topic Re: Schema-free directory settings. Which certificate is meant to be imported in Server Management - Remote Server Management

Schema-free directory settings. Which certificate is meant to be imported

Cederberg — Mon, 04 Dec 2023 02:53:01 GMT

Hi.
We are looking in to using schema-free directory integration instead of the extended schema integration we have been using for years (Active directory).
My question is regarding the Certificate one can import. To me it's not very clear which Certificate we are meant to paste. I'm not a certificate expert and in my experiance different sfotware vendors mean different things when refering to a CA certificate.
Are we meant to import the exact certificate of the active directory server or the root + intermidate certificate which was used to issue/sign the certificate used on the Active directory server (Chain)?
Best Regards
//Cederberg

Re: Schema-free directory settings. Which certificate is meant to be imported

GM_M — Wed, 22 Nov 2023 04:22:53 GMT

Hi Cederberg ,

I hope this guide helps you to import CA certificate https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=sd00001038en_us&page=GUID-03624D12-0B38-4C91-A64C-A76ADC362207.html

I hope even this Video might be a bit of help
https://support.hpe.com/hpesc/public/videoDisplay?videoId=vtc00000858en_us

You need to import a CA signed certificate which is Signed from the Active Directory in your case.

Thanks and Regards,
Manoj.

Re: Schema-free directory settings. Which certificate is meant to be imported

Cederberg — Wed, 22 Nov 2023 07:05:48 GMT

Hi GM_M
I may be wrong here but the first link is to add a Web certificate to the ilo it self. The certificate i'm asking about is the one thats meant to verify that the LDAPS servers are using vaild certificates. It should be the chain, in our case the intermidiate + root certificate. But in other implementations from other manufacutrers it has been the exact certificate from the domain controller you need to point directly to.
In this link it only says import a new CA certificate
https://support.hpe.com/hpesc/public/docDisplay?docId=sd00002007en_us&page=GUID-D7147C7F-2016-0901-06D0-000000000D16.html
So im confused as to what certificate to use. I know i can skip importing a certificate and it will not verify the LDAPS certificate but that will lower the security implemented as it will accept any certificate then.

Regards
//Cederberg

Re: Schema-free directory settings. Which certificate is meant to be imported

Rama2 — Wed, 29 Nov 2023 07:24:12 GMT

Kindly try to import the root certificate of the AD (Active Directory) in order to work.

Re: Schema-free directory settings. Which certificate is meant to be imported

Cederberg — Wed, 29 Nov 2023 07:34:47 GMT

Hi.

I have got it to work by importing the intermidiate+root certificate from our CA that also signs the Active directory servers LDAPS certificates.
The test still flags a warning Certificate subject Mismatch, verify OK.
As the intermidiate+ root CA is only the chain for the active directory certificates it makes sence.
I also tried setting the LDAP server setting to a specific Domain controller instead of the dns roundrobin for the domain and import the certificate for that server but the test cam up with the same warning. Looking at the certificate that i imported it did not report a subject either. So i guess if i want it to work with no warning i need to get a new certificate with either a wildcard *.domainname or point to a specific domaincontroller and get a certificate with that domaincontrollers name in the subject.

Best ragards
Cederberg

Re: Schema-free directory settings. Which certificate is meant to be imported

Rama2 — Fri, 01 Dec 2023 02:55:17 GMT

Yes, obtaining a wildcard certificate for *.domainname or obtaining a certificate specifically for the intended Domain Controller, with the Domain Controller's name included in the subject field, might eliminate the warning and ensure seamless LDAPS functionality. If you still encounter any issues, kindly raise a ticket with HPE for further troubleshooting