Question
· Jul 11, 2023

Is it possible to use LDAPS

Our LDAP authentication is set to a specific servername, we would like to use LDAPS and a virtual name pointing to our load balancer.

Product version: Caché 2018.1
$ZV: 2018.1.2 (Build 309U)

Depends on your platform (although that may have changed since the last time I configured an LDAP setup).

With Caché/IRIS running on *nix variants, the only option is STARTTLS, which is encrypted but uses the "standard" port 389. With Windows, I believe "LDAP over SSL" (aka LDAPS) is also an option, on port 686 by default.

Both will require that whatever certificate is served is valid for the load balancer. This is usually accomplished via a certificate Subject Alternative Name value.

Another option I have used is stunnel, on Linux variants (SUSE and RedHat).

Where Caché / IRIS connects to a local proxy, which then connects via TLS to the LDAP service.

Note: If you are running the proxy in a process jail, you may find it can't re-do the DNS lookup after being started, i.e. the DNS lookup happens once at startup. An approach is a mini-service script that monitors the DNS-to-IP resolution periodically and auto-restarts the stunnel proxy when it changes. One advantage is that, if the DNS resolution service is temporarily unavailable, the running proxy carries on using the previously resolved IP address.

Yes, it is possible to use LDAPS with a virtual name pointing to your load balancer. First, ensure your LDAP servers are configured to support LDAPS (LDAP over SSL). Next, configure your load balancer to handle LDAPS traffic and point to your backend LDAP servers. Assign a virtual name (DNS alias) to your load balancer and install an SSL certificate that matches the virtual name. Finally, update your LDAP authentication settings to use the virtual name with the LDAPS protocol. This setup will securely route authentication requests through the load balancer to the appropriate LDAP server.

To switch from LDAP to LDAPS using a virtual name pointing to your load balancer, you'll need to follow these steps:

Obtain and Install SSL Certificates: Ensure that the SSL certificates are installed on the load balancer and the LDAP servers. These certificates should be from a trusted Certificate Authority (CA) or be self-signed certificates added to the Caché trust store.

Configure the Load Balancer: Set up your load balancer with a virtual name that will handle LDAPS traffic. Ensure it forwards the LDAPS requests to the LDAP servers.

Update Caché Configuration: Access the Caché management portal:

* Go to System Administration > Security > LDAP Configuration.
* Update the LDAP server name to the virtual name pointing to your load balancer.
* Change the port to 636 (default LDAPS port) or the port your LDAPS is configured to use.

Enable SSL/TLS in Caché: Ensure that SSL/TLS is enabled for LDAP communication.

Test the Configuration: Validate the connection to ensure that Caché can successfully authenticate using LDAPS through the load balancer. You can do this by attempting to log in or by using a test user.
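A quick pre-check for the certificate step above, added here as an example rather than code from the thread or from InterSystems: it performs the same TLS handshake an LDAPS client would against the virtual name and reports the certificate's SAN entries, and it includes a small matcher showing why the SAN (not the CN) has to cover the load balancer's name. The virtual name `ldap-vip.example.com` and the port are constructed placeholders.

```python
"""Check that an LDAPS endpoint behind a load balancer serves a certificate
that is valid for the virtual name Caché/IRIS will be configured with."""
import socket
import ssl

# Constructed example values: replace with your own virtual name and port.
VIRTUAL_NAME = "ldap-vip.example.com"
LDAPS_PORT = 636


def _label_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: exact, or a single leading '*' label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # The wildcard stands for exactly one label and never the whole domain.
    return (len(p_labels) == len(h_labels) and len(h_labels) > 2
            and p_labels[1:] == h_labels[1:])


def san_dns_names(cert: dict) -> list:
    """Extract dNSName entries from a getpeercert()-style dict."""
    return [val for kind, val in cert.get("subjectAltName", ()) if kind == "DNS"]


def cert_valid_for(cert: dict, hostname: str) -> bool:
    """True if some SAN dNSName covers hostname; a matching CN alone is not enough."""
    return any(_label_matches(name, hostname) for name in san_dns_names(cert))


def check_ldaps(hostname: str = VIRTUAL_NAME, port: int = LDAPS_PORT, cafile=None):
    """Open a verified TLS connection to hostname:port, as an LDAPS client does,
    and return (tls_version, san_names). An untrusted chain or a name mismatch
    raises ssl.SSLCertVerificationError, the same failure Caché hits at login."""
    ctx = ssl.create_default_context(cafile=cafile)  # verifies chain and hostname
    with socket.create_connection((hostname, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
            return tls.version(), san_dns_names(cert)


if __name__ == "__main__":
    print(check_ldaps())
```

Pass `cafile=` pointing at your private CA bundle when the load balancer's certificate is not issued by a publicly trusted CA.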