Publishing to Active Directory 

When configuring an Active Directory LDAP publisher, the Bind DN for a user (the DN of the user object in AD) usually has the form:

cn=user,cn=Users,dc=domain-component1,dc=domain-component2

For example, for the domain primekey.com:

cn=User Usersson,cn=Users,dc=primekey,dc=com

If your own DN and the base DN of your AD domain look like the following examples:

DN

cn=Ejbca1,o=MyOrg,c=SE

Base DN

DC=Security,DC=Software,DC=MyOrg

then the AD publisher should use the Users container of the domain as its Base DN, that is, the domain's base DN prefixed with cn=Users (the first DN plays no part in it):

cn=Users,dc=Security,dc=Software,dc=MyOrg

For Login DN, use the full LDAP name of the account the publisher binds as, for example:

CN=Administrator,CN=Users,dc=primekey,dc=se

Prefer a dedicated service account that has only been granted the rights to create and modify objects in the target container over a domain administrator account; the publisher stores this account's password in its configuration.

To connect to AD through SSL, issue a server certificate for LDAP over SSL (as a PKCS#12 file containing the private key) to the domain controller, following Microsoft knowledge base article 321051 (enabling LDAP over SSL with a third-party certification authority). The certificate must carry the Server Authentication extended key usage and the domain controller's fully qualified host name in its subject or subject alternative name; configure that same host name, not an IP address, in the publisher.

The same certificate is used for both AD (LDAP, port 636) and the global catalog (GC, port 3269). Remember to add the issuing CA certificate (and any intermediate CA certificates) to the domain controller's trusted root certificate store as well: the domain controller only uses a certificate that chains to a CA it trusts.

To publish a CRL to Active Directory, use a Base DN under the CDP container of the forest's Configuration partition. The CN directly under CN=CDP names the publishing server (Windows CAs use the CA server's host name there):

CN=somename,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=somemachine,DC=primekey,DC=se

The CRL object is created as CN=<CA name> under that Base DN, so the CRL Distribution Point in issued certificates must point to exactly that object, with spaces percent-encoded as %20 and the attribute, scope and filter given after the DN:

ldap:///CN=Test%20MS%20SC%20Logon%20CA%20v1,CN=somename,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=somemachine,DC=primekey,DC=se?certificateRevocationList?base?objectClass=cRLDistributionPoint
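The following shell script is added here as an example and is not part of the EJBCA documentation or the EJBCA project. It derives the DNs used above (the Users container Bind DN and the CDP Base DN) from a DNS domain name and builds the percent-encoded CRL Distribution Point URL for the CRL object, so the URL in the certificate profile and the publisher's Base DN cannot drift apart. The domain somemachine.primekey.se, the server name somename and the CA name "Test MS SC Logon CA v1" are the page's placeholders; the optional check assumes the OpenLDAP client tools (ldapsearch) and a reachable domain controller.

```shell
#!/bin/sh
# Added example, not from the EJBCA documentation: build the DNs used by an
# AD publisher from a DNS domain name, and the LDAP CRL Distribution Point
# URL for the CRL object EJBCA publishes. The domain somemachine.primekey.se,
# server name "somename" and CA name "Test MS SC Logon CA v1" are the page's
# placeholders; ldapsearch (OpenLDAP client tools) is assumed for the check.

# primekey.com -> dc=primekey,dc=com (attribute type names are case-insensitive,
# so dc= and DC= are equivalent)
dns_to_dc() {
    printf '%s\n' "$1" | awk -F. '{
        for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i
    }'
}

# DN of a user in the default Users container, the usual Bind/Login DN form.
user_bind_dn() {
    printf 'cn=%s,cn=Users,%s\n' "$1" "$(dns_to_dc "$2")"
}

# Base DN of the publisher for CRLs: the CDP container in the Configuration
# partition, with the publishing server's name directly under CN=CDP.
cdp_base_dn() {
    printf 'CN=%s,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,%s\n' \
        "$1" "$(dns_to_dc "$2")"
}

# Percent-encode the characters that would break an LDAP URL: '%' first so
# it is not double-encoded, then space and the URL delimiters '?', '#', '<',
# '>' and '"'. ',' and '=' stay as-is, matching the URLs Windows CAs emit.
url_encode_dn() {
    printf '%s\n' "$1" | sed -e 's/%/%25/g' -e 's/ /%20/g' -e 's/?/%3F/g' \
        -e 's/#/%23/g' -e 's/</%3C/g' -e 's/>/%3E/g' -e 's/"/%22/g'
}

# Full CDP URL: the CRL object CN=<CA name> under the base DN, followed by
# attribute (certificateRevocationList), scope (base) and filter.
cdp_url() {
    dn="CN=$1,$(cdp_base_dn "$2" "$3")"
    printf 'ldap:///%s?certificateRevocationList?base?objectClass=cRLDistributionPoint\n' \
        "$(url_encode_dn "$dn")"
}

# Check that the CRL object exists and carries a CRL (needs a reachable DC;
# not run automatically). $1 host, $2 bind DN, $3 password file, $4 CA name,
# $5 server name, $6 domain. An empty result means the publisher never wrote
# the object or the URL in the certificate profile names a different DN.
check_crl_object() {
    ldapsearch -x -H "ldaps://$1" -D "$2" -y "$3" -s base \
        -b "CN=$4,$(cdp_base_dn "$5" "$6")" \
        '(objectClass=cRLDistributionPoint)' certificateRevocationList
}

user_bind_dn "User Usersson" primekey.com
cdp_base_dn somename somemachine.primekey.se
cdp_url "Test MS SC Logon CA v1" somename somemachine.primekey.se
```

Run it without arguments to print the three values for the page's placeholders; call check_crl_object with a bind DN and a password file after the first CRL has been published to confirm that the object the certificate profile points at really exists and holds a certificateRevocationList attribute.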

Using LDAPS

To use LDAPS (LDAP over TLS) when publishing to AD, do the following:

  1. Configure your publisher in EJBCA to use TLS by checking the TLS Connection option and changing the port to 636.

  2. Because EJBCA uses the Java LDAP library, the certificate of the (root) CA that signed the AD server certificate must be present in the trust store of the JVM that runs EJBCA ($JAVA_HOME/jre/lib/security/cacerts on Java 8 and earlier; $JAVA_HOME/lib/security/cacerts on Java 9 and later, which has no jre directory).
    Add a CA certificate to the Java trust store using the following command (the default password of cacerts is changeit):
    keytool -import -trustcacerts -alias MyCA -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -file myca.der
    Note that cacerts is replaced when the JDK is upgraded, so the import has to be repeated after an upgrade, and that the application server running EJBCA must be restarted before the new trust anchor is used.
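The following shell script is added here as an example and is not part of the EJBCA documentation or the EJBCA project. It carries steps 1 and 2 through from the operator's side: it finds cacerts for the Java version in use, shows the server certificate the domain controller presents on port 636 so you can check the host name and the issuing CA before trusting anything, and imports the CA certificate with keytool and verifies the entry. The host name dc1.primekey.se, the file myca.der and the alias MyCA are assumptions, and the network and keytool steps only run when you pass arguments.

```shell
#!/bin/sh
# Added example, not from the EJBCA documentation: prepare the Java trust
# store that the EJBCA LDAPS publisher relies on. Host name, file name and
# alias below are assumptions; the network/keytool steps need a real domain
# controller and a JDK and therefore only run when arguments are passed.

# Print the cacerts path for the JDK under $1: Java 8 and earlier keep it in
# jre/lib/security, Java 9+ in lib/security (no jre/ directory any more).
java_cacerts_path() {
    for p in "$1/jre/lib/security/cacerts" "$1/lib/security/cacerts"; do
        if [ -f "$p" ]; then
            printf '%s\n' "$p"
            return 0
        fi
    done
    return 1
}

# Show the server certificate the domain controller presents on 636: check
# that the subject/SAN contains the host name you configure in the publisher
# and note the issuer, which is the CA you need to trust (add -showcerts to
# s_client to see intermediates). Needs OpenSSL 1.1.1+ for -ext.
show_dc_cert() {
    openssl s_client -connect "$1:636" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer -ext subjectAltName -dates
}

# Import the CA certificate (DER or PEM) into cacerts and verify it landed.
# -trustcacerts makes keytool accept it as a trust anchor; -noprompt skips
# the interactive "Trust this certificate?" question. $1 file, $2 alias.
import_ca_cert() {
    store="$(java_cacerts_path "${JAVA_HOME:?JAVA_HOME must be set}")" || {
        echo "cacerts not found under $JAVA_HOME" >&2
        return 1
    }
    keytool -importcert -trustcacerts -noprompt -alias "$2" -file "$1" \
        -keystore "$store" -storepass changeit &&
    keytool -list -keystore "$store" -storepass changeit -alias "$2"
}

# Usage: sh ldaps-trust.sh dc1.primekey.se myca.der MyCA
if [ "$#" -eq 3 ]; then
    show_dc_cert "$1"
    import_ca_cert "$2" "$3"
fi
```

If you would rather not touch the JDK's own cacerts (which an upgrade overwrites), import into a separate keystore and point the EJBCA JVM at it with the -Djavax.net.ssl.trustStore and -Djavax.net.ssl.trustStorePassword system properties; the import command is the same apart from the -keystore argument.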