Configure LDAPS for Active Directory connections in Cayosoft Guardian
This article describes how to configure Cayosoft Guardian and the Forest Recovery Agent to connect to Active Directory over LDAPS (LDAP over SSL/TLS). LDAPS is required in environments where plaintext LDAP traffic on port 389 has been disabled or where security policy requires TLS-encrypted directory traffic.
Prerequisites
Before enabling LDAPS in Cayosoft Guardian, confirm the following on each domain controller that you intend to manage:
- A valid server authentication certificate is installed in the domain controller's Personal certificate store. The certificate Subject or Subject Alternative Name must include the fully qualified domain name (FQDN) of the domain controller.
- The LDAPS listener on the domain controller is reachable on TCP port 636. To test connectivity from the Guardian server, run the following command:

  ```powershell
  Test-NetConnection dc01.contoso.com -Port 636
  ```

- Global Catalog over SSL is reachable on TCP port 3269 on Global Catalog servers.
- If you plan to use strict certificate validation, the issuing CA chain is installed in the Trusted Root Certification Authorities and Intermediate Certification Authorities stores on every Guardian and Forest Recovery Agent host.
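The following PowerShell script is an added example and is not part of Cayosoft Guardian or its documentation. It runs the prerequisite checks above against each domain controller from the Guardian host: port reachability (636, and 3269 for Global Catalog servers), whether the Subject or Subject Alternative Name of the presented certificate contains the DC's FQDN, and whether the chain builds against this host's trusted CA stores, which is what strict certificate validation will require. The function name `Test-LdapsPrerequisite` and the host names are assumptions.

```powershell
# Added example, not Cayosoft Guardian code: runs the LDAPS prerequisite checks
# above against each domain controller. Host names used below are constructed.
function Test-LdapsPrerequisite {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $DomainController,
        [switch] $GlobalCatalog   # also test the Global Catalog over SSL port
    )

    foreach ($dc in $DomainController) {
        $result = [ordered]@{
            DomainController = $dc
            Port636          = $false
            Port3269         = 'n/a'
            NameMatches      = $false
            ChainTrusted     = $false
            Detail           = ''
        }

        # Prerequisite: LDAPS listener reachable on TCP 636 (3269 on a Global Catalog).
        $result.Port636 = (Test-NetConnection -ComputerName $dc -Port 636 -WarningAction SilentlyContinue).TcpTestSucceeded
        if ($GlobalCatalog) {
            $result.Port3269 = (Test-NetConnection -ComputerName $dc -Port 3269 -WarningAction SilentlyContinue).TcpTestSucceeded
        }

        if ($result.Port636) {
            $tcp = $null; $ssl = $null
            try {
                # Complete a TLS handshake and capture the certificate the DC presents.
                # The callback accepts anything so the certificate can be inspected here;
                # trust is evaluated explicitly with X509Chain below.
                $tcp = [System.Net.Sockets.TcpClient]::new($dc, 636)
                $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
                $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $acceptAll)
                $ssl.AuthenticateAsClient($dc)
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)

                # Prerequisite: Subject or Subject Alternative Name carries the DC's FQDN.
                $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
                $san     = if ($sanExt) { $sanExt.Format($false) } else { '' }
                $pattern = [regex]::Escape($dc)
                $result.NameMatches = ($cert.Subject -match $pattern) -or ($san -match $pattern)

                # Prerequisite for strict validation: the chain must build against the
                # Trusted Root / Intermediate CA stores on this host.
                $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
                $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
                $result.ChainTrusted = $chain.Build($cert)
                $result.Detail = "Issuer=$($cert.Issuer); NotAfter=$($cert.NotAfter.ToString('yyyy-MM-dd'))"
                if (-not $result.ChainTrusted) {
                    $result.Detail += '; ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
                }
            }
            catch {
                $result.Detail = $_.Exception.Message
            }
            finally {
                if ($ssl) { $ssl.Dispose() }
                if ($tcp) { $tcp.Dispose() }
            }
        }

        [pscustomobject]$result
    }
}

# Usage with constructed host names; run on each Guardian and Forest Recovery Agent host,
# because the chain check depends on that host's own certificate stores.
Test-LdapsPrerequisite -DomainController 'dc01.contoso.com', 'dc02.contoso.com' -GlobalCatalog |
    Format-Table -AutoSize
```

A domain controller that shows `Port636` true but `ChainTrusted` false is exactly the case where `ldapsSkipCertificateValidation = true` would appear to work while hiding a missing CA chain on the host; fix the chain rather than keeping validation disabled.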
Step 1. Decide on a connection mode
Cayosoft Guardian supports the following LDAPS configuration options:

| Mode | Setting | When to use |
|---|---|---|
| Default, with automatic fallback | `useLdaps = false` | Use this mode in mixed environments where some domain controllers accept LDAP on port 389 and others accept only LDAPS on port 636. Cayosoft Guardian connects to port 389 first and silently falls back to port 636 when LDAP is unavailable. |
| Explicit LDAPS only | `useLdaps = true` | Use this mode in environments where port 389 is fully disabled or where security policy requires TLS for all directory traffic. Cayosoft Guardian does not connect to port 389. |
| Strict certificate validation | `ldapsSkipCertificateValidation = false` | Use this option in compliance environments where the domain controller certificate chain must be validated against the trusted CA stores on the Guardian and Forest Recovery Agent hosts. |
Step 2. Configure the Cayosoft Guardian service
Open the Cayosoft Guardian web portal.
Go to System Settings > Active Directory.
Set Use LDAPS as required for your environment.
Set Skip LDAPS certificate validation as required for your environment.
Save the settings.
Restart the Cayosoft Guardian service if prompted.
Step 3. Configure the Forest Recovery Agent
If the Forest Recovery Agent runs on a separate host, repeat the LDAPS configuration in the agent settings.
For more information, see Forest Recovery Settings.
Step 4. Verify the configuration
In the Cayosoft Guardian web portal, go to Active Directory > Domain Controllers.
Confirm that every expected domain controller is reachable.
Perform a low-impact management operation against a domain controller that accepts only LDAPS. For example, view the properties of a test user.
Open the Cayosoft Guardian service log and confirm that one of the following entries is present:

```text
LDAPS connection to {dc}:636 established
LDAPS fallback to {dc}:636 succeeded
```

NOTE: The `LDAPS fallback to {dc}:636 succeeded` entry applies to the default mode when Cayosoft Guardian falls back to LDAPS because LDAP on port 389 is unavailable.
Decision guidance
If you are enabling LDAPS one domain controller at a time, leave `useLdaps = false` and rely on automatic fallback while you roll out LDAPS across the forest. After LDAPS is available on every domain controller, set `useLdaps = true` to enforce LDAPS-only connections.

Use `ldapsSkipCertificateValidation = true` only as a temporary measure. For long-term operation, deploy the correct CA chain to every Cayosoft Guardian and Forest Recovery Agent host, and set `ldapsSkipCertificateValidation = false`.
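The following PowerShell is an added example, not Cayosoft's code, that ties the verification step and the rollout guidance together: it reads Guardian service log lines, counts the two documented entries per domain controller, and reports which expected domain controllers have not yet connected over LDAPS, which is the signal for keeping `useLdaps = false` a while longer. The sample log lines are constructed; only the two message texts come from this article, while the timestamp prefix, the log level and the host names are invented. The function name `Get-LdapsCoverage` is an assumption.

```powershell
# Added example, not Cayosoft Guardian code. The sample lines are constructed:
# only the two message texts ("LDAPS connection to ... established" and
# "LDAPS fallback to ... succeeded") come from the article; the timestamp,
# level and host names are invented for illustration.
$sampleLogLines = @(
    '2024-05-06 08:15:02 INFO LDAPS connection to dc01.contoso.com:636 established',
    '2024-05-06 08:15:03 INFO LDAPS fallback to dc02.contoso.com:636 succeeded',
    '2024-05-06 08:15:04 INFO LDAPS connection to dc01.contoso.com:636 established'
)

function Get-LdapsCoverage {
    param(
        [Parameter(Mandatory)] [string[]] $LogLine,
        [Parameter(Mandatory)] [string[]] $ExpectedDomainController
    )
    # The two service-log entries documented in the verification step.
    $explicit = [regex]'LDAPS connection to (?<dc>[^:\s]+):636 established'
    $fallback = [regex]'LDAPS fallback to (?<dc>[^:\s]+):636 succeeded'

    # Per-DC tally of how LDAPS was reached (explicit LDAPS-only vs. fallback from 389).
    $seen = @{}
    foreach ($line in $LogLine) {
        $m = $explicit.Match($line)
        $kind = 'explicit'
        if (-not $m.Success) {
            $m = $fallback.Match($line)
            $kind = 'fallback'
        }
        if ($m.Success) {
            $key = $m.Groups['dc'].Value.ToLowerInvariant()
            if (-not $seen.ContainsKey($key)) { $seen[$key] = @{ explicit = 0; fallback = 0 } }
            $seen[$key][$kind] = $seen[$key][$kind] + 1
        }
    }

    # One row per expected DC, so hosts with no LDAPS evidence at all are visible.
    foreach ($dc in $ExpectedDomainController) {
        $key = $dc.ToLowerInvariant()
        $counts = if ($seen.ContainsKey($key)) { $seen[$key] } else { @{ explicit = 0; fallback = 0 } }
        [pscustomobject]@{
            DomainController = $dc
            ExplicitLdaps    = $counts.explicit
            FallbackLdaps    = $counts.fallback
            Ready            = ($counts.explicit + $counts.fallback) -gt 0
        }
    }
}

# Usage: in production, replace $sampleLogLines with Get-Content of the service log.
$coverage = Get-LdapsCoverage -LogLine $sampleLogLines `
    -ExpectedDomainController 'dc01.contoso.com', 'dc02.contoso.com', 'dc03.contoso.com'
$coverage | Format-Table -AutoSize

$notReady = $coverage | Where-Object { -not $_.Ready }
if ($notReady) {
    'Keep useLdaps = false; no LDAPS entry yet for: ' + (@($notReady.DomainController) -join ', ')
} else {
    'Every expected domain controller has connected over LDAPS; useLdaps = true can be enforced.'
}
```

With the constructed input, dc01 shows two explicit connections, dc02 one fallback, and dc03 none, so the script recommends staying in the default mode until dc03 also appears in the log.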
Related articles
Security guide, section 3.5, LDAP connection security