Can Live LDAP Lookup authenticate through secure LDAP (636/tcp instead of 389/tcp)?
We can set up the directory connection used by the lookup plugin to use a secure LDAP (LDAPS) connection on port 636. To set up the secure connection, import the AD certificate into the cacerts keystore on the Enforce Server. Also see the Enforce console help on making a secure connection: search for SSL and select "Importing SSL certificates to Enforce or Discover servers" from the help menu.
1. Obtain the certificate of the AD server that your LDAP Lookup plugin configuration connects to. Note: the certificate must come from whichever host you are actually connecting to.
2. Import this certificate into the Enforce cacerts keystore. See the Enforce help file on importing a certificate into the Enforce cacerts keystore, which is also reproduced below:
3. Copy the certificate file you want to import to the Enforce Server.
4. Change directory to c:\SymantecDLP\jre\bin on the Enforce Server or Discover Server computer.
5. Execute the keytool utility with the -importcert option to import the public key certificate to the Enforce Server cacerts keystore:
keytool -importcert -alias myAdServer -keystore ..\lib\security\cacerts -file my-domaincontroller.crt
In this example command, myAdServer is a new alias to assign to the imported certificate and my-domaincontroller.crt is the path to your certificate file.
6. When you are prompted, enter the password for the keystore.
By default, the password is changeit. You can change the password if you want.
To change the password, use: keytool -storepasswd -new <newPassword> -alias <aliasName> -keystore <keystore>
Example: keytool -storepasswd -new changeit2 -alias myAdServer -keystore ..\lib\security\cacerts
7. Create a directory connection in Enforce; make sure the port is 636 and the secure connection box is checked. Once the connection test succeeds, save the connection in Enforce.
8. In your LDAP Lookup plugin configuration, select the secure directory connection you created in the previous step, and test the plugin.
The LDAP Lookup plugin now pulls its data over the secure connection on port 636.
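The steps above can be scripted end to end: fetch the domain controller's LDAPS certificate, import it into the Enforce JRE cacerts keystore, and confirm that a TLS handshake on port 636 actually validates against that keystore before the plugin is pointed at it. This is an added example, not code from the article or from Symantec; it assumes openssl and keytool are on PATH, and the host name, keystore path and alias are placeholders.

```bash
#!/usr/bin/env bash
# Added example (not part of the original KB article).
# Assumptions: openssl and keytool on PATH; DC_HOST/CACERTS/ALIAS are placeholders.
set -eu

DC_HOST="${DC_HOST:-dc01.example.local}"   # placeholder domain controller
# Linux Enforce path; on Windows use C:\SymantecDLP\jre\lib\security\cacerts
CACERTS="${CACERTS:-/opt/SymantecDLP/jre/lib/security/cacerts}"
ALIAS="${ALIAS:-myAdServer}"
STOREPASS="${STOREPASS:-changeit}"          # keytool default; change it in production

# Keep only the first PEM block of `openssl s_client -showcerts` output: that is the
# server (leaf) certificate. Later blocks are the issuing CA chain.
extract_leaf_cert() {
  awk '/-----BEGIN CERTIFICATE-----/{n++} n==1{print} /-----END CERTIFICATE-----/{if(n==1) exit}'
}

# Number of PEM blocks the server sent (sanity check: a DC normally sends 1 or 2).
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' || true; }

fetch_chain() {
  # -servername sends SNI; </dev/null makes s_client exit right after the handshake
  openssl s_client -connect "${DC_HOST}:636" -servername "${DC_HOST}" -showcerts </dev/null 2>/dev/null
}

import_cert() {  # $1 = PEM file to trust
  keytool -importcert -noprompt -alias "${ALIAS}" -keystore "${CACERTS}" \
          -storepass "${STOREPASS}" -file "$1"
  keytool -list -alias "${ALIAS}" -keystore "${CACERTS}" -storepass "${STOREPASS}"
}

verify_handshake() {
  # Export the trusted entry back out of cacerts and verify the live chain against it;
  # -verify_return_error makes s_client fail if the chain does not validate.
  keytool -exportcert -rfc -alias "${ALIAS}" -keystore "${CACERTS}" \
          -storepass "${STOREPASS}" > /tmp/trusted-"${ALIAS}".pem
  openssl s_client -connect "${DC_HOST}:636" -servername "${DC_HOST}" \
          -CAfile /tmp/trusted-"${ALIAS}".pem -verify_return_error </dev/null >/dev/null 2>&1
}

if [ "${1:-}" = "run" ]; then
  fetch_chain | extract_leaf_cert > dc-leaf.crt
  echo "server sent $(fetch_chain | count_certs) certificate(s)"
  import_cert dc-leaf.crt
  verify_handshake && echo "LDAPS chain verified against ${CACERTS}"
fi
```

Run it as `./ldaps-trust.sh run` on the Enforce Server. Importing the issuing CA's certificate (the last block of the chain) instead of the leaf has the same effect and survives the domain controller's certificate renewal.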