Ensure that cert8.db, key3.db and cacerts are all in the same directory after the steps below are followed. The CMC is given a single
directory path for these files; if they are not together in that directory, the SSL LDAP bind fails.
Creating the cacerts keystore using keytool, which is required by the CABI InfoView application, is described below.
The creation of the keystore (called "cacerts") and the import of the CA certificate are performed with one command (the -file argument is the
same CA certificate file imported with certutil above; the page shows it here as certnew.cer). keytool prompts for a keystore password (use the
same one you gave certutil) and asks "Trust this certificate?"; answer yes, otherwise the certificate is not stored:
keytool -import -v -alias MyCA -file certnew.cer -trustcacerts -keystore cacerts
You can verify that the import was successful using the following command:
keytool -list -v -keystore cacerts
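The certutil and keytool steps above, collected into one script as an added example (this is not from the original document and not a CA-supplied
script). It assumes NSS and NSPR were extracted under C:\Temp exactly as described above, that the CA certificate was exported to
C:\Temp\ldapssl\cacert.cer, that a JDK keytool is on the PATH, and it uses the hypothetical nickname LDAP-CA; all of these are assumptions to adjust.
It differs from the page in one deliberate detail: it imports the CA with trust "C,," rather than "CT", which is all that server authentication needs.

```batch
@echo off
REM Added example, not part of the original page: build the NSS cert/key database and the
REM Java cacerts keystore for CABI LDAP-over-SSL (server authentication), then verify both.
REM Assumed paths and names (adjust to your environment):
setlocal
set NSS_HOME=C:\Temp\nss-3.11
set NSPR_HOME=C:\Temp\nspr-4.4.1
set CERTDIR=C:\Temp\ldapssl
set CACERT=%CERTDIR%\cacert.cer
set NICK=LDAP-CA

REM certutil.exe lives in nss\bin but loads DLLs from nss\lib and nspr\lib, so all three
REM directories go on the PATH for this session only.
set PATH=%NSS_HOME%\bin;%NSS_HOME%\lib;%NSPR_HOME%\lib;%PATH%

if not exist "%CACERT%" (
  echo CA certificate %CACERT% not found & exit /b 1
)
if not exist "%CERTDIR%" mkdir "%CERTDIR%"
cd /d "%CERTDIR%"

REM 1. New cert8.db / key3.db / secmod.db set. certutil prompts for the key database
REM    password; reuse the same password for the cacerts keystore below.
certutil -N -d . || exit /b 1

REM 2. Import the CA trusted to issue SERVER certificates only: "C" in the SSL slot of the
REM    SSL,S/MIME,JAR/XPI trust string. The T flag is not needed without mutual authentication.
certutil -A -n "%NICK%" -t "C,," -d . -i "%CACERT%" || exit /b 1

REM 3. Verify: the listing must show the nickname with trust attributes "C,,".
certutil -L -d . || exit /b 1

REM 4. Java keystore for InfoView, created in the same directory as the NSS files so the CMC
REM    can be pointed at one directory. keytool prompts for the keystore password;
REM    -noprompt answers the "Trust this certificate?" question for you.
keytool -import -v -noprompt -alias "%NICK%" -file "%CACERT%" -trustcacerts -keystore cacerts || exit /b 1
keytool -list -v -keystore cacerts || exit /b 1

REM 5. All three files the CMC needs, side by side:
dir /b cert8.db key3.db cacerts
endlocal
```

Run it from an ordinary command prompt; the directory it leaves behind (C:\Temp\ldapssl in the assumed layout) is the one to enter in the CMC as the
path to the certificate and key database files.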
Configuring LDAP in the CMC
A client certificate is required only for mutual authentication, which this document does not configure; if you do need one, request it from the
same CA at the time you retrieve the CA certificate.
Connecting to LDAP
- Type the host name and SSL port (usually 636) of your LDAP server and click on Add. Use the host name as it appears in the LDAP server's certificate (subject CN or subject alternative name) rather than an IP address, because server authentication checks that the name matches. Click Next.
- Select the appropriate LDAP server type or specify custom attribute mappings.
- Type the base DN for your LDAP server (e.g. 'dc=itg,dc=local'). You need to know the exact syntax of the LDAP Distinguished Name within the AD server. You
can use the dsquery command (e.g. dsquery user) on the AD server to obtain this information.
- Type the Distinguished Name and password of the bind account. This account only needs read access to search users and groups, so a dedicated service account is preferable to a domain administrator account.
- Select Server Authentication from the Type of SSL authentication dropdown list.
- Select the appropriate option for server-side SSL strength.
- Clear the "use default value" checkbox for "Path to the certificate and key database files" and type the path to the directory containing the
cert8.db, key3.db, and cacerts files (the directory, not an individual file name). Enter the key database password you chose when running certutil -N.
- Select whether or not to use Siteminder SSO. If selected, configure the Siteminder settings. This configuration is outside the scope of this document.
- On the LDAP users and aliases configuration page, you can specify whether new aliases are added to existing users and whether new users are created.
- Click Finish to apply the plugin configuration.
Mapping users and groups
In the LDAP tab of the authentication page, add the mappings in the Add LDAP group (by cn or dn) field (i.e.
- Click Update at the bottom of the page. Enterprise will map in the LDAP objects that you have specified.
You can log in to CABI InfoView and the CMC with an LDAP account to verify that LDAP authentication over SSL works.