How to connect to Amazon Simple AD using ldaps?

Question

I cannot seem to connect to Amazon Simple AD using an ldaps:// url (with the default port number 636). I am getting "Connection refused".

It works with the non-encrypted ldap:// (port 389).

Is there something I need to enable on the AD or VPC or Security Groups settings?

---

Motivation: I suppose plain LDAP may be secure enough, as it is going via VPC anyway, but the software attached to it (WSO2 Identity Server) seems to insist on LDAPS:

WARN {org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager} - Connection to the Active Directory is not secure. Passowrd involved operations such as update credentials and adduser operations will fail

Answer 1

It seems like Amazon does not enable ldaps at all, these are the only ports mentioned which have to be open and ldap over ssl is not amongst them (neither for the normal or the global catalog):

• ...
• TCP/UDP 389 - LDAP
• TCP 3268 - Global Catalog
• ...

(values taken from the admin guide)

In a comment published on a Amazon blog it is stated that

LDAPs is not currently supported with AWS Directory Service at this time.

Answer 2

I have been able to work around the issue by launching a local stunnel that accepts LDAPS and just pipes it out again as LDAP to Simple AD.

Configuration looks something like this

# Service-level configuration
[ldap]
accept  = 8636
connect = SimpleAD_IP:389

Answer 3

As an update LDAPS seems to work now out of the box with Simple AD, Enterprise Microsoft AD does not have LDAPS out of the box though

Answer 4

AWS expects you to use a proxy for SSL termination. You could use something like HAProxy. If you want to have it available to the public webs then you would use something like ELB with a cert. Here is the documentation:

https://aws.amazon.com/blogs/security/how-to-configure-an-ldaps-endpoint-for-simple-ad/