Configuring Active Directory LDAPS
This section describes the procedure for using LDAPS to connect with Active Directory.
[ Reference ]
- The procedure described on this page is necessary only when LDAPS is used to connect with Active Directory.
- Contact Microsoft or your support vendor for inquiries on configuring Active Directory.
Follow the procedure below to configure and use LDAPS:
1. Enable LDAP signing and LDAP channel binding (Active Directory)
Enable Active Directory LDAP signing and LDAP channel binding.
Refer to the following pages for more information on the procedures to enable LDAP signing and LDAP channel binding.
- How to enable LDAP signing in Windows Server
- Use the LdapEnforceChannelBinding registry entry to make LDAP authentication over SSL/TLS more secure
2. Issue and install a server certificate (Active Directory)
Issue a certificate for the LDAPS connection and install it in Active Directory by any of the following methods:
- Active Directory Certificate Services
Install in Active Directory a server certificate issued using Active Directory Certificate Services.
Refer to the following page for more information on the procedure to enable Active Directory Certificate Services and issue a server certificate.
- Step-by-Step Guide to Setup LDAPS on Windows Server, “Setup LDAPS (LDAP over SSL)”
- Third-party CA
Install in Active Directory a server certificate issued by a certification authority (CA) other than Active Directory Certificate Services.
Refer to the following page for more information on how to install a third-party CA.
[ Reference ]
When you use a third-party CA certificate, contact the certification authority (CA) that you use for inquiries on certificate settings.
3. Install a root certificate (Directory Sync host)
To verify the signatures of LDAPS connections made by Directory Sync, install a root certificate on the Directory Sync host by using any of the following methods:
[ Reference ]
If a root certificate has already been installed on the Directory Sync host, this step is unnecessary.
[ Note ]
The server certificate is not verified in Directory Sync version 2.3.0.
To verify the server certificate, use Directory Sync version 3.0.0 or later.
- Active Directory Certificate Services
Obtain and install the root certificate for the server certificate issued using Active Directory Certificate Services.
Refer to the following page for more information on how to export a root certificate.
- Third-party CA
Obtain and install the root certificate for the server certificate installed in Active Directory.
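As an added check that is not part of this page's procedure or of Directory Sync itself, the following Python script, run from the Directory Sync host after step 3, confirms that the certificate presented on port 636 chains to the installed root certificate and matches the host name. The host name `dc.example.com` and the optional PEM path are hypothetical; with no path, the OS trust store (where an installed root certificate normally lands) is used.

```python
"""Check an LDAPS endpoint against the root certificate installed on this host."""
import socket
import ssl


def build_verifying_context(root_cert_path=None):
    # Strict client context: the server certificate must chain to a trusted root
    # (a PEM file if given, otherwise the OS trust store) and the host name must match.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=root_cert_path)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def explain_failure(verify_message):
    # Map the OpenSSL verification message to the step on this page that addresses it.
    m = verify_message.lower()
    if "self-signed" in m or "unable to get local issuer" in m or "unable to get issuer" in m:
        return "chain does not reach the installed root certificate: redo step 3 (install the issuing CA's root certificate)"
    if "hostname mismatch" in m or "doesn't match" in m:
        return "certificate subject/SAN does not cover the host name used: reissue the server certificate (step 2)"
    if "expired" in m:
        return "server certificate has expired: reissue it (step 2)"
    return "verification failed: " + verify_message


def check_ldaps(host, root_cert_path=None, port=636):
    # Perform only the TLS handshake; no LDAP bind, no credentials are sent.
    ctx = build_verifying_context(root_cert_path)
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {"ok": True, "tls_version": tls.version(),
                        "subject": cert.get("subject"), "not_after": cert.get("notAfter")}
    except ssl.SSLCertVerificationError as e:       # chain or host-name problem
        return {"ok": False, "reason": explain_failure(e.verify_message)}
    except OSError as e:                            # refused, timeout, other TLS error
        return {"ok": False, "reason": "connection failed: " + str(e)}


if __name__ == "__main__":
    print(check_ldaps("dc.example.com"))           # hypothetical domain controller
```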