Directory Sync - LDAPS

Hi,

We are in the process of migrating from LDAP -> LDAPS on one of our primary domains.
Due to the fact that we don't have a PKI / CA issuer present in the environment, we have used PowerShell to create a self-signed certificate.

This also means that in the cert chain, our CA and certificate are the same / the CA is not present.
So we also disabled “SSL Verify hostname” on the Directory sync settings page at duo.com.

Currently we are facing the issue that we can't enable LDAPS, since the website reports the error “The directory server credentials were rejected.”
In the authproxy.txt logfile, it breaks with an OpenSSL error: “OpenSSL.SSL.Error: [(‘SSL routines’, ‘ssl3_get_server_certificate’, ‘certificate verify failed’)]”

According to DUO's documentation, we have tried the following:
1. Upgrading to the latest DUO build
2. Tried with a *.domain.local certificate
3. Tried with a DCName.domain.local certificate (https://help.duo.com/s/article/2220?language=en_US)
4. Trusted the self-signed certificate in the Windows cert store on the server where the DUO Auth Proxy is installed.

So the million dollar question:
How can we set up LDAPS from the Auth Proxy -> domain controller while using a self-signed certificate?

Thanks for being a Duo (not DUO) customer!

It sounds like you are trying to modify an existing AD Sync config to use LDAPS, based on your mention of unchecking the “SSL Verify Hostname” option. Is that the only config you’re trying to migrate to LDAPS, or do you also have [ad_client] or [ldap_server_auto] configuration sections on your proxy server that you want to bump up to LDAPS?

For sync: Did you export the DC’s self-signed cert as a Base-64 encoded X.509 (CER), open it in a text editor, copy the entire contents, and paste that into the “SSL CA certs” field of the sync config? The Authentication Proxy’s local certificate store is not consulted, so the #4 thing you tried wouldn’t have had any effect. Double-check the SSL cert in the Duo Admin Panel sync config.

For future reference, this is a perfect question for our awesome technical support team. If that suggestion didn’t fix your problem, or you have other configs besides directory sync you want to switch to LDAPS, then please contact them for in-depth troubleshooting assistance.
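As an added example (not code from this thread, from Duo, or from the Authentication Proxy), the PowerShell below does the three things the reply above relies on: find (or, if missing, create) the self-signed LDAPS certificate on the domain controller, export only its public part as Base-64 X.509 text suitable for the “SSL CA certs” field, and then open a TLS connection to port 636 to confirm the DC is actually serving that same certificate. The last check matters because the proxy's OpenSSL verifies the served certificate against the pasted one only, so an exported certificate that the DC is not presenting still produces “certificate verify failed”. `$DcFqdn`, the output file name and the elevated-session-on-the-DC setup are assumptions; adjust them for your environment.

```powershell
# Added example, not code from the original thread or from Duo.
# Assumptions (hypothetical): run in an elevated PowerShell session on the domain
# controller; $DcFqdn is the name the Authentication Proxy connects to on 636.
$DcFqdn  = 'dc01.domain.local'
$OutFile = Join-Path $PWD 'dc-ldaps.cer'

# 1. Locate a certificate Schannel can use for LDAPS: in LocalMachine\My, with a
#    private key, the Server Authentication EKU and the DC's FQDN in the SAN list.
$serverAuthEku = '1.3.6.1.5.5.7.3.1'
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        (($_.EnhancedKeyUsageList | ForEach-Object ObjectId) -contains $serverAuthEku) -and
        (($_.DnsNameList | ForEach-Object Unicode) -contains $DcFqdn)
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

# 1b. None found: create a self-signed one the way the poster did, with a SAN for the
#     DC name, a 2048-bit RSA key that cannot be exported, and only the server-auth EKU.
if (-not $cert) {
    $cert = New-SelfSignedCertificate -DnsName $DcFqdn `
        -CertStoreLocation 'Cert:\LocalMachine\My' `
        -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
        -KeyExportPolicy NonExportable `
        -TextExtension @("2.5.29.37={text}$serverAuthEku") `
        -NotAfter (Get-Date).AddYears(2)
}
Write-Host "Using $($cert.Subject) thumbprint $($cert.Thumbprint)"

# 2. Export the PUBLIC certificate only, as Base-64 X.509 (PEM). X509ContentType::Cert
#    never includes the private key, which is what the Admin Panel field expects.
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$b64 = [Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks)
$pem = "-----BEGIN CERTIFICATE-----`r`n$b64`r`n-----END CERTIFICATE-----`r`n"
[System.IO.File]::WriteAllText($OutFile, $pem, [System.Text.Encoding]::ASCII)
Write-Host "Wrote $OutFile - paste its entire contents into the 'SSL CA certs' field."

# 3. Handshake with the DC on 636 and capture what it really serves. Validation is
#    switched off here on purpose: we only want to inspect the presented certificate.
$tcp     = New-Object System.Net.Sockets.TcpClient($DcFqdn, 636)
$noCheck = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
$ssl     = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $noCheck)
try {
    $ssl.AuthenticateAsClient($DcFqdn)
    $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
} finally {
    $ssl.Dispose(); $tcp.Close()
}

if ($served.Thumbprint -eq $cert.Thumbprint) {
    Write-Host "OK: the DC serves the exported certificate on 636."
} else {
    # Schannel chooses the server certificate itself; if the DC still presents an older or
    # different one, the proxy rejects it regardless of what was pasted.
    Write-Warning ("DC serves thumbprint {0}, not {1}. Export the served certificate instead, " +
                   "or remove the stale one and let the DC pick up the new certificate.") -f
                   $served.Thumbprint, $cert.Thumbprint
}

# 4. Only relevant once 'SSL Verify hostname' is re-enabled: the name the proxy connects
#    with must appear in the served certificate's SAN list.
$sanNames = @($served.DnsNameList | ForEach-Object Unicode)
if ($sanNames -notcontains $DcFqdn) {
    Write-Warning "Served certificate has no SAN for $DcFqdn (SANs: $($sanNames -join ', '))"
}
```

Run it once before pasting anything into the Admin Panel and again after saving the sync config; if step 3 reports a thumbprint mismatch, the certificate in the “SSL CA certs” field is not the one the proxy is being shown, and no amount of trusting it in the Windows store on the proxy host will change that.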

Hi,

Correct - we are trying to change an existing AD Sync to use LDAPS instead of LDAP.
We do have several other [ad_client] and [ldap_server_auto] sections configured, but these are already using LDAPS.

Forgot to mention that we already exported the certificate as a Base-64 X.509 CER.
But since it's a self-signed certificate, there is no CA chain - only the “Certificate” and the private key.
We tried this with both a *.domain.local and a DC.domain.local certificate - but it didn't resolve the issue…

We have already created a support ticket, but are in a hurry to fix this issue - so we also created a support ticket.