Questions about setting up LTB in Active Directory

[NetworkNecromancer]

Hey there,

I am working to get LTB set up. I work at a school district and we want to get this set up to allow kiddos to change their password.

The base use function of allowing a password reset as long as the current password is known is perfect.

I have this halfway set up on an Ubuntu deployment and integrating it with Active Directory. I am having a couple of issues connecting it to Active Directory. I see that TLS is required as part of the documentation here:

https://self-service-password.readthedocs.io/en/latest/config_ldap.html#active-directory
and
https://ltb-project.org/documentation/active_directory_certificates.html

The certificate for the AD has been created long ago and I imported that into the Debian/Ubuntu file path. I also confirmed that the cipher's "should" match.

I see Apache error logs that it doesn't match. Is there anywhere else to check for this? I followed what I could on the documentation & got stuck.

Any help will be greatly appreciated.

Thanks!

[coudot]

Did you enable debug logs?

[NetworkNecromancer]

I did. I was looking at the logs at /var/log/apache2/error.log.

Is there another place that the debug logs are sent that can give me more info (does it send it to syslog or another file?)

[coudot]

If using Apache, the logs are in the file defined by ErrorLog directive, by default error.log

You should have the full debug of the LDAP connection

[NetworkNecromancer]

Okay, that was helpful thank you.

I think I have this done almost. I found a couple of lines that I configured incorrectly. I appreciate your time.

I got to the point with Windows AD where it will refuse to change the password from Windows AD due to plain text.
When swapping the URI to ldaps://my.domainldapserver.local it refuses to connect. I am nearly certain I have troubleshooted that down to the SSL connection over LDAPS.

The documentation says that for Ubuntu it uses the path /etc/ldap/ldap.conf, the certificate directory referenced in that config file points to /etc/ssl/certs/ca-certificates.crt.

Do you know if that is the correct directory/file to place the root CA cert? Or is there a place that I missed in the documentation?

Again, I greatly appreciate your time.

[coudot]

The best is to install the CA cert on your system with https://manpages.ubuntu.com/manpages/xenial/man8/update-ca-certificates.8.html

[NetworkNecromancer]

Hey coudot,

I got this working. I didn't realize that under the /etc/ldap/ldap.conf there is a variable that is used which is TLS_CACERT needed to be pointed at my root certificate vs the master ca.certificates.crt as soon as I updated this file path it worked.

Thanks so much for pointing me in the correct direction!