is ssl required for 363 port for LDAP profile

cancel
Showing results for 
Search instead for 
Did you mean: 

is ssl required for 363 port for LDAP profile

L1 Bithead

Our client has LDAP configured with 363 port, ssl/tls box unchecked. having issue with GP connection, showing error as 'ldap cfg SCB_Group_7 failed to connect to server: Can\'t contact LDAP server'.

2 REPLIES 2

Cyber Elite
Cyber Elite

Hi @HussainMohammed ,

 Do you mean port 636 - which is default for LDAPS? Or you use custom port 363?

Changing only the port in LDAP profile doesn't really enable encryption. Firewall will still try to use plaintext LDAP over 636 if you don't have enabled ssl/tls checkbox. If you want to use encrypted LDAP you need to check the box and put the ports that DC is configured to allow.

 

It is intersting to note what official documentation says about enabling the checkbox and with different ports:

Astardzhiev_0-1636881345097.png

 

 

The error you receive indicates that firewall is not able to make LDAP queries. There are few reasons, from no network connection between FW and DC, DC requires encryption, to bind credentials are incorrect or lack permissions.

 

- Have you confirm network connectivity between FW and DC? Try to ping DC from firewall.

- If you not sure if ping is allowed to DC, it probably better to set a packet capture on the FW. This will show you not only if TCP session is established, but also what reply you get from DC, when bind request is sent.

- The easiest way to test connection to LDAP (and not way for user to try to authenticate) is to try to create group mapping and try to expand the domain tree - this way FW will try to pull domain structure from DC over LDAP, which will generate traffic that you can capture.

 

 

Cyber Elite
Cyber Elite

@HussainMohammed,

Another thing to check outside of what @Astardzhiev mentioned is that you aren't dropping the LDAPS traffic on the firewall itself if your management interface traffic has to route through security zones. The firewall will see LDAPS traffic as standard SSL traffic, so you'll either need to create an application-override entry, a custom app-id, or just allow ssl over 636/tcp in your security rulebase.

I've seen a lot of people spend a lot of time troubleshooting LDAPS issues without verifying that the traffic is actually getting allowed.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!