5.4.2. LDAPS Configuration

Note: This section details the configuration options for the encrypted LDAPS protocol selection. If your connection should be unencrypted, refer to Section 5.4.1 - LDAP Configuration for configuration information.

Below is a list of each LDAP Settings field, detailing what information should be entered.

Fig. 5.3 LDAPS Settings Example
- Use LDAP User Group Settings
Optional, refer to Section 8.2.1 - Enable LDAP Group Mapping
- Protocol
LDAPS
- Server Hostname
This is the fully qualified domain name of the LDAP server or domain controller that the recorder will use to authenticate users.
Example: dc1.contoso.net
- Server Port Number
This is the LDAPS port that the recorder will use to communicate with the LDAP server.
If all recorder users exist in the same domain as the recorder’s bind account, the default LDAPS port would be used. If users exist in the parent and child domains, the LDAPS Global Catalog (GC) port would be used.

Table 5.3 LDAPS Server Port Numbers

| Protocol | Port     |
|----------|----------|
| LDAP     | TCP 636  |
| LDAP GC  | TCP 3269 |
- Base DN for User Search
This field should contain the root path containing all recorder users. It should be entered using LDAP syntax.
Example: OU=Users,OU=HQ,DC=contoso,DC=net
Important: The recorder’s LDAP Bind user should also be located within this path.

Table 5.4 LDAPS DIT Path Syntax

| Key | Description         |
|-----|---------------------|
| DC  | Domain Component    |
| CN  | Common Name         |
| OU  | Organizational Unit |
- LDAP Bind Username
This is the username of the service account created for the recorder. This should be the username only.
Example: NLRecorder
- LDAP Bind Password
This is the password of the service account created for the recorder.
- LDAP Bind Realm
This is the NetBIOS domain name of the service account created for the recorder. This is commonly the first domain component (DC) of the Base DN when read from left to right.
- SSL Validation
- Ignore
This is the default setting when enabling LDAPS. When the recorder makes a connection to the directory service, it will not request or validate the server’s TLS/SSL certificate. This option should not be used in a production environment!
- Attempt
When the recorder makes a connection to the directory service, it will request its TLS/SSL certificate. If no certificate is provided, the session proceeds normally. If a bad certificate is provided, the session is immediately terminated.
- Require
When the recorder makes a connection to the directory service, it will request its TLS/SSL certificate. If no certificate is provided, or a bad certificate is provided, the session is immediately terminated. This is the recommended option for production environments.
- Fetch CA Certificate
When using LDAPS, the recorder must trust the CA certificate that signed the LDAP server’s TLS certificate. This is especially important when using the recommended Require option.
- Display CA Certificate
This button can be used to validate that the correct issuing CA certificate was obtained.

Fig. 5.4 LDAPS Server CA Certificate Trust
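The rules spread across the fields above (LDAP DN syntax for the Base DN, the bind account sitting beneath the Base DN, the realm commonly being the first DC, port 636 versus the 3269 Global Catalog port, and the Ignore/Require validation choice) can be checked against a filled-in form before it is saved. The Python below is an added example written for this page, not the recorder's own code: the function names, the shape of the `settings` dictionary, and the assumption that the bind account's full DN is known (the form itself only takes the username) are all assumptions of this example.

```python
"""Added example: consistency checks for an LDAPS settings form.

Not the recorder's implementation. It models the fields described on this
page and applies the rules the page states. The bind account's full DN is an
assumed extra input; the page's form only asks for the bare username.
"""
import re

LDAPS_PORT = 636        # Table 5.3: default LDAPS port
LDAPS_GC_PORT = 3269    # Table 5.3: LDAPS Global Catalog port
DN_KEYS = {"DC", "CN", "OU"}  # Table 5.4: keys used in the DIT path

# Split a DN on commas that are not escaped with a backslash (RFC 4514).
_RDN_SPLIT = re.compile(r"(?<!\\),")


def parse_dn(dn):
    """Return the DN as a list of (KEY, value) tuples, read left to right."""
    rdns = []
    for part in _RDN_SPLIT.split(dn):
        part = part.strip()
        if "=" not in part:
            raise ValueError("RDN without '=': %r" % part)
        key, value = part.split("=", 1)
        key = key.strip().upper()
        if key not in DN_KEYS:
            raise ValueError("unsupported DN key %r" % key)
        rdns.append((key, value.strip().replace("\\,", ",")))
    return rdns


def is_under_base(object_dn, base_dn):
    """True if object_dn lies in the subtree rooted at base_dn (values compared case-insensitively)."""
    obj = [(k, v.lower()) for k, v in parse_dn(object_dn)]
    base = [(k, v.lower()) for k, v in parse_dn(base_dn)]
    # A DN is below the base when its right-hand tail equals the base DN.
    return len(obj) > len(base) and obj[-len(base):] == base


def realm_from_base_dn(base_dn):
    """First DC component of the Base DN, which the page says is commonly the NetBIOS realm."""
    for key, value in parse_dn(base_dn):
        if key == "DC":
            return value.upper()
    raise ValueError("Base DN has no DC component")


def choose_port(users_span_child_domains):
    """Port selection rule from the Server Port Number field."""
    return LDAPS_GC_PORT if users_span_child_domains else LDAPS_PORT


def check_settings(settings, production=True):
    """Return a list of problems; an empty list means the form is consistent with the page's rules."""
    problems = []
    base_dn = settings["base_dn"]
    try:
        parse_dn(base_dn)
    except ValueError as exc:
        return ["Base DN is not valid LDAP syntax: %s" % exc]

    # Important note under Base DN: the bind user must be located within the path.
    if not is_under_base(settings["bind_user_dn"], base_dn):
        problems.append("LDAP Bind user is not located under the Base DN")

    # LDAP Bind Realm: commonly the first DC; a mismatch is worth a second look.
    expected_realm = realm_from_base_dn(base_dn)
    if settings["bind_realm"].upper() != expected_realm:
        problems.append("Bind realm %r differs from first DC %r of the Base DN"
                        % (settings["bind_realm"], expected_realm))

    expected_port = choose_port(settings["users_span_child_domains"])
    if settings["port"] != expected_port:
        problems.append("Port %d does not match the expected LDAPS port %d"
                        % (settings["port"], expected_port))

    # SSL Validation: Ignore skips certificate checks; Require needs the issuing CA.
    if production and settings["ssl_validation"] == "Ignore":
        problems.append("SSL Validation 'Ignore' performs no certificate validation; use Require")
    if settings["ssl_validation"] == "Require" and not settings.get("ca_certificate"):
        problems.append("Require needs the issuing CA certificate (use Fetch CA Certificate)")
    return problems


if __name__ == "__main__":
    # Constructed sample form using the page's example values.
    form = {
        "base_dn": "OU=Users,OU=HQ,DC=contoso,DC=net",
        "bind_user_dn": "CN=NLRecorder,OU=Users,OU=HQ,DC=contoso,DC=net",  # assumed DN
        "bind_realm": "CONTOSO",
        "port": 636,
        "users_span_child_domains": False,
        "ssl_validation": "Require",
        "ca_certificate": "<PEM of issuing CA, placeholder>",
    }
    print(check_settings(form) or "settings are consistent")
```

`check_settings` treats a realm mismatch as a finding rather than an error because the page only says the realm is commonly the first DC; an administrator can still accept the form after confirming the NetBIOS name.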