How Do I Verify an LDAP Server’s Certificate with a Custom Certificate Authority?

How Do I Verify an LDAP Server’s Certificate with a Custom Certificate Authority when Integrating AC-Hunter with LDAP/Active Directory?

To start, copy the public certificate of the custom certificate authority to the machine running AC-Hunter.

The certificate authority file must be base64 (PEM) encoded, saved as either a .pem or a .cer file.

The path to the certificate authority must be made available to the ‘achunter_auth’ Docker container. In order to do this, two files must be edited:


First, in ‘/etc/AC-Hunter/config.yaml’, the ‘CAPath’ field under ‘Authorization>Providers>LDAP>TLS’ must be set to the path where the certificate will reside within the Docker container.

‘/usr/lib/ssl/certs/’ is recommended, though any valid, unrestricted path inside the container will work.

Ex:

Authorization:
  Providers:
    LDAP:
    - Name: ...
      Hostname: ...
      Port: 636
      TLS:
        Enabled: true
        VerifyCertificate: true
        CAPath: /usr/lib/ssl/certs/achunter.pem


Second, a bind mount must also be added in ‘/opt/AC-Hunter/docker/auth.yml’.

The path given for the “target” of the bind mount must match the entry for ‘CAPath’ in ‘/etc/AC-Hunter/config.yaml’. Under the “volumes” section for the ‘achunter_auth’ container, add a new entry:

- type: bind
  source: /path/to/certificate/on/host
  target: /usr/lib/ssl/certs/achunter.pem
  read_only: true


After editing these files, run:

hunt up -d --force-recreate


Warning: ‘/opt/AC-Hunter/docker/auth.yaml’ is overwritten on each upgrade. This file will need to be updated with the new bind mount after each upgrade of AC-Hunter.
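As an added check, before (and after each upgrade, when re-adding the bind mount) you can confirm the three things this procedure depends on: that the CA file really is base64 PEM rather than binary DER, that the ‘CAPath’ value and the bind-mount ‘target’ agree, and that a TLS handshake to the LDAP server on port 636 actually verifies against that CA. This is an example script, not part of AC-Hunter or this FAQ; the sample file contents are constructed and the hostname you pass in is assumed.

```python
import base64
import re
import socket
import ssl

# Every "-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----" block in the file.
_PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def classify_ca_file(data: bytes) -> str:
    """'pem' for a base64 PEM certificate (or bundle), 'der' for a binary DER
    certificate that still needs converting, 'invalid' for anything else."""
    blocks = _PEM_BLOCK.findall(data)
    if blocks:
        for body in blocks:
            try:  # validate=True rejects any non-base64 character
                der = base64.b64decode(b"".join(body.split()), validate=True)
            except ValueError:
                return "invalid"
            if not der.startswith(b"\x30"):  # a certificate is an ASN.1 SEQUENCE
                return "invalid"
        return "pem"
    # Binary DER also starts with the SEQUENCE tag; convert it with
    # openssl x509 -inform der -in ca.cer -out ca.pem
    return "der" if data.startswith(b"\x30") else "invalid"


def paths_consistent(capath: str, bind_target: str) -> bool:
    """CAPath in config.yaml must equal the bind-mount target in auth.yml."""
    return capath.strip() == bind_target.strip()


def verify_ldap_tls(host: str, cafile: str, port: int = 636) -> dict:
    """Handshake with the LDAPS port trusting only the custom CA. Raises
    ssl.SSLCertVerificationError if the chain or hostname does not verify,
    the same failure AC-Hunter would see with VerifyCertificate: true."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + check_hostname
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return {"subject": dict(x[0] for x in cert["subject"]),
            "issuer": dict(x[0] for x in cert["issuer"]),
            "notAfter": cert["notAfter"]}


# Constructed sample inputs, not real certificates: the base64 body decodes to a
# bare ASN.1 SEQUENCE, which is all the format check inspects.
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
SAMPLE_DER = base64.b64decode(b"MAMCAQE=")
SAMPLE_KEY = b"-----BEGIN PRIVATE KEY-----\nMAMCAQE=\n-----END PRIVATE KEY-----\n"
```

Run `classify_ca_file` on the bytes of your CA file and `verify_ldap_tls("ldap.example.com", "/path/to/ca.pem")` with your own server name; a hostname or chain mismatch surfaces here as an exception rather than as a failed AC-Hunter login.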


Direct Link to this FAQ Item: https://portal.activecountermeasures.com/support/faq/?Display_FAQ=4571

Category: Server Configurations & Functionality