Skip to main content

Securing LDAP session communication

There are two ways to enable LDAP secure sessions for queries to the AD server. You can use LDAP signing and sealing, which encrypts traffic (sealing) and protects the integrity (signing) of session traffic between the storage virtual machine (SVM) LDAP client and the LDAP server. Alternatively, you can use LDAP over TLS to encrypt all session traffic.

  • LDAP signing and sealing concepts
    Beginning in ONTAP 9.4, you can configure signing and sealing to enable LDAP session security on queries to an Active Directory (AD) server. You must configure the CIFS server security settings on the storage virtual machine (SVM) to correspond to those on the LDAP server.
  • Enabling LDAP signing and sealing on the CIFS server
    Before your CIFS server can use signing and sealing for secure communication with an Active Directory LDAP server, you must modify the CIFS server security settings to enable LDAP signing and sealing.
  • LDAPS concepts
    You must understand certain terms and concepts about how ONTAP secures LDAP communication. ONTAP can use LDAPS for setting up authenticated sessions between Active Directory-integrated LDAP servers or Linux-based LDAP servers.
  • Configuring LDAP over TLS
    To configure LDAP over TLS, you must export a copy of the self-signed root CA certificate, install the self-signed root CA certificate using the exported file, and then enable LDAP over TLS on the SVM.