The current Active Directory (AD) integration with VMware NSX is configured using the Lightweight Directory Access Protocol (LDAP), which uses the non-secure default port 389.
To enhance security, there is a need to migrate this integration to use LDAP Secure (LDAPS), which utilizes the secure default port 636. This change involves updating the NSX Identity Source configuration to use the secure protocol and properly handle the required X.509 certificates for secure communication.
VMware NSX
Follow these steps within the NSX Manager interface to convert your existing LDAP Identity Source to LDAPS:
1. Navigate to LDAP Settings: In the NSX Manager UI, go to System > User Management > LDAP.
2. Edit the Identity Source: Locate the configured Identity Source that you wish to modify and click Edit.
3. Access Server Details: Click the numerical value displayed under the LDAP server column to view and edit the server configuration.
4. Change Protocol: Change the LDAP Protocol dropdown option to LDAPS.
5. Configure Certificate: Certificate handling is crucial for LDAPS, and the correct value depends on how NSX reaches the LDAP server.
   - Direct Server Connection:
     - If you leave the Certificate text box blank and click Check Status, NSX attempts to connect to the LDAP server, retrieves its X.509 certificate, and prompts you to trust it.
     - If the certificate is verified as correct, click OK; the text box is then populated automatically with the retrieved certificate.
     - Recommended: For maximum control and security, manually enter the PEM-encoded X.509 certificate of the LDAP server.
   - Servers Behind an L4 Load Balancer VIP:
     - Same CA: If all LDAP servers behind the VIP present certificates signed by the same Certificate Authority (CA), enter the PEM-encoded X.509 certificate of the CA that signed the server certificates.
     - Different CAs (Same Root): If the LDAP servers use certificates signed by different subordinate CAs that all chain to the same root CA, enter the root CA certificate in the certificate field.
     - Note: Entering the CA certificate is vital when using a load balancer. If only a single server certificate is accepted (by clicking Check Status), the connection may fail when the load balancer routes the request to another server that presents a different certificate or chain.
6. Apply and Test: Click Apply to save the changes, then use the available test options to confirm that authentication over the LDAPS connection succeeds.
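The certificate-field rules in step 5 can be checked before anything is pasted into NSX. The shell lab below is an added example and not part of this article or of NSX: it builds a throwaway PKI with openssl (a root CA, two subordinate CAs, and one server certificate per LDAP server behind a hypothetical VIP) and tests which anchor validates what both servers would present; the `-partial_chain` flag lets a sub CA or the server certificate itself terminate the chain, which mirrors pinning a single certificate. All CA names and host names (Lab Root CA, Sub CA A/B, ldap1/ldap2.lab.example) are constructed for the lab.

```shell
#!/bin/sh
# Added example (not NSX code): throwaway PKI mirroring the load-balancer cases.
set -eu
LAB=$(mktemp -d)
trap 'rm -rf "$LAB"' EXIT

printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' >"$LAB/ca.ext"
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' >"$LAB/srv.ext"

# csr <name> <CN>: generate a key pair and CSR for a CA or a server
csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$LAB/$1.key" \
    -out "$LAB/$1.csr" -subj "/CN=$2" >/dev/null 2>&1
}
# sign <name> <issuer> <extfile>: issue <name>.crt from its CSR
sign() {
  openssl x509 -req -in "$LAB/$1.csr" -CA "$LAB/$2.crt" -CAkey "$LAB/$2.key" \
    -CAcreateserial -days 30 -extfile "$LAB/$3" -out "$LAB/$1.crt" >/dev/null 2>&1
}

# Constructed hierarchy: root CA -> two subordinate CAs -> one server cert each
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Lab Root CA" \
  -keyout "$LAB/root.key" -out "$LAB/root.crt" >/dev/null 2>&1
csr subA "Lab Sub CA A";        sign subA root ca.ext
csr subB "Lab Sub CA B";        sign subB root ca.ext
csr ldap1 ldap1.lab.example;    sign ldap1 subA srv.ext
csr ldap2 ldap2.lab.example;    sign ldap2 subB srv.ext

# anchor_trusts <anchor.crt> <server> <intermediate>: would the PEM in the NSX
# certificate field validate this server's certificate plus the chain it sends?
anchor_trusts() {
  openssl verify -partial_chain -CAfile "$1" -untrusted "$LAB/$3.crt" \
    "$LAB/$2.crt" >/dev/null 2>&1
}
# trusts_both <anchor.crt>: succeeds only if the VIP may route to either server
trusts_both() {
  anchor_trusts "$1" ldap1 subA && anchor_trusts "$1" ldap2 subB
}

# Pinned server cert and sub CA A each trust only ldap1; the shared root trusts both
for anchor in ldap1 subA root; do
  if trusts_both "$LAB/$anchor.crt"; then
    echo "$anchor.crt: trusts both servers behind the VIP"
  else
    echo "$anchor.crt: trusts one server only; fails once the VIP routes elsewhere"
  fi
done
```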