Question
· Jul 11, 2023

Is it possible to use LDAPS?

Our LDAP authentication is set to a specific server name; we would like to use LDAPS and a virtual name pointing to our load balancer.

Product version: Caché 2018.1
$ZV: 2018.1.2 (Build 309U)

Depends on your platform (although that may have changed since the last time I configured an LDAP setup).

With Caché/IRIS running on *nix variants, the only option is STARTTLS, which is encrypted but uses the "standard" port 389. With Windows, I believe "LDAP over SSL" (aka LDAPS) is also an option, on port 686 by default.

Both will require that whatever certificate is served is valid for the load balancer. This is usually accomplished via a certificate Subject Alternative Name value.

Another option I have used is stunnel, on Linux variants (SUSE and Red Hat).

Caché/IRIS connects to a local proxy, which then connects via TLS to the LDAP service.

Note: If you run the proxy in a process jail and find it can't re-look up DNS after being started (i.e. the DNS lookup happens once, on startup), one approach is a mini-service script that monitors the DNS-to-IP resolution periodically and auto-restarts the stunnel proxy when it changes. One advantage is that, if the DNS resolution service is temporarily unavailable, the running proxy carries on using the previously resolved IP address.
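
The DNS-watching mini-service described in the note above, as an added example that is not part of the original post. The host name, state file path, restart command and interval are assumptions to adapt to the local setup.

```shell
#!/bin/sh
# Added example (not from the post): restart a stunnel LDAP proxy when the
# address behind its target hostname changes. All names below are assumptions.
LDAP_HOST="${LDAP_HOST:-ldap-vip.example.internal}"     # placeholder virtual name
STATE_FILE="${STATE_FILE:-/var/run/stunnel-ldap.ips}"   # last address set seen
RESTART_CMD="${RESTART_CMD:-systemctl restart stunnel}" # assumed service name
INTERVAL="${INTERVAL:-60}"                              # seconds between checks

# Print the sorted, de-duplicated IPv4 addresses for a host on one line.
# Sorting keeps round-robin reordering from looking like a change.
resolve_ips() {
    getent ahostsv4 "$1" 2>/dev/null | awk '{print $1}' | sort -u | tr '\n' ' '
}

# One check. Prints: recorded | unchanged | restarted | restart-failed | lookup-failed
check_once() {
    current=$(resolve_ips "$LDAP_HOST")
    if [ -z "$current" ]; then
        # DNS unavailable: leave the running proxy on its previously resolved IP.
        echo "lookup-failed"; return 0
    fi
    if [ ! -f "$STATE_FILE" ]; then
        printf '%s\n' "$current" > "$STATE_FILE"
        echo "recorded"; return 0
    fi
    previous=$(cat "$STATE_FILE")
    if [ "$current" = "$previous" ]; then
        echo "unchanged"; return 0
    fi
    # Address set changed: restart so stunnel resolves the name again.
    if sh -c "$RESTART_CMD" >/dev/null 2>&1; then
        printf '%s\n' "$current" > "$STATE_FILE"
        echo "restarted"
    else
        echo "restart-failed"   # state kept, so the next pass retries
    fi
}

# Loop only when called as: script.sh run
if [ "${1:-}" = "run" ]; then
    while :; do
        logger -t stunnel-dns-watch "$LDAP_HOST: $(check_once)" 2>/dev/null
        sleep "$INTERVAL"
    done
fi
```

Run it outside the jail so that it can still reach the resolver, and give it only the privilege needed to restart the one service.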