How To Setup LDAPS on Windows Domain Controller Tutorial 

URTechDotCa

If you need to set up secure Lightweight Directory Access Protocol, aka secure LDAP, aka LDAPS, you are in the right place. We provide step-by-step instructions on how to set up LDAPS.

Published: 24 Aug 2024

Comments: 32
@just1pepsi 12 days ago
Much better than the 100 other exact replicas of the install process where everyone installs AD LDS unnecessarily. Wish I would've found this video sooner.
@patrickbourdeau2469 10 months ago
Hello, It was clean enough to follow step by step. Thanks a lot for the demo !!!!!!
@shamsmad 1 year ago
But what if I have the CA role on a member server, not on any DCs... how can I import the certificate? Please help
@bzavala123 8 months ago
So, what you are saying is all you do to get the needed certs is to install the AD CA, run the LDP connection tests and then reboot the server, and it will automatically create the needed certs for any DCs you run the LDP tests on and then reboot?
@darshanarajapakse7801 1 year ago
Thanks for the tutorial. It was very helpful!
@sergioegues1009 4 months ago
NICE VIDEO!!! VERY HELPFUL
@Tobi4775OP 1 year ago
What if the certificate is not enrolled when doing the same steps as you just did? How to troubleshoot that?
@mangaanime7727 1 year ago
Hello, that was great and straightforward. Very helpful, thanks a million.
@muzzammilabdullah3324 10 months ago
My enterprise CA is disabled, and I continued with standalone, but after successful configuration I can't see anything under issued certificates even after restart. Also I am not able to connect through ldp.exe both for 389 and 636.
@juancho420 1 year ago
For security reasons you don't want root CAs turned on all the time. You need DCs to be turned on, so this is the issue. So far I haven't found anyone who set up LDAPS without installing a root CA on a DC, makes me sad.
@jcmreno 1 month ago
You can install a separate CA, in fact you should install a root CA and a subordinate CA, the thing is that there is no video for this, I am reading a book to do this safely.
@juancho420 1 month ago
@jcmreno we had to set up FIPS so I created a root and intermediate CA. CA should definitely not be on a domain controller. I used the PKI Guide from Matthew Burr, great stuff.
@LeviandBoomer 8 months ago
Thanks for the demo. If I need to install this for the first time in my domain to enable LDAPS, would all my member servers need to be rebooted?
@robertpineiro3415 1 year ago
Video very intuitive. If I want to restrict LDAP and allow my clients to only authenticate LDAPS, would I need to force that via my Domain Controller/Domain policies with the option just allow signing request? Are there additional steps beyond enabling signing request only?
@2lotsill 10 months ago
Yes, configuring LDAPS (LDAP over SSL) and enforcing signing requests are good security measures. To restrict LDAP and allow only LDAPS, you'll typically need to follow these steps:
Install and Configure an SSL Certificate: Obtain or install a valid SSL certificate on your Domain Controller. This is crucial for securing the LDAPS communication.
Enable LDAPS on the Domain Controller: Open the "Active Directory Certificate Services" or use a third-party certificate to enable LDAPS. Ensure that the LDAPS port (default is 636) is open in your firewall.
Modify Group Policy: Use Group Policy to enforce the use of LDAPS:
  Open the Group Policy Management Console (GPMC).
  Navigate to Computer Configuration -> Windows Settings -> Security Settings -> Public Key Policies.
  In the right pane, double-click on "Certificate Services Client - Auto-Enrollment" and configure it to enable auto-enrollment.
  Navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Network Security.
  In "Domain Member: LDAP Client Signing Requirements," set it to "Require Signing."
Configure LDAP Client Applications: Ensure that your LDAP client applications are configured to use LDAPS (port 636). Update any scripts or applications that use plain LDAP to use LDAPS.
Firewall Configuration: Adjust your firewall settings to allow traffic on the LDAPS port (636) and block traffic on the regular LDAP port (389) if you want to restrict it.
Test the Configuration: Test the LDAPS configuration to ensure that clients can connect securely. Use tools like LDP.exe or LDAPsearch to verify the LDAPS connection.
Monitor and Audit: Implement monitoring and auditing to track LDAP and LDAPS activity. Regularly review logs for any security-related events.
@ssdiplomat5855 1 year ago
Hi thanks ! What about non ad joined machines can they connect?
@invenorofstaw7570 7 months ago
thanks maaan
@237311 1 year ago
Useful video. Can this work with other type OS like Linux machines? I want them (Linux) to be authenticated against the LDAPS server. Thanks.
@kevinwirth2548 9 months ago
thank you so much !
@kimberly_lali2 1 year ago
Thank you so much!!!
@iamxanderrific 1 year ago
I plan on installing LDAPS on our RODC for our 69 branches, will this work?
@DavidTorres-xl2jl 1 year ago
This video helped me tremendously!! I was building out a Forticlient Cloud EMS server for VPN and all of our root CA Certs were expired and couldn't figure out how to setup LDAPS on DCs. Thanks Sooooo Much!! Do you know how I can export the .PEM file for this Root CA cert to upload to Forticlient Cloud EMS server?
@ITBandha 6 months ago
Hey, Have you got a solution with respect to .PEM file for this Root CA.. I'm looking for something similar (Aruba Fabric Composure). Kindly help me out if you have figured out a solution.
@DailyLearnings1 8 months ago
I guess permissions of duplicate certificate created was required some auto enrollment 😛
@indianpatriot204 1 year ago
Where is ldp? It's not available on my machine, can't find any download link either.
@jcmreno 1 month ago
It is a windows feature.
@JohnGiang-um2lq 1 year ago
If LDAPS:636 is enabled on a Domain Controller, can other connections still utilize LDAP:389 w/out any issues?
@Matrix.Architect 1 year ago
Yes, but your connection is un-encrypted and can become compromised more easily.
@CaseySchneider 1 year ago
Installing a CA on a domain is horrible advice...
@porks0da 9 months ago
Adding a reply with what you say is horrible advice, without providing at least some follow-up as to why, or links to articles, is horrible advice as well.
@jcmreno 1 month ago
@porks0da For security purposes, if you need to turn off the CA there is no way to do it, having these roles, same goes for print server, stability, performance and security.
@kittyyyyyyyy 5 months ago
heeha