LDAPS is LDAP over TLS/SSL. The TLS session is established before any LDAP traffic is exchanged, and there is no mechanism to fall back to an unencrypted connection, unlike StartTLS, whose upgrade from a plaintext connection has been abused in MITM (downgrade) attacks. LDAPS authenticates the server and protects the communication from eavesdropping and tampering with encryption.
LDAPS is supported for user authentication since flexVDI Manager 3.1.4.
flexVDI Manager is the component that authenticates users against a directory in flexVDI. If you use an LDAPS connection, flexVDI Manager will refuse to connect to the server unless it trusts the server's certificate.
Certificates trusted by flexVDI manager
flexVDI Manager trusts the default CA certificates trusted by JVM programs, stored in /etc/pki/java/cacerts. If you have bought a certificate for your LDAP server and it is signed by one of the CAs in that file, flexVDI Manager will trust it automatically.
Organizations usually generate their own certificates for their internal servers and install their CA or server certificates on their systems. /etc/pki/java/cacerts is overwritten when flexVDI Manager is updated, so it is not a good place to store additional certificates.
flexVDI Manager also trusts the certificates stored in the PKCS12 file /flexvdi/external/manager/trustedCerts.p12. This file survives software updates, so this is where to store your CA certificate, or your LDAP server certificate. The file follows the PKCS12 standard format.
Managing trusted certificates in flexVDI manager
The trustedCerts.p12 store is initially empty. flexVDI Manager ships with the keytool command, which lets you add your certificates to trustedCerts.p12.
First, copy your certificate to flexVDI Manager:
$ scp my_ldap.crt root@${FLEXVDI_MANAGER}:/root # Use the same password you use for admin in flexVDI Dashboard
You can add one certificate (your LDAP server certificate, or the certificate of the CA that signed it) to trustedCerts.p12 with the command below. keytool prints the certificate's owner, issuer, validity period and fingerprints before asking for confirmation; compare them with the certificate you expect before answering yes. Each certificate you add needs its own, unused alias.
[root@manager manager]# keytool -keystore /flexvdi/external/manager/trustedCerts.p12 -storepass flexvdi -importcert -file my_ldap.crt -alias myldap
...
# You will be asked: Trust this certificate? [no]: yes
# Answer yes, and the certificate will be added to the PKCS12 trustedCerts.p12
Now you can see the contents with:
[root@manager manager]# keytool -keystore /flexvdi/external/manager/trustedCerts.p12 -storepass flexvdi -list
Then restart flexvdi-manager to apply the changes:
[root@manager manager]# systemctl restart flexvdi-manager
It is important not to change the store password, which is set to flexvdi: flexVDI Manager uses it to open trustedCerts.p12. The store only holds public certificates, so the fixed password protects nothing secret; what matters is that only root can write the file, because anyone able to add a certificate to it can make flexVDI Manager trust an impostor LDAP server.