Honored Contributor.

LDAP user source - switch to SSL

Word is that Microsoft in March of 2020 is going to stop allowing clear text LDAP. I've been working to make sure all my LDAP binds are going over TLS, and ZCM was one of a couple I found. I'm nervous that changing the config is going to reset something, which would be awful. Do I have to worry about that, or can I go into my config and switch it over to use SSL and then mess around with the certs without having to worry?

ZCM 2017

https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows

4 Replies

Micro Focus Expert

Re: LDAP user source - switch to SSL

You can enable SSL on your AD LDAP Controllers, but that will not require SSL by default.

Then in the ZCC, you can simply toggle SSL on/off. If it fails using SSL, it is clear and obvious right away.


--
Please give a hearty thumbs up to any post you find helpful!
To find articles by Craig Wilson simply follow the link: Craig Wilson's Tips!
Honored Contributor.

Re: LDAP user source - switch to SSL

Thanks Craig,

The reason SSL is not turned on, is when we installed ZCM many years ago we did not have LDAPS support in our AD environment. That was rectified many years ago but nobody circled back to ZCM to enable it, so it was one of very few systems that was still using LDAP without encryption.

I'll mess around with the config during off hours, so as not to cause any problems.

I also wanted to get this post out there, so others know that Microsoft has plans to enforce encryption with LDAP. I'm sure there will be a way to disable it, but this is a good reason to verify everything in your environment is using LDAPS.

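As an added example (not from this thread and not part of ZCM), one way to do that verification on the AD side: once the "16 LDAP Interface Events" diagnostic is set to 2, each domain controller logs Directory Service event 2889 for every unsigned SASL bind or cleartext simple bind, and the script below turns a text export of those events into a per-client list of what still has to move to LDAPS. The sample events, IPs and account names are constructed, and the field labels follow the event text as this example assumes it is laid out.

```python
import re
from collections import Counter

# Constructed sample: three exported 2889 messages (fields as this example
# assumes the event text is laid out; ports, IPs and names are made up).
SAMPLE_EVENTS = """\
Client IP address:
10.1.2.30:51234
Identity the client attempted to authenticate as:
CORP\\svc_zcm
Binding Type:
1
---
Client IP address:
10.1.2.30:51240
Identity the client attempted to authenticate as:
CORP\\svc_zcm
Binding Type:
1
---
Client IP address:
10.1.9.7:60001
Identity the client attempted to authenticate as:
CORP\\jdoe
Binding Type:
0
"""

# One match per event; the client port is dropped so binds group by host (IPv4 only).
FIELD_RE = re.compile(
    r"Client IP address:\s*(?P<ip>[\d.]+):\d+\s*"
    r"Identity the client attempted to authenticate as:\s*(?P<identity>\S+)\s*"
    r"Binding Type:\s*(?P<type>[01])"
)

# Binding Type 0 = SASL bind without signing, 1 = simple bind over cleartext.
BIND_KIND = {"0": "sasl-unsigned", "1": "simple-cleartext"}

def parse_2889(text):
    """Return one dict per event: client IP, identity used, and kind of insecure bind."""
    return [{"ip": m["ip"], "identity": m["identity"], "kind": BIND_KIND[m["type"]]}
            for m in FIELD_RE.finditer(text)]

def summarise(events):
    """Count binds per (client IP, identity, kind), busiest first, so each
    offending system can be found and moved to LDAPS or signed SASL."""
    counts = Counter((e["ip"], e["identity"], e["kind"]) for e in events)
    return sorted(counts.items(), key=lambda kv: -kv[1])
```

Feed it the concatenated message bodies from the Directory Service log and the top entries are the hosts (such as a ZCM primary) to fix first.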
Contributor.

Re: LDAP user source - switch to SSL

We're in the same boat. I'm concerned as well. Tough to change to SSL in production.

Honored Contributor.

Re: LDAP user source - switch to SSL

FYI. I switched mine this weekend and it was a piece of cake and caused no issues.

I flipped the switch to turn on SSL and it gave me a warning. I then went into the config for each LDAP server; it has an "update" button that will go fetch the certificate from the LDAP server, and then I saved and moved on to the next server.

I made sure to log in to ZCM with a local (non-LDAP) admin account beforehand. When I was done with the changes I logged out, and then tested a login with my LDAP account. No issues.