AD Home Lab LDAPS Setup for SailPoint IDN TLS Connection

Welcome 2020 (Or not)!!! 

Really this year needs to end. Period. Hope everyone is keeping safe and indoors as much as possible.

Been a while I haven’t written something.

Anyways I had a local VM for Active Directory running for my home lab for SailPoint IDN. Now I wanted to setup TLS connection for it. So I thought easy

1. Create a csr request in AD
2. Generate a crt
3. Import the cert in AD
4. Test Connection via ldp or IDN.

I didn’t want to go through installing a AD CA role for this one process. So I thought I will use OpenSSL which was installed on my Mac. There are many excellent guides on how to enable LDAPS in AD by generating a self signed certificate. By far the easiest I found was this one. 

But what I found was that the cert being generated didn’t contain the SAN. Found many such issues linked online with openssl command. This is how I fixed it.

Followed the guide till where v3ext.txt is being generated. But used my own as below

The IP Address and additional DNS is just an example. My domain name in example is “abc.local” and DC name is “dc1.abc.local”. You can add additional DNS entries as per your requirements

And modified the command to execute this file

Rest is all the same in guide. You will get the certificate generated with SAN and imported into your DC. LDAPS will work and IDN and IQService will connect via TLS. And forget about it for 10 years 😛 

Aah the green box of approval from IDN!!! Gods are happy & everything is good in world again!!! 

Hope it helps someone setup their own AD lab at home for AD LDAPS TLS connection without a CA server. Of course this will not be a problem in an enterprise deployment.

References

• Enable LDAP over SSL for AD Servers
• x509 v3 Config Options
• SailPoint IDN IQService TLS Requirements
• SailPoint IDN Virtual Appliance TLS Configuration