Encryption Management Server Directory Synchronization cannot use IP address for LDAPS

Article ID: 197991

Products

Encryption Management Server Powered by PGP Technology
Encryption Management Server
Gateway Email Encryption
Gateway Email Encryption Powered by PGP Technology

Issue/Introduction

Encryption Management Server Directory Synchronization can connect to Windows Active Directory domain controllers using either LDAP or LDAPS.

Microsoft states that the security of Active Directory domain controllers can be significantly improved by configuring the server to reject LDAP simple binds that are performed on a clear text (non-SSL/TLS-encrypted) connection. Therefore, Encryption Management Server should be configured to use LDAPS rather than LDAP.

LDAP uses port 389 or, if the domain controller is a global catalog server, port 3268. LDAPS uses port 636 or, if the domain controller is a global catalog server, port 3269.

Encryption Management Server does not need to trust the certificates in the issuing chain of the domain controller's certificate.

However, if you specify the domain controller Hostname as an IP address, the LDAPS connection will fail when you click the Test Connection button.

The following Information message is logged to the Administration log, where 10.1.2.3 is the IP address of the domain controller and 3269 is the port:

Test LDAP connection fail: 10.1.2.3:3269.

Cause

TLS certificate verification checks that the Hostname you entered matches the Common Name (CN) of the domain controller's certificate. An IP address does not match the CN, so the TLS handshake fails before any LDAP bind takes place.

Environment

Symantec Encryption Management Server 3.4 and above.

Resolution

Always specify the FQDN (fully qualified domain name) of the domain controller in the Hostname field when configuring Directory Synchronization. This name should match the Common Name (CN) of the domain controller's certificate.
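The following is an added example, not code from the article or from the Encryption Management Server product. It reproduces the hostname check that the Cause and Resolution sections describe, so you can see why an IP address in the Hostname field fails while the FQDN succeeds. The certificates are constructed dictionaries in the shape that Python's ssl.SSLSocket.getpeercert() returns; dc01.example.com, the wildcard name and the IP SAN entry are assumptions for illustration, and the port numbers are the ones the article lists. Note that the fallback to the CN, as the article describes, only applies when the certificate carries no DNS Subject Alternative Name.

```python
import ipaddress
import socket
import ssl

# Constructed certificate for a hypothetical domain controller, shaped like the
# dict that ssl.SSLSocket.getpeercert() returns. Domain controller certificates
# normally carry the FQDN only, with no IP Address SAN entry (assumption).
DC_CERT = {
    "subject": ((("commonName", "dc01.example.com"),),),
    "subjectAltName": (("DNS", "dc01.example.com"),),
}

# Constructed variant that additionally lists the IP address as a SAN entry,
# to show that an IP literal can only ever match an IP Address SAN.
DC_CERT_WITH_IP_SAN = {
    "subject": ((("commonName", "dc01.example.com"),),),
    "subjectAltName": (("DNS", "dc01.example.com"), ("IP Address", "10.1.2.3")),
}


def directory_port(use_ldaps: bool, global_catalog: bool) -> int:
    """Ports from the article: LDAP 389/3268, LDAPS 636/3269 (global catalog)."""
    if use_ldaps:
        return 3269 if global_catalog else 636
    return 3268 if global_catalog else 389


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS name comparison, allowing one left-most wildcard label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] == "*" and len(p_labels) == len(h_labels) and len(h_labels) > 2:
        return p_labels[1:] == h_labels[1:]
    return False


def cert_matches_hostname(cert: dict, hostname: str) -> bool:
    """Return True if `hostname` is a valid identity for `cert`.

    An IP literal only matches an "IP Address" SAN entry. A DNS name matches a
    "DNS" SAN entry; only when the certificate has no DNS SAN entries does the
    check fall back to the subject Common Name, which is the case the article
    describes.
    """
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    san = cert.get("subjectAltName", ())
    if ip is not None:
        return any(kind == "IP Address" and ipaddress.ip_address(value) == ip
                   for kind, value in san)
    dns_names = [value for kind, value in san if kind == "DNS"]
    if dns_names:
        return any(_dns_name_matches(name, hostname) for name in dns_names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and _dns_name_matches(value, hostname):
                return True
    return False


def describe_test_connection(hostname: str, port: int, cert: dict) -> str:
    """Build the verdict for a Test Connection attempt against `cert`.

    The failure string mirrors the Administration log line quoted in the
    article; the success string is constructed for this example.
    """
    if cert_matches_hostname(cert, hostname):
        return f"Test LDAP connection ok: {hostname}:{port}."
    return f"Test LDAP connection fail: {hostname}:{port}."


def fetch_dc_certificate(hostname: str, port: int = 636, cafile=None) -> dict:
    """Connect to a real domain controller over TLS and return its certificate.

    Not exercised offline. Hostname verification stays enabled, so passing an
    IP literal fails here for the same reason it fails in Directory
    Synchronization; `cafile` lets you supply the issuing chain if it is not
    in the system trust store.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((hostname, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    gc_port = directory_port(use_ldaps=True, global_catalog=True)
    print(describe_test_connection("10.1.2.3", gc_port, DC_CERT))
    print(describe_test_connection("dc01.example.com", gc_port, DC_CERT))
```

Running the block prints the failing log line for 10.1.2.3:3269 followed by the success line for dc01.example.com:3269. The second constructed certificate shows the only way an IP literal could pass: an explicit IP Address SAN entry, which domain controller certificates do not normally carry, so the practical fix is the one the article gives, enter the FQDN that the certificate names.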

For more general information on how to configure Directory Synchronization, see article 180239.
