?? ?????-???? ?????????? ?????????? ?? LDAP ?? SSL ????? ???? ?? ??? ???? ????

???? ID: 321051 - ?? ???????? ?? ?????? ??? ?? ?? ???? ???? ???? ??.


??????

??????? ??????????? ?????? ????????? (LDAP) ?? ????? ?? ????? ?? ?????? ?????????? ?? ??? ????? ???? ???? ??? ???????? ??? ??, LDAP ???????? ????????? ???????? ??? ?? ?? ???? ??? ?? LDAP ???????? ?????? ?? ???????? ???????? ????? ???? (SSL) ?? ????? ???? / ???????????? ???? ??????? (TLS) ?? ?????? ?? ????? ?? ???? ??? LDAP ?? SSL (LDAPS) ?? ?????? Microsoft ?????????? ?????????? (CA) ?? ?? ??? - Microsoft CA ?? ???? ??? ????????????? ?? ?????? ?? ??? ?? ???????? ??? ?????????? ??????? ?? ??? ???

???? ???????

LDAPS ???????? ???? ?? ??? ?????????? ??????? ???? ??? ????? ?????? ???? ?? ???? ????? ???????? ?? ??????? ???? ?? ??? ?????, ?? ???????? ??? ?? ???????, LDAP ?? ??????? ?????? ??????? ?? ??? SSL ??????? ???? ?? ??? LDAP ???? ?????? ???? ???

LDAPS ?????? ???? ?? ??? ??????????

LDAPS ?? ????? ???? ?? ??? ???? ??? ?????????? ?? ????? ?????????? ???? ???? ??????? ???? ?????? ??:
  • ??????? ???????? ??? LDAPS ?????? ???? ?? ????? ????????? ?????????? ?????? (????????? ????? ???????? ?? MY ?????????? ?????? ?? ??? ???)?
  • ?????? ???? ?? ??? ???? ??? ???? ????? ?????? ?? ??????? ???????? ??? ????? ?? ?? ?? ?????? ???? ?? ??? ??? ?? ??????? ??? ???? ????? ?????? ????????? ???? ????? ??????? ????? ???
  • ????????? ????? ????? ????????? (?? ????? OID ?? ??? ???) ????? ??????? (1.3.6.1.5.5.7.3.1) ???????? ?????????? ?? ????? ????? ???
  • ????? ???????? (?????? ?? ???, DC01.DOMAIN.COM) ?? ?????? ?????????? ????? ?? ???? ??? ??????????? ??? ????? ??????? ??? ?? ?? ??? ????? ???? ?????? ??:
    • ??????? ??? (CN) ???? ?????? ????
    • ???? ???????? ??? ??? DNS ????????? ??????????
  • ?????? ????? ???????? ?? LDAPS ??????? ??????? ?? ?? ???? CA ?????????? ???? ???? ??? ??? ??????? CA ??? ?? ??? ?? ??????? ???? ?? ??? ??????? ?? ????? ?? ???????? ???? ?? ?????? ??????? ?? ????????? CA chains.
  • ????? ????? ???? ?? ??? ?? Schannel ???????????????? ?????? ????????? (CSP) ?? ????? ???? ?????? ???
?????? ???? ?? ??????? ?? ??????? ???? ?? ???? ??? ???? ??????? ?? ??? Windows 2000 ????? ??? ??? "???? ?? ??????? ?? ??????? ???? ?? ??? root ?????????? ??????????" ???? ?? ??????
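The following PowerShell script is an added example, not part of this article, that checks every certificate in the local computer's Personal (MY) store against the requirements listed above: private key present, Server Authentication EKU (1.3.6.1.5.5.7.3.1), the domain controller FQDN in the CN or a DNS SAN entry, a chain that builds to a trusted root, and the key provider. The `-DcFqdn` parameter and the function names are assumptions of the example; it expects to run elevated on the domain controller.

```powershell
# Added example, not from the KB article: checks every certificate in the local
# computer's Personal (MY) store against the LDAPS requirements listed above.
# Assumes it runs elevated on the domain controller; the FQDN is derived from
# the local host and can be overridden with -DcFqdn (an assumed parameter).
param(
    [string]$DcFqdn = ([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME)).HostName
)

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU (from the article)

function Get-SanDnsNames {
    # Returns the DNS entries of the Subject Alternative Name extension (OID 2.5.29.17).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $ext) { return }
    # Format($true) renders one "DNS Name=host" line per entry on Windows
    foreach ($line in ($ext.Format($true) -split "`r?`n")) {
        if ($line -match '^\s*DNS Name=(.+)$') { $Matches[1].Trim() }
    }
}

function Test-LdapsCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Fqdn
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. The private key must live in the machine store alongside the certificate.
    if (-not $Cert.HasPrivateKey) { $findings.Add('private key not present in MY store') }

    # 2. Enhanced Key Usage must contain Server Authentication.
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasServerAuth = $false
    if ($eku) { $hasServerAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuthOid }) }
    if (-not $hasServerAuth) { $findings.Add("EKU lacks Server Authentication ($ServerAuthOid)") }

    # 3. The DC's FQDN must be the CN or one of the SAN DNS entries.
    $cn = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    $sanNames = @(Get-SanDnsNames -Cert $Cert)
    if ($cn -ne $Fqdn -and $sanNames -notcontains $Fqdn) {
        $findings.Add("neither CN '$cn' nor SAN [$($sanNames -join ',')] matches $Fqdn")
    }

    # 4. The chain must build to a trusted root on this machine (no online revocation check).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($Cert)) {
        $findings.Add('chain does not build: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','))
    }

    # 5. Key provider: the article's request uses the Microsoft RSA SChannel CSP. A different
    #    provider is reported as a finding; CNG key storage providers are also accepted by
    #    Schannel on Windows Server 2008 and later, so treat this as a warning there.
    if ($Cert.HasPrivateKey) {
        try {
            $csp = $Cert.PrivateKey.CspKeyContainerInfo.ProviderName
            if ($csp -and $csp -notmatch 'SChannel') { $findings.Add("key provider is '$csp'") }
        } catch { $findings.Add('key provider could not be read (CNG key or access denied)') }
    }

    [pscustomobject]@{
        Thumbprint = $Cert.Thumbprint
        Subject    = $Cert.Subject
        NotAfter   = $Cert.NotAfter
        Usable     = ($findings.Count -eq 0)
        Findings   = ($findings -join '; ')
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-LdapsCertificate -Cert $_ -Fqdn $DcFqdn } |
    Format-Table Thumbprint, Usable, NotAfter, Findings -AutoSize
```

Run it again after the certificate has been accepted into the store: a row with `Usable = True` is a certificate Schannel can select for LDAPS, and the `Findings` column names the requirement a rejected certificate misses. Because Schannel takes the first valid certificate it finds, more than one usable row is itself worth noticing.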

?????????? ?????? ??? ??? ??

?????? ?? ????????? ????? PKCS # 10 ?????? ????? ?? ?? ???? ?? SSL ?????????? ?????? ??????? ?? ??? ????? ???? ?? ????? ?????? ??????? ?? ??? Certreq ?? ????? ?????

???:?? ???? ??? ???????? ??????? Certreq 2003 ??????? ?? ?????? ???? ???? Windows 2000 ????? ?? ?? ???? ??? ??? ????? ?? ????? ????, ?? ??? certreq.exe ?? certcli.dll ?? ????????? ???? Windows 2003 ????? ?? Windows 2000 ????? ???? ??????? ?????????? ????

Certreq.exe ???? ????? ???????? ?? ??? ??????? X.509 ?????????? ?????? ????? ???? ?? ??? ??? ??????? ????? ?? ??? ?????? ??? ??? ???? ??? ?? ???? ???? ??????? ASCII ?? ????? ?? ??? ??????? ???? ????? ?????? ?? ???? ?? ?????? ?? ??? ???. inf ????? ?? ??? ??? ????? ???????

???? ????? ?? ?????? ?? ??? ??????? ?????????? LDAPS, ?? ??? ??????? ?? ?? ?? ????? ?? ???? ????:
  1. . Inf ????? ?????? ????? ??? ?? ??????. inf ????? ?? ?????????? ?????? ????? ?? ??? ????? ???? ?? ???? ???
    ;-----------------request.inf-----------------

    [version]

    Signature="$Windows NT$"

    [NewRequest]

    Subject = "CN=<DC FQDN>"   ; replace with the FQDN of the DC
    KeySpec = 1
    KeyLength = 1024
    ; Can be 1024, 2048, 4096, 8192, or 16384.
    ; Larger key sizes are more secure, but have
    ; a greater impact on performance.
    Exportable = TRUE
    MachineKeySet = TRUE
    SMIME = False
    PrivateKeyArchive = FALSE
    UserProtected = FALSE
    UseExistingKeySet = FALSE
    ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
    ProviderType = 12
    RequestType = PKCS10
    KeyUsage = 0xa0

    [EnhancedKeyUsageExtension]

    OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication

    ;-----------------------------------------------
    Cut and paste the sample file into a new text file named Request.inf. Provide the fully qualified DNS name of the domain controller in the request.

    Note: Some third-party certification authorities may require additional information in the Subject parameter, such as an e-mail address (E), organizational unit (OU), organization (O), locality or city (L), state or province (S), and country or region (C). You can append this information to the common name (CN) in Request.inf. For example: Subject="E=admin@contoso.com, CN=<DC FQDN>, OU=Servers, O=Contoso, L=Redmond, S=Washington, C=US"
  2. ?????? ???? ????? . ??? ???? ?? ??? , ????? ????????? ?? ????? ???? ???? ???? , ?? ???? ??? ENTER ????? :
    certreq -new request.inf request.req
    A new file named Request.req is created. This is the base64-encoded request file.
  3. CA ???? ?? ??? ?????? ????? ???? . ?? Microsoft CA ?? ????? - ???? CA ?? ??? ?????? ????? ?? ???? ??? .
  4. ??????? ?????????? ???? ???? ??? ?? , ?? ?? ?????????? ?????? ????? ?? ??? ??????? ??? Certnew.cer ?? ??? ??? ?????? . ??? ???? ?? ???, ????? ????? ?? ???? ????::
    1. Certnew.cer ???? ?? ?? ????? ????? .
    2. ?????? ??? ????? ????? , ???????? ?????? ???? ?? ???? ??? ??????? ?? ???? ??? ????? ?? ?????? .
    Note: The certificate must be saved in base64 format. Some third-party CAs return the issued certificate to the requestor as base64-encoded text in an e-mail message.
  5. issued ?????? ???? ??????? ???? . ??? ???? ?? ??? , ????? ????????? ?? ????? ???? ???? ???? , ?? ???? ??? ENTER ????? :
    certreq -accept certnew.cer
  6. ???????? ???? ?? ????????? ???????? ???????? ?? ??? ?????????? ??????? ?? . ??? ???? ?? ???, ????? ????? ?? ???? ????::
    1. Microsoft ??????? ????? ( MMC ) ?? ??????? ???? .
    2. ?????? ???? ????? - ?? ?? ??????? ???????? ?? ?????????? ?? ?????? ???? ?? ?? ?????? .
    3. ??????? ?????????? ???? (??????? ????????), ??????? ?????????????, ?? ???? ??? ??????? ?????????? ????.
    ??? ?????? ???? ?? ????????? ?????? ??? ????? ???? ????? . ??????????????? ???????? ????? ??? , ?????? ???????? ????????? ???? ???? ??????? ??????????. ???? ??? ??????????? ????? ??? ???????? ?? ?? ??? ?? ?????????? ?? ???? ???? ??? ?? .
  7. ????? ???????? ?? ???????? ?????
?????????? ?????? ????? ?? ???? ??? ???? ??????? ?? ??? ????? ????? ?????????? ??????? ?? ??????? ????? ???? ????? . ?? ????? ???? ?? ????? ?? ??? ????? Microsoft ??? ???? ?? ????:
http://technet.microsoft.com/en-us/library/cc782583.aspx

???? LDAPS ??????? ?? ??????? ?? ??? ??

?? ??? ?????????? ??????? ?? , ?? ???????? ???? ?? LDAPS ????? ???? ??? ?? ?? ??? ????? ????? ?? ???? ???? :
  1. ?????? ?????????? ?????????? ????? ??????? ???? ( Ldp.exe ) .

    ???:?? ????????? ??? Windows 2000 ?????? ????? ??????? ???? ??? ?? .
  2. ????? ??????????????? ??,??????..
  3. ????? ?? ?????? ???? ????? ??? ?? ????? ???????? ?? ??? ???? ???? .
  4. ??????:636?? ????? ??????? ?? ??? ??? .
  5. ????? ????,OK.

    RootDSE ??????? ???? ??? ??? , ?? ??? ??????? ????? ??????? ???? ????? .

??????? ????????

  • Start TLS extended request
    LDAPS communication occurs over port TCP 636. LDAPS communication to a global catalog server occurs over TCP 3269. When connecting to ports 636 or 3269, SSL/TLS is negotiated before any LDAP traffic is exchanged. Windows 2000 does not support the Start TLS extended-request functionality.
  • Multiple SSL certificates
    Schannel, the Microsoft SSL provider, selects the first valid certificate that it finds in the local computer store. If there are multiple valid certificates available in the local computer store, Schannel may not select the correct certificate.
  • Pre-SP3 SSL certificate caching issue
    If an existing LDAPS certificate is replaced with another certificate, either through a renewal process or because the issuing CA has changed, the server must be restarted for Schannel to use the new certificate. The SSL provider in Windows 2000 caches the LDAPS certificate and does not detect the change until the domain controller is restarted. This has been corrected in Service Pack 3 for Windows 2000.
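The following PowerShell script is an added example, not part of this article, that serves as a scripted stand-in for the Ldp.exe test above: it negotiates TLS on port 636 (and 3269 for a global catalog), records the certificate Schannel actually presented, and reports the name and chain errors the client observed. `$Server`, the port list and the `-ExpectedThumbprint` parameter are assumptions of the example.

```powershell
# Added example, not part of the KB article: a scripted stand-in for the Ldp.exe test.
# It negotiates TLS on the LDAPS ports, records the certificate that Schannel actually
# presented, and reports name/chain errors as the client saw them.
# $Server is a placeholder; -ExpectedThumbprint is an assumed, optional parameter for
# comparing against the thumbprint of the certificate you installed.
param(
    [string]$Server = 'dc01.domain.com',
    [int[]]$Ports = @(636, 3269),        # 636 = LDAPS, 3269 = global catalog over SSL
    [string]$ExpectedThumbprint = ''
)

function Test-LdapsEndpoint {
    param([string]$HostName, [int]$Port, [string]$Expected)

    $script:policyErrors = [System.Net.Security.SslPolicyErrors]::None
    # Record validation errors instead of aborting, so the report shows what failed.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $errors)
        $script:policyErrors = $errors
        return $true
    }

    $client = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $client.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        # TLS is negotiated before any LDAP traffic; the host name drives the CN/SAN check.
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $isExpected = 'n/a'
        if ($Expected) { $isExpected = ($cert.Thumbprint -eq ($Expected -replace ' ', '').ToUpperInvariant()) }
        [pscustomobject]@{
            Server         = $HostName
            Port           = $Port
            Protocol       = $ssl.SslProtocol
            Subject        = $cert.Subject
            Issuer         = $cert.Issuer
            Thumbprint     = $cert.Thumbprint
            NotAfter       = $cert.NotAfter
            PolicyErrors   = $script:policyErrors
            IsExpectedCert = $isExpected
        }
    } catch {
        # Connection refused or handshake failure: LDAPS is not listening or not usable.
        [pscustomobject]@{ Server = $HostName; Port = $Port; PolicyErrors = $_.Exception.Message }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}

foreach ($p in $Ports) { Test-LdapsEndpoint -HostName $Server -Port $p -Expected $ExpectedThumbprint }
```

`Thumbprint` is the certificate Schannel chose; if it differs from the one you installed, the "Multiple SSL certificates" or the pre-SP3 caching case above applies. `PolicyErrors` reflects trust from the client's point of view, so a third-party root that is missing from the client's Trusted Root store shows up as RemoteCertificateChainErrors even when the domain controller itself is configured correctly.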

Windows Server 2008 improvements

The original recommendation in this article was to put certificates in the Local Machine's Personal store. Although this option is supported, you can also put certificates in the NTDS Service's Personal certificate store on Windows Server 2008 and on later versions of Active Directory Domain Services (AD DS). For more information about how to add the certificate to the NTDS service's Personal certificate store, visit the following Microsoft TechNet Web site:
http://technet.microsoft.com/en-us/library/dd941846(WS.10).aspx
AD DS preferentially ????? ?? ?????? ??? ?????????? ?????? ?? ??????? ???? ??? ?? ??? ????? ?? AD DS ?? ????? ??? ??? ?? ????? ???? ?? ??? ?????????? ?? ????? ???? ?? ??? ???????? ???? ?? ??? ???? ??? ?? ??????? ?? ???? ?? ?? ?? ???? ?????? ???? ?? ??????? ???? ????????? ?????? ??? ??, ?? ?? ???-?? ?? ????? predict ???? ?? ??? ???? ?? ???? ???

?? ??? ?????? ???? ???? ?????????? ?????? ??? ????? ?? ?? ?? ?? ???? ??? ?????????? SSL ?????? ?? ???? AD DS ???????? ???? ?? ????? ???????? ?? ???????? ???? ?? ??? ??? triggers AD DS ?? ????

??? ??? rootDse ???????? ?? ????? ???reviewServerCertificate???????? ??? ?? AD DS ???????? ???? ?? ????? ???????? ?? ???????? ???? ?? ??? ??? ?? ???? ???? SSL ?????? ???? ?? ?????? ???? ?? ??? AD DS ?????? ???? ?? ??? ?? ???? ??? ????? ???? ?? ?????

???, ??? ?? Windows Server 2008 ?? ?????? ??????? ????? ???????? ???? ?????? ??? ?? ?? ???? ?????? ???? ????? ??, ?? ?? ???????? ??? ?? ????? ?????????? ?? ????? ??? ???? ??????? ?????? ?????? ??? furthest ??? ???, ??? ???? ??????? ?????? ???? ?? ???? ??? ???? ??????? ?????? approaching ??, ?? ?? ??????????? ?????????? ?????? ??? ??? ?? ???? ???, ?? AD DS ???? ????? ???? ?? ??? switches ???????? ??? ???

??? ?? 2008 ?????? ?????????? ??????? ??????????? ???? (AD LDS) ?? ??? ?? Windows Server 2008 AD DS ?? ??? ?????? AD LDS, ?? ??? ???? ???? ?? ??? ????????? ?????????? ?????? ??? ?????????? NTDS ???? ?? ??? ?? ???? AD LDS ??????? ?????

???

???? ID: 321051 - ????? ???????: 04 ?????? 2010 - ??????: 2.0
???? ???? ???? ??:
  • Windows Server 2008 Standard
  • Windows Server 2008 Datacenter
  • Windows Server 2008 Enterprise
  • Windows Server 2008 Standard without Hyper-V
  • Windows Server 2008 Datacenter without Hyper-V
  • Windows Server 2008 Enterprise without Hyper-V
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server