Return
-
Title
When using a Microsoft Active Directory asset is LDAP or LDAPS used for communication? -
Description
When using a Microsoft Active Directory Asset is LDAP or LDAPS used for Domain Controller and Global Catalog communication? -
Resolution
From SPP version 6.11 LDAPS protocol is supported for an Active Directory System under Assets. To enable this ensure AD is configured to serve LDAPS requests, and then tick the "Use SSL Encryption" on the General tab.
If using LDAP then Safeguard follows the standard behavior of Windows / Microsoft protocols and attempts to use the highest level of security that the connection will allow. Safeguard connects via LDAP on ports TCP/389 and TCP/3268. These connections use Kerberos / GSS-API and SASL to authenticate and encrypt LDAP communications. This is the same mechanism used by Windows desktop AD logins. Unsecured LDAP is not used.Safeguard will use LDAP searches for items such as:- To check the Active Directory ‘Directories” connection is valid and online.- Managing Discovery tasks on Directories (importing users from a customer specified group(s) for example)- When an Active Directory based logon occurs to Safeguard (web or client).- To locate domain controller(s) to perform any type authentication.Note: Active Directory provider used in Identity and authentication does not yet support LDAPS. Enhancement request # 298560 | 303419 was submitted to add LDAPS support for Active Directory for the purpose of Identity and Authentication in a future release of SPP. -
Change Request
298560 | 303419