Enable LDAP over SSL for AD

By default, Lightweight Directory Access Protocol (LDAP) traffic between the AD and the Xshield instance is unsecured. To secure this traffic, you can enable Secure Socket Layer (SSL) over LDAP, also known as LDAPS. By default, LDAPS is enabled over port 636. 

Self-signed Kerberos Authentication certificate

This example uses a self-signed Kerberos Authentication certificate.

Enable LDAPS for the AD

  1. Start Ldp.exe and go to Options > Connection Options.

  2. Set LDAP_OPT_SSL to 1.

Create and issue a new certificate

  1. Go to the Run box and enter certtmpl.msc.

  2. Double-click Kerberos Authentication, go to Properties, and select Publish Certificate in Active Directory.

  3. Go to Certificates > Personal > Certificates.

  4. Right-click Certificates and click Request New Certificate > Next.

  5. Select Kerberos Authentication and click Enroll.

Export the certificate

  1. Select the Kerberos certificate and click Copy to File.

  2. Select Base-64 encoded X.509(.CER).

  3. Enter a name for the certificate and save the file.

  4. Open the file with a text editor and save the text file to use this during the AD integration with LDAP over SSL enabled.

Microsoft Certification Authority (CA) or a non-Microsoft CA

You can also install a certificate either from a Microsoft CA or a non-Microsoft CA. Use Certreq.exe to create an X.509 certificate request.

Verify LDAPS connectivity on the AD

  1. Start Ldp.exe and click Connection > Connect.

  2. Enter the FDQN of the AD and the LDAPS port number.

  3. Click OK.

    Upon successful connectivity, you will see the rootDSE of the AD.

Verify LDAPS connectivity to the AD

You may need administrative privileges on the client asset. 

  • Go to the Command Prompt and run the PortQry -n <FQDN of the AD> -e 636.

    Replace 636 with a custom port number that you may have used for LDAPS.

Did this answer your question? Thanks for the feedback There was a problem submitting your feedback. Please try again later.