PGP Encryption Server Directory Synchronization cannot use IP address for LDAPS (Symantec Encryption Management Server)
Article ID: 197991

Products

Encryption Management Server, Gateway Email Encryption

Issue/Introduction

PGP Encryption Server Directory Synchronization can connect to Windows Active Directory domain controllers for enrollment, user validation and authentication.

The security of Active Directory domain controllers is paramount, and wherever LDAP functionality is used, the DC should be configured to reject LDAP (non-TLS) simple binds performed over a clear-text connection. Therefore the PGP Encryption Server should be configured to use LDAPS, not LDAP.

LDAP uses port 389 for clear-text queries, and port 3268 if the domain controller is a global catalog server.

LDAPS uses port 636 for secure (TLS-encrypted) connections to the DC, and port 3269 if the DC is a global catalog server.

The PGP Encryption Server does not need to trust the certificates in the issuing chain of the domain controller's certificate and will work out of the box without special configuration.

However, if you specify the domain controller Hostname as an IP address, the LDAPS connection will fail when you click the Test Connection button:

The following Information message will be logged to the Administration log where 192.168.1.100 is the IP address of the domain controller and 3269 is the port:

Test LDAP connection fail: 192.168.1.100:3269

Cause

TLS connections rely on the Hostname matching the Common Name (CN) of the domain controller's certificate. An IP address entered in the Hostname field does not match the name in the certificate, so hostname verification fails and the connection is rejected.

Resolution

Because LDAPS should always be used, always specify the FQDN (fully qualified domain name) of the domain controller in the Hostname field when configuring Directory Synchronization, rather than its IP address. Using the FQDN allows proper TLS certificate validation to be completed.

This name should match the Common Name (CN) of the domain controller's certificate.

For more general information on how to configure Directory Synchronization, see the following article:

180239 - HOW TO: Enable Directory Synchronization on the PGP Encryption Server (Symantec Encryption Management Server)
