Authentication and connection to a domain controller

Authentication and connection to a domain controller when polling a domain

When a Linux distribution point polls a domain controller, it determines the connection protocol during the initial connection to the domain controller, and that protocol is then used for all subsequent connections to the domain controller. You can change the options used for the initial connection by setting the Network Agent flags KLNAG_LDAP_TLS_REQCERT and KLNAG_LDAP_SSL_CACERT. You configure these flags with the klscflag utility, as described in this article.

The initial connection to a domain controller proceeds as follows:

  1. A Linux distribution point attempts to connect to the domain controller over LDAPS.

    By default, certificate verification is not required. Set the KLNAG_LDAP_TLS_REQCERT flag to 1 to enforce certificate verification.

    Possible values of the KLNAG_LDAP_TLS_REQCERT flag:

    • 0—The certificate is requested, but if it is not provided or the certificate verification failed, then the TLS connection is still considered successfully created (default value).
    • 1—Strict verification of the LDAP server certificate is required.

    By default, when the KLNAG_LDAP_SSL_CACERT flag is not specified, the OS-dependent path to the certificate authority (CA) is used to access the certificate chain. Use the KLNAG_LDAP_SSL_CACERT flag to specify a custom path.

  2. If the LDAPS connection fails, a Linux distribution point attempts to connect to the domain controller over a non-encrypted TCP connection by using SASL (DIGEST-MD5).

Configuring flags

You can use the klscflag utility to configure flags.

On the Linux distribution point, open a terminal and change your current directory to the directory that contains the klscflag utility. By default, the klscflag utility is located in /opt/kaspersky/ksc64/sbin.

For example, the following command enforces certificate verification:

klscflag -fset -pv klnagent -n KLNAG_LDAP_TLS_REQCERT -t d -v 1
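The sequence above has a consequence worth checking before you enforce verification: if the LDAPS attempt fails (for example because the domain controller's certificate chain does not validate against the CA file), step 2 falls back to a non-encrypted connection, and that protocol is then kept for subsequent connections. The following script is an added example, not part of the Kaspersky documentation or product. It probes the domain controller with openssl s_client using the CA file you intend to set, and only then applies both flags. The domain controller hostname, the CA file path and the use of `-t s` as the klscflag string type are assumptions (placeholders); the klscflag directory and the `-t d` form are taken from the page.

```shell
#!/bin/sh
# Added example (not from the Kaspersky documentation): confirm that the domain
# controller's certificate chain validates against the intended CA file before
# enforcing strict LDAP certificate verification on a Linux distribution point.
# If the chain does not validate, setting KLNAG_LDAP_TLS_REQCERT=1 makes the LDAPS
# attempt fail and the distribution point falls back to the non-encrypted
# SASL (DIGEST-MD5) connection described in step 2.

KLSCFLAG_DIR="/opt/kaspersky/ksc64/sbin"                 # default path from the page
DC_HOST="${DC_HOST:-dc01.example.local}"                  # placeholder hostname (assumption)
CA_FILE="${CA_FILE:-/etc/ssl/certs/corp-root-ca.pem}"     # placeholder CA bundle (assumption)

# Return 0 when openssl s_client output (read from stdin) reports a clean chain.
# Reading from stdin keeps the parsing testable without a live domain controller.
ldaps_chain_ok() {
    grep -q 'Verify return code: 0 (ok)'
}

# Probe the domain controller on 636/tcp with the chosen CA file.
# -verify_return_error aborts the handshake on a bad chain; </dev/null ends the session.
probe_dc_cert() {
    dc="$1"; ca="$2"
    openssl s_client -connect "${dc}:636" -servername "$dc" \
        -CAfile "$ca" -verify_return_error </dev/null 2>&1 | ldaps_chain_ok
}

# Apply the two Network Agent flags: CA path first, then strict verification.
# "-t s" as the string value type is an assumption; "-t d" is from the page.
apply_strict_ldaps_flags() {
    ca="$1"
    cd "$KLSCFLAG_DIR" || return 1
    ./klscflag -fset -pv klnagent -n KLNAG_LDAP_SSL_CACERT -t s -v "$ca" &&
    ./klscflag -fset -pv klnagent -n KLNAG_LDAP_TLS_REQCERT -t d -v 1
}

# Only act when explicitly asked, so sourcing the file defines the functions without side effects.
main() {
    if probe_dc_cert "$DC_HOST" "$CA_FILE"; then
        echo "chain for $DC_HOST validates against $CA_FILE; enforcing verification"
        apply_strict_ldaps_flags "$CA_FILE"
    else
        echo "chain for $DC_HOST does NOT validate against $CA_FILE; not enforcing" >&2
        echo "(enforcing now would fail LDAPS and trigger the non-encrypted fallback)" >&2
        return 1
    fi
}

[ "${1:-}" = "--apply" ] && main
```

Run it as `DC_HOST=dc01.example.local CA_FILE=/path/to/ca.pem ./check-ldaps.sh --apply` on the distribution point. Because the initial protocol is reused for later connections, re-run the probe after any CA rotation on the domain controller; a chain that stops validating would otherwise turn into a silent downgrade at the next initial connection.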
