Active Directory LDAPS certificate selection (deep dive)

The LDAPS certificate is used by the LDAP server to secure communications using TLS over TCP/636, as an alternative to LDAP over TCP/389 that uses SPNEGO-based security. Enabling and enforcing LDAPS is a common security hardening task in Windows Active Directory environments today. Using Let's Encrypt certificates is popular for LDAPS because it is much simpler than using Active Directory Certificate Services (AD CS) if you don't already have it deployed.

In theory, it all looks great, until you realize that not only can you not explicitly select the LDAPS certificate to use, but there are also no logs to enable and no way to diagnose the problem. The next best thing is a detailed explanation of the internal process that validates and selects the certificate ultimately used on TCP port 636, so you can work through the list until you find what's wrong.
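Because the server side keeps no log of which certificate it picked, the one observable fact is the certificate the domain controller actually presents on TCP/636. The following script is an added example (not from this article) that performs a TLS handshake against port 636, prints the fields that matter to clients, and checks whether that certificate lives in the computer's personal store; `$DomainController` is an assumed placeholder you replace with your DC's FQDN.

```powershell
# Added example: observe the certificate a DC serves on TCP/636 (LDAPS).
$DomainController = 'dc01.corp.example'   # assumed placeholder, use your DC FQDN

$tcp = New-Object System.Net.Sockets.TcpClient($DomainController, 636)
# The validation callback always returns $true: we want to SEE what is served,
# even when it is the wrong certificate, not to trust it.
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
try {
    $ssl.AuthenticateAsClient($DomainController)
    $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
}
finally {
    $ssl.Dispose()
    $tcp.Dispose()
}

# Fields that decide whether LDAPS clients will accept the served certificate:
# name match (SAN), validity window, Enhanced Key Usage (OID 2.5.29.37), issuer.
$eku = $served.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1
[pscustomobject]@{
    Subject    = $served.Subject
    Issuer     = $served.Issuer
    Thumbprint = $served.Thumbprint
    NotBefore  = $served.NotBefore
    NotAfter   = $served.NotAfter
    DnsNames   = ($served.DnsNameList | ForEach-Object { $_.Unicode }) -join ', '
    EKU        = if ($eku) { $eku.Format($false) } else { '(none)' }
} | Format-List

# Correlate with the computer's personal store to identify which installed
# certificate won the selection and whether its private key is present.
$match = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $served.Thumbprint }
if ($match) {
    "Served certificate is in LocalMachine\My; HasPrivateKey = $($match.HasPrivateKey)"
} else {
    "Served certificate is NOT in LocalMachine\My; it was selected from another store."
}
```

Run it from a workstation or the DC itself; comparing the printed thumbprint with the certificates you expected to be used is usually the fastest way to spot a selection problem.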

