our current LDAP Configuration contains several LDAP Endpoints (AD Domains) that connect to the IP Addresses of Domain Controllers.
As you know, Microsoft will soon release Windows Server Security Updates that will disable LDAP and only allow LDAPS on Domain Controllers.
Currently, Domain Controllers enroll their SSL Certificate for Kerberos Authentication (and LDAPS SSL) automatically via Internal PKI.
The Autoenrolled Certificates contain 3 SAN Names: the FQDN of the DC, the FQDN of the AD Domain, the short name of the AD Domain. They do not contain a SAN for the IP Address of the DC.
Given the fact that the LDAP Endpoints only allow for IP Addresses, these questions arise:
1) Does the Kemp LoadMaster allow the LDAPS TLS Handshake, if the SSL Certificate does not contain the IP Address?
2) Does the Kemp LoadMaster verify the SSL Certificate Chain of the presented LDAPS Certificate?
3) If 2) = yes, where can I import the Root Certificate of the Internal PKI, so that it is trusted?
Thank you very much,
1) Yes we will allow the LDAPS even without an IP in the cert. Beyond that, though you can add LDAP endpoints as a FQDN, you just need to make sure you have a valid DNS entry so the LoadMaster can resolve it.
2 and 3) We will not verify it. However if for whatever reason you need to verify the chain via a root cert(SAML or client certs for example) you can add the root cert as an intermediate cert.