
Enforcing usage of LDAPS

Description

To require that a directory server rejects simple binds that occur on a clear-text connection, you must apply a policy.

Please refer to How to enable LDAP signing in Windows Server 2008 for the original article, but we will duplicate the content here for ease of use (especially since we had a hard time finding it ourselves...).

How to configure the directory to require LDAP server signing using Group Policy

How to set the server LDAP signing requirement

1. Click Start, click Run, type mmc.exe, and then click OK.

2. On the File menu, click Add/Remove Snap-in.

3. In the Add or Remove Snap-ins dialog box, click Group Policy Management Editor, and then click Add.

4. In the Select Group Policy Object dialog box, click Browse.

5. In the Browse for a Group Policy Object dialog box, click Default Domain Policy under the Domains, OUs and linked Group Policy Objects area, and then click OK.

6. Click Finish.

7. Click OK.

8. Expand Default Domain Controller Policy, expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.

9. Right-click Domain controller: LDAP server signing requirements, and then click Properties.

10. In the Domain controller: LDAP server signing requirements Properties dialog box, enable Define this policy setting, click to select Require signing in the Define this policy setting drop-down list, and then click OK.

11. In the Confirm Setting Change dialog box, click Yes.

How to set the client LDAP signing requirement through local computer policy

1. Click Start, click Run, type mmc.exe, and then click OK.

2. On the File menu, click Add/Remove Snap-in.

3. In the Add or Remove Snap-ins dialog box, click Group Policy Object Editor, and then click Add.

4. Click Finish.

5. Click OK.

6. Expand Local Computer Policy, expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.

7. Right-click Network security: LDAP client signing requirements, and then click Properties.

8. In the Network security: LDAP client signing requirements Properties dialog box, click to select Require signing in the drop-down list, and then click OK.

9. In the Confirm Setting Change dialog box, click Yes.

How to set the client LDAP signing requirement through a domain Group Policy Object

1. Click Start, click Run, type mmc.exe, and then click OK.

2. On the File menu, click Add/Remove Snap-in.

3. In the Add or Remove Snap-ins dialog box, click Group Policy Object Editor, and then click Add.

4. Click Browse, and then select Default Domain Policy (or the Group Policy Object for which you want to enable client LDAP signing).

5. Click OK.

6. Click Finish.

7. Click Close.

8. Click OK.

9. Expand Default Domain Policy, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.

10. In the Network security: LDAP client signing requirements Properties dialog box, click to select Require signing in the drop-down list, and then click OK.

11. In the Confirm Setting Change dialog box, click Yes.
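To confirm that the server and client settings above actually took effect on a given machine, here is an added PowerShell check (not from the article or from Microsoft). It assumes an elevated session on the computer being checked and reads the registry values those two policies write, plus the Directory Service summary event a domain controller logs while signing is still optional.

```powershell
# Added verification script; it is not part of the knowledge base article above.
# Assumes an elevated PowerShell session on the computer being checked
# (a domain controller for the server setting, any domain member for the client one).

function Get-LdapSigningRequirement {
    # The two policies write these registry values; decode them back to the
    # wording shown in the policy editor.
    $serverLevels = @{ 1 = 'None'; 2 = 'Require signing' }
    $clientLevels = @{ 0 = 'None'; 1 = 'Negotiate signing'; 2 = 'Require signing' }

    # "Domain controller: LDAP server signing requirements"
    $ntds   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $server = (Get-ItemProperty -Path $ntds -Name LDAPServerIntegrity -ErrorAction SilentlyContinue).LDAPServerIntegrity

    # "Network security: LDAP client signing requirements"
    $ldap   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'
    $client = (Get-ItemProperty -Path $ldap -Name LDAPClientIntegrity -ErrorAction SilentlyContinue).LDAPClientIntegrity

    [pscustomobject]@{
        # An absent value means the policy was never applied and the default is in effect.
        ServerSigning  = if ($null -eq $server) { 'Not configured (None)' } else { $serverLevels[[int]$server] }
        ClientSigning  = if ($null -eq $client) { 'Not configured (Negotiate signing)' } else { $clientLevels[[int]$client] }
        # Only "Require signing" (2) makes the DC reject simple binds on clear text;
        # simple binds over SSL/TLS (LDAPS) and SASL binds that negotiate signing are still accepted.
        ServerEnforced = ($server -eq 2)
        ClientEnforced = ($client -eq 2)
    }
}

function Get-UnsignedLdapBindSummary {
    # A DC that does not yet require signing logs Directory Service event 2887 once
    # every 24 hours with the number of unsigned SASL binds and clear-text simple binds
    # it accepted. Review it before enforcing the policy to see which clients would break.
    try {
        $e = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2887 } `
                          -MaxEvents 1 -ErrorAction Stop
        [pscustomobject]@{ TimeCreated = $e.TimeCreated; Message = $e.Message }
    }
    catch {
        # No event: signing is already enforced, or no unsigned bind occurred in the last 24 hours.
        $null
    }
}

Get-LdapSigningRequirement | Format-List
Get-UnsignedLdapBindSummary | Format-List
```

Run it before and after the policy refresh (gpupdate /force) to confirm the change has reached the machine, since the registry values reflect what the policy engine last applied, not what the GPO currently contains.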