You want to configure LDAP signing for the DLP LDAP connections.
You want to use SASL (Simple Authentication and Security Layer) on either port 389 or 636, though port 636 is preferred.
When configuring a Directory Connection to set up Groups Directories on the Enforce server, the connection test fails with the following error:
"Could not log in to the directory server with the specified credentials."
A Wireshark capture of the attempt will show the following in the traffic sent back from the LDAP server:
00002028: LdapErr: DSID-0C09018A, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection
This indicates that DLP is not set up to use server signing for these Directory connections, i.e., we require simple bind.
This occurs even when the connection settings have been verified with an LDAP browser.
The DLP Directory Connections use Simple Bind and cannot work when signing is required on LDAP connections.
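As an added example (not part of the original article or of the product), the following Python code parses the diagnostic string shown above and separates the signing-required condition from a genuinely wrong password, since the error shown on the Enforce server mentions only credentials. The function names, the result labels and the second sample line are constructed for illustration.

```python
import re

# Layout of the diagnostic string Active Directory puts in a failed bind response:
#   <8 hex digits>: LdapErr: DSID-<hex>, comment: <text>[, data <hex>, v<build>]
DIAG_RE = re.compile(
    r"(?P<code>[0-9A-Fa-f]{8}): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"comment: (?P<comment>.*?)"
    r"(?:, data (?P<data>[0-9A-Fa-f]+)(?:, v[0-9A-Fa-f]+)?)?\s*$"
)

STRONG_AUTH_REQUIRED = 0x2028  # Win32 ERROR_DS_STRONG_AUTH_REQUIRED (8232)
LOGON_FAILURE = 0x52E          # Win32 ERROR_LOGON_FAILURE (1326)

# The line quoted in this article.
PAGE_LINE = ("00002028: LdapErr: DSID-0C09018A, comment: The server requires "
             "binds to turn on integrity checking if SSL\\TLS are not already "
             "active on the connection")
# Constructed sample of a real wrong-password reply, for contrast.
CONSTRUCTED_BAD_PW = ("80090308: LdapErr: DSID-0C090000, comment: "
                      "AcceptSecurityContext error, data 52e, v0000")


def parse_diag(message):
    """Split a diagnostic string into its fields; None if it does not match."""
    # Captures often carry a trailing NUL after the string, so strip it too.
    m = DIAG_RE.search(message.strip("\x00 \t\r\n"))
    if not m:
        return None
    return {
        "code": int(m["code"], 16),
        "dsid": m["dsid"].upper(),
        "comment": m["comment"].strip(),
        "data": int(m["data"], 16) if m["data"] else None,
    }


def classify(message):
    """Label the failure so a signing policy is not mistaken for bad credentials."""
    diag = parse_diag(message)
    if diag is None:
        return "unparsed"
    if diag["code"] == STRONG_AUTH_REQUIRED:
        return "signing-required"  # simple bind refused on a clear-text connection
    if diag["data"] == LOGON_FAILURE:
        return "bad-credentials"   # the account name or password really is wrong
    return "other"
```

A result of `signing-required` means the credentials were never evaluated, which is why the same settings succeed in an LDAP browser.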
See the following tech doc for enabling the "Secure" encryption method to use SSL/TLS for communications between the Enforce server and the directory server.