• If you want to encrypt the communication between SSB and the LDAP server, in Encryption, select the SSL/TLS or the STARTTLS option and complete the following steps:

    NOTE:

    TLS-encrypted connection to Microsoft Active Directory is supported only on Windows 2003 Server and newer platforms. Windows 2000 Server is not supported.

    • If you want SSB to verify the certificate of the server, leave Only accept certificates authenticated by the specified CA certificate selected and click the icon in the CA X.509 certificate field. A popup window is displayed.

      Click Browse, select the certificate of the Certificate Authority (CA) that issued the certificate of the LDAP server, then click Upload. Alternatively, you can paste the certificate into the Copy-paste field and click Set.

      SSB will use this CA certificate to verify the certificate of the server, and reject the connection if the verification fails.

      Caution:

      If you use a TLS-encrypted connection with certificate verification to connect to the LDAP server, use the full domain name (for example ldap.example.com) in the Server Address field, otherwise the certificate verification might fail. The name of the LDAP server must appear in the Common Name of the certificate.

    • If the LDAP server requires mutual authentication, that is, it expects a certificate from SSB, enable Authenticate as client. Generate and sign a certificate for SSB, then click the icon in the Client X.509 certificate field to upload the certificate. After that, click the icon in the Client key field and upload the private key corresponding to the certificate.

    SSB accepts private keys in PEM (RSA and DSA), PuTTY, and SSHCOM/Tectia format. Password-protected private keys are also supported.

    One Identity recommends:

    • Using 2048-bit RSA keys (or stronger).

    • Using the SHA-256 hash algorithm (or stronger) when creating the public key fingerprint.
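The following Python snippet is an added example, not SSB code: it models the checks described above (CA verification, the server-name caveat, and the optional client certificate) so you can see offline why an IP address in Server Address fails the name check while the full domain name passes. The certificate dictionary and all host names are constructed sample values, and the context-building function assumes hypothetical file paths that you supply.

```python
import ssl
from typing import Optional

# Constructed sample in the dict shape ssl.SSLSocket.getpeercert() returns for a
# server certificate issued to ldap.example.com (not a real certificate).
SAMPLE_PEER_CERT = {
    "subject": ((("commonName", "ldap.example.com"),),),
    "subjectAltName": (("DNS", "ldap.example.com"), ("DNS", "*.ad.example.com")),
}

def _name_match(pattern: str, host: str) -> bool:
    """Match one certificate name against a host name; '*' is accepted only as
    the whole leftmost label (RFC 6125 style), e.g. *.ad.example.com."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    p, h = pattern.split("."), host.split(".")
    return p[0] == "*" and len(p) == len(h) and len(p) > 2 and p[1:] == h[1:]

def cert_name_matches(peer_cert: dict, server_address: str) -> bool:
    """Does the name typed in Server Address appear in the certificate?
    DNS SANs are authoritative; the subject CN is used only when there are none."""
    names = [v for k, v in peer_cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in peer_cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    return any(_name_match(n, server_address) for n in names)

def verification_problem(peer_cert: dict, server_address: str) -> Optional[str]:
    """Explain why the name check would fail, or return None when it passes."""
    if cert_name_matches(peer_cert, server_address):
        return None
    if server_address.replace(".", "").isdigit():
        return (f"{server_address} is an IP address but the certificate names a "
                f"host; enter the full domain name in Server Address")
    return f"{server_address} is not among the names in the certificate"

def build_ldap_tls_context(ca_cert_path: str, client_cert_path: Optional[str] = None,
                           client_key_path: Optional[str] = None,
                           key_password: Optional[str] = None) -> ssl.SSLContext:
    """Client context with the same policy as the SSB settings: trust only the
    uploaded CA, check the host name, and present a client certificate when
    'Authenticate as client' is used (password-protected keys are accepted)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + check_hostname on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_verify_locations(cafile=ca_cert_path)  # hypothetical path, e.g. ca.pem
    if client_cert_path:
        ctx.load_cert_chain(client_cert_path, client_key_path, key_password)
    return ctx
```

Wrap an LDAPS socket with `build_ldap_tls_context(...)` and `server_hostname` set to the same full domain name you enter in Server Address; Python then applies the same name check that `cert_name_matches` models here.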