3 Replies Latest reply: Mar 21, 2013 11:37 AM by mikyg
diverseft Level 1 (0 points)

Hi all

I am having a really annoying problem with my work iPhones where I am trying to do LDAP queries over SSL to Server 2008 Active Directory to get contact information. The problem is that plain LDAP works fine using the iPhone LDAP client. The issue arises when turning on SSL. I have ensured that my Active Directory server can receive LDAP SSL requests and it definitely works fine (self-signed certificate). As soon as I turn SSL on, the connection fails. I have seen multiple threads on this issue without any resolution that I can find:

https://discussions.apple.com/thread/2812226?start=0&tstart=0

https://discussions.apple.com/thread/2559644?start=0&tstart=0

As a last resort, I have found an app called LDAPeople. I have tested this with LDAP SSL and this works no problem, so it is definitely a problem with the native iPhone LDAP tool. Can anyone shed any light on this? I believe it might be something to do with self-signed certificates but I'm not 100% sure. Has anyone managed to get around this problem at all, or can anyone give me any advice?

Many Thanks

T

OS X Mountain Lion (10.8.2)
  • diverseft Level 1 (0 points)

    For anyone who is interested, Apple didn't want to know about the problem and suggested it was a problem with my "server settings". I got bounced around departments a bit and didn't speak to anyone who even knew what LDAP meant. The issue got "escalated" to an engineer. They said it was not an iOS issue...........

  • diverseft Level 1 (0 points)

    OK. Finally got this working. Here is what I did:

    1. iOS doesn't support self-signed certificates, so I got a cert from GoDaddy

    2. Imported that into my CA

    3. Created a sub domain (ldaps.domain.co.uk) pointing to the public IP address of my server with Active Directory on it (DNS through webhosting).

    4. Opened up port 389 on my firewall (for LDAPS, iOS still uses port 389, not 636) and forwarded it to my Active Directory server.

    5. On iPhones I used ldaps.domain.co.uk for the LDAP server location and turned on SSL. Also used domain\user for account.

    6. Set up the search base.

    7. Used Wireshark to ensure packets are definitely encrypted.

    All works - Happy Day

  • mikyg Level 1 (0 points)

    Hello,

    Sorry, but what you say is wrong. I use a self-signed certificate with my own CA and it works.

    Last summer (September/October), I worked on this topic, to get my iPhone to connect to my LDAP server with encryption.

    Turning on the SSL option switched the connection to port 636/tcp.

    I used iOS 5.

    Yesterday I decided to restart my LDAP server (I'm a geek, sorry, it's just a personal LDAP server), and I had a hard time this morning debugging it. Tcpdump showed no sign of packets, although the LDAP connection without SSL worked. I was thinking it was a NAT problem, but no.

    The flow goes to port 389/tcp in both cases and uses STARTTLS with SSL enabled. I have iOS 6.1.2.

    So, to me, how LDAP with SSL works depends on your firmware version. You probably expected the flow to arrive on port 636/tcp, whereas it arrived on port 389/tcp and got dropped by your firewall.

    I always read (on my iPhone) what the new features are before upgrading my iOS firmware version, and I don't remember reading that they would change the LDAP SSL behavior.

    The iPhone is even more confusing because it says something like "Use SSL" (I'm translating it from French).

    LDAP over SSL uses port 636/tcp, so this was correct in iOS 5; now that it's using port 389/tcp it should say "Use TLS"! So it's Apple misleading the users in their configuration.

    Happy day =)
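Added example, not part of this thread and not Apple's or either poster's code: a small Python classifier over the first bytes a client sends on an LDAP connection. It makes the point behind diverseft's step 7 (check the capture, not just the setting) and mikyg's observation concrete: LDAPS on 636/tcp starts with a TLS ClientHello record, while the iOS 6 behaviour described above starts as cleartext LDAP on 389/tcp with a StartTLS ExtendedRequest (OID 1.3.6.1.4.1.1466.20037, from RFC 4511). Knowing which shape the client uses tells you which firewall port actually needs to be open. The byte strings are hand-constructed here, not captured from an iPhone, and the function names are my own.

```python
"""Classify the first client bytes of an LDAP connection as immediate TLS
(LDAPS, normally 636/tcp), an LDAP StartTLS request (389/tcp), or
cleartext LDAP. All sample payloads below are constructed by hand."""

# RFC 4511 StartTLS request name (requestName of the ExtendedRequest).
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"

def _ber_len(buf, pos):
    """Decode a BER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:                      # short form
        return first, pos + 1
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or pos + 1 + n > len(buf):
        raise ValueError("unsupported or truncated BER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def _ber_tlv(buf, pos):
    """Return (tag, value bytes, position after the element) at buf[pos]."""
    tag = buf[pos]                        # IndexError on truncation is caught by caller
    length, start = _ber_len(buf, pos + 1)
    end = start + length
    if end > len(buf):
        raise ValueError("truncated BER value")
    return tag, buf[start:end], end

def classify_first_bytes(payload):
    """Return one of: tls-client-hello, ldap-starttls-request,
    ldap-extended-request, ldap-cleartext-bind, ldap-cleartext, unknown."""
    # TLS record: content type 0x16 (handshake), version 0x03xx,
    # first handshake message type 0x01 (ClientHello).
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls-client-hello"
    try:
        tag, msg, _ = _ber_tlv(payload, 0)       # LDAPMessage ::= SEQUENCE
        if tag != 0x30:
            return "unknown"
        id_tag, _, pos = _ber_tlv(msg, 0)        # messageID INTEGER
        if id_tag != 0x02:
            return "unknown"
        op_tag, op, _ = _ber_tlv(msg, pos)       # protocolOp CHOICE
        if op_tag == 0x77:                       # [APPLICATION 23] ExtendedRequest
            name_tag, name, _ = _ber_tlv(op, 0)  # requestName [0] LDAPOID
            if name_tag == 0x80 and name == STARTTLS_OID:
                return "ldap-starttls-request"
            return "ldap-extended-request"
        if op_tag == 0x60:                       # [APPLICATION 0] BindRequest
            return "ldap-cleartext-bind"
        return "ldap-cleartext"
    except (ValueError, IndexError):
        return "unknown"

def ports_needing_tls_rules(frames):
    """Given (dst_port, first client payload) pairs from a capture, return the
    sorted destination ports on which TLS-protected LDAP was attempted."""
    protected = {"tls-client-hello", "ldap-starttls-request"}
    return sorted({port for port, payload in frames
                   if classify_first_bytes(payload) in protected})

# Constructed samples (not real captures).
# LDAPMessage { messageID 1, extendedReq { requestName StartTLS OID } }
STARTTLS_REQUEST = b"\x30\x1d\x02\x01\x01\x77\x18\x80\x16" + STARTTLS_OID
# Minimal TLS 1.2 ClientHello record with one cipher suite and no extensions.
TLS_CLIENT_HELLO = (b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03" + bytes(32)
                    + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00" + b"\x00\x00")
# LDAPMessage { messageID 1, bindRequest { version 3, name "", simple "" } }
ANON_BIND = b"\x30\x0c\x02\x01\x01\x60\x07\x02\x01\x03\x04\x00\x80\x00"

# What the two behaviours described in the thread would look like in a capture.
IOS5_STYLE_FRAMES = [(636, TLS_CLIENT_HELLO)]
IOS6_STYLE_FRAMES = [(389, STARTTLS_REQUEST)]

if __name__ == "__main__":
    for name, sample in [("starttls", STARTTLS_REQUEST), ("ldaps", TLS_CLIENT_HELLO),
                         ("plain bind", ANON_BIND)]:
        print(f"{name:10s} -> {classify_first_bytes(sample)}")
    print("iOS 5 style needs port(s):", ports_needing_tls_rules(IOS5_STYLE_FRAMES))
    print("iOS 6 style needs port(s):", ports_needing_tls_rules(IOS6_STYLE_FRAMES))
```

In practice you would feed `classify_first_bytes` the first TCP payload of each new connection from a Wireshark or tcpdump export; a client that sends a cleartext bind with the SSL option on is the case to worry about, and a client that sends the StartTLS request on 389 explains why a firewall rule for 636 alone makes the connection appear to vanish.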