How Do I Verify an LDAP Server’s Certificate with a Custom Certificate Authority?
How Do I Verify an LDAP Server’s Certificate with a Custom Certificate Authority when Integrating AC-Hunter with LDAP/Active Directory?
To start, copy the public certificate of the custom certificate authority to the machine running AC-Hunter.
The certificate authority file must be a .pem file, or a .cer file that uses Base64 (PEM) encoding rather than binary DER.
The path to the certificate authority must be made available to the ‘achunter_auth’ Docker container. In order to do this, two files must be edited:
First, in ‘/etc/AC-Hunter/config.yaml’, the ‘CAPath’ field under ‘Authorization>Providers>LDAP>TLS’ must be set to the path where the certificate will reside within the Docker container.
‘/usr/lib/ssl/certs/’ is recommended, though any valid, unrestricted path will work.
Ex:
Authorization:
  Providers:
    LDAP:
      - Name: ...
        Hostname: ...
        Port: 636
        TLS:
          Enabled: true
          VerifyCertificate: true
          CAPath: /usr/lib/ssl/certs/achunter.pem
Second, a bind mount must also be added in ‘/opt/AC-Hunter/docker/auth.yml’.
The path given for the “target” of the bind mount must match the entry for ‘CAPath’ in ‘/etc/AC-Hunter/config.yaml’. Under the “volumes” section, add a new entry:
- type: bind
  source: /path/to/certificate/on/host
  target: /usr/lib/ssl/certs/achunter.pem
  read_only: true
After editing these files, run:
hunt up -d --force-recreate
Warning: ‘/opt/AC-Hunter/docker/auth.yaml’ is overwritten on each upgrade. This file will need to be updated with the new bind mount after each upgrade of AC-Hunter.
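The steps above fail silently in a few predictable ways: the CA file is a binary DER export rather than Base64 PEM, the CAPath in config.yaml does not match the bind-mount target, or the bind-mount source does not exist on the host. The following pre-flight check is an added example, not code shipped with AC-Hunter or by Active Countermeasures. It uses only the Python standard library, extracts the relevant keys with simple line-based regexes (an assumption that works for one LDAP provider and one bind mount; it is not a full YAML parser), and runs against constructed sample file contents, so the certificate body and the services/achunter_auth layout of the auth file are placeholders, not real values.

```python
"""Pre-flight check for the AC-Hunter custom-CA setup (added example).

Verifies, before `hunt up -d --force-recreate` is run:
  1. the CA file is a Base64 PEM certificate, not binary DER;
  2. VerifyCertificate is true and CAPath equals the bind-mount target;
  3. the bind-mount source exists on the host.
"""
import base64
import os
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)


def check_ca_file(data: bytes) -> str:
    """Classify raw CA-file bytes as 'pem', 'der' or 'invalid'."""
    # A binary DER export starts with an ASN.1 SEQUENCE tag (0x30); that is
    # the .cer format AC-Hunter will not accept for CAPath.
    if data[:1] == b"\x30":
        return "der"
    text = data.decode("ascii", errors="replace")
    m = PEM_RE.search(text)
    if not m:
        return "invalid"
    try:
        der = base64.b64decode(re.sub(r"\s+", "", m.group(1)), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "invalid"
    # The decoded body must itself be a DER SEQUENCE to be a certificate.
    return "pem" if der[:1] == b"\x30" else "invalid"


def extract(key: str, text: str):
    """Return the scalar value of the first `key: value` line, or None."""
    m = re.search(rf"^\s*-?\s*{key}:\s*(\S+)\s*$", text, re.M)
    return m.group(1) if m else None


def check_mount(config_yaml: str, auth_yml: str, host_exists=os.path.exists):
    """Cross-check config.yaml against the auth compose file.

    Returns a list of human-readable problems; an empty list means the
    two files agree and the host-side certificate is present.
    """
    problems = []
    ca_path = extract("CAPath", config_yaml)
    verify = extract("VerifyCertificate", config_yaml)
    target = extract("target", auth_yml)
    source = extract("source", auth_yml)
    if ca_path is None:
        problems.append("CAPath is not set under Authorization>Providers>LDAP>TLS")
    if verify != "true":
        problems.append("VerifyCertificate is not true; the CA will not be enforced")
    if target is None or source is None:
        problems.append("bind mount with source/target not found in auth file")
    elif ca_path is not None and ca_path != target:
        problems.append(f"CAPath {ca_path} != bind-mount target {target}")
    if source is not None and not host_exists(source):
        problems.append(f"bind-mount source {source} not found on host")
    return problems


# Constructed samples: a placeholder DER SEQUENCE stands in for a real CA cert.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

CONFIG_YAML = """\
Authorization:
  Providers:
    LDAP:
      - Name: corp-ad
        Hostname: dc01.corp.example
        Port: 636
        TLS:
          Enabled: true
          VerifyCertificate: true
          CAPath: /usr/lib/ssl/certs/achunter.pem
"""

AUTH_YML_GOOD = """\
services:
  achunter_auth:
    volumes:
      - type: bind
        source: /etc/ssl/custom-ca.pem
        target: /usr/lib/ssl/certs/achunter.pem
        read_only: true
"""

# Same file with a target that does not match CAPath.
AUTH_YML_BAD = AUTH_YML_GOOD.replace("achunter.pem", "ca.pem")

if __name__ == "__main__":
    print("CA file:", check_ca_file(SAMPLE_PEM))
    # Pretend the host-side file exists for the demonstration.
    print("good:", check_mount(CONFIG_YAML, AUTH_YML_GOOD, lambda p: True))
    print("bad:", check_mount(CONFIG_YAML, AUTH_YML_BAD, lambda p: False))
```

In real use, replace the sample strings with the contents of ‘/etc/AC-Hunter/config.yaml’ and ‘/opt/AC-Hunter/docker/auth.yml’ and pass the raw bytes of the CA file to check_ca_file; running it after every upgrade also catches the bind mount being lost when the auth file is overwritten.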
Direct Link to this FAQ Item: https://portal.activecountermeasures.com/support/faq/?Display_FAQ=4571