Step-By-Step: Enabling the Lightweight Directory Access Protocol on an Azure AD Managed Domain


In Active Directory environment, the Lightweight Directory Access Protocol (LDAP) is responsible for reading and writing data from AD. By default, the LDAP traffic is transmitted in and unsecure format. You can secured this by transmitting based on SSL. When you have a hybrid or cloud only setup this is important. The idea behind this post is to demonstrate how to enable a secure LDAP on Azure AD managed domain.

There is few prerequisite required to perform this task.

1)    Azure AD Domain Service – Azure AD domain service must be enabled and configured with all prerequisite. If you need any help over please refer to my last few posts which explain how to configure.
2)    SSL Certificate – It is need to have valid SSL certificate and it need to be from valid certificate authority such as public certificate authority, enterprise certificate authority. Also you can still use self-sign SSL certificate.

In my demo,
1)    I have already configured a Azure AD managed domain and running with active subscription

sldap1

2)    I got an Azure VM connected to Azure managed domain and I will be using it to demonstrate to enable Secure LDAP.
3)    I am going to use self-signed certificate to create the secure LDAP

Create self-signed certificate

1)    Log in to domain joined server, or PC and open windows power-shell session as administrator.
2)    Execute following

$validtill=Get-Date
New-SelfSignedCertificate -Subject *.rebeladmin.onmicrosoft.com -NotAfter $validtill.AddDays(365) -KeyUsage DigitalSignature, KeyEncipherment -Type SSLServerAuthentication -DnsName *.rebeladmin.onmicrosoft.com

In here you can replace rebeladmin.onmicrosoft.com with your managed domain name.

This will generate the self-sign certificate.

sldap2

Export the SSL Certificate

Now we have the certificate, but we need to export it to use to enable secure LDAP.
1)    Log in to the PC or Server which generated certificate as administrator
2)    Go to run > mmc

sldap3

3)    File > Add/remove Snap-in

sldap4

4)    Select Certificates and click on button Add

sldap5

5)    Then select the Computer Account and click next

sldap6

6)    Select local computer and click on finish

sldap7

7)    Click on OK to open the certificate mmc

sldap8

8)    Then in console go to Personal > Certificates and you can see the new self-signed certificate we just created in previous step

sldap9

9)    Right click on the certificate and click on All tasks > export

sldap10

10)    Then its start the certificate export wizard, click on next to start

sldap11

11)    In this window select option “Yes, export the private key” and click on next
12)    Leave the .pfx option selected and click next

sldap12

13)    In next window define a password and click on next

sldap13

14)    Then define the location to save the file and click on next

sldap14

15)    Click on finish to complete the export process

sldap15

Enable Secure LDAP

Now we got the SSL exported and ready. Now it’s time to enable the secure LDAP.
1)    Log in to the azure portal and load the Azure Domain Services configuration page for your relevant directory

sldap16

2)    Then to the domain service section and click on “configure certificate” button

sldap17

3)    Then brows for the .pfx file we just exported and provide the password, then click ok to proceed

sldap18

4)    After few minutes we can see the secure LDAP is enabled

sldap19

5)    The next step is to enable the secure LDAP connection over the internet for your managed domain. For that click on the “Yes” for the option “Enable secure LDAP access over the internet” and the click save

sldap20

sldap21

6)    After few minute we can see the feature is enabled and also displaying the public ip address which can use on this.

sldap22

7)    If you wish to use secure ldap over the internet you need to create DNS entry in your dns provider and create A record to point domain to the public ip address its given.

Comments (4)

  1. tony says:

    Preface to the question we are an 0365/azure entity with a custom domain with ad sync.

    Quick question if you don’t mind since in your case you have a onmicrosoft domain your dns A record points to rebeladmin.onmicrosoft.com in this case the ip is 23.96.124.68 and rebeladmin.onmicrosoft.com is your authenticating domain but in our case we have a custom domain lets say its called xyz.org but in our case that has a an A record pointing to something else. Hopefully we can as an example use ldaps.xyz.org with the A record pointing to the appropriate IP. My gut feeling is that is not allowed and that it must be xyz.org with no subdomain since that’s our authenticating domain name.

    Please tell me I’m completely wrong about this!!
    thanks

    1. Ivan says:

      You can add DNS record for ldaps.xyz.org and it will work as long as your certificate was generated for *.xyz.org

  2. Leif Lagebrand says:

    It I want to restrict my LDAP over the Internet to just a few IP addresses, what the best way to do it? Some sort of whitelist.

    1. Ivan says:

      I was wondering over the same question, but so far no answer I have found.

Skip to main content