LDAPSecurityType

The security type to use for communications with the LDAP server. Use one of the following options:

  • ClearText. Use plain text communications. Bind credentials and directory data cross the network unencrypted, so use this option only on a trusted network or for testing.

  • SSL. Use Secure Sockets Layer (SSL/TLS) communications. Use this option to connect to an LDAPS port. If you choose this option, you might also need to set the parameter LDAPPort; LDAPS servers usually listen on port 636.

  • TLS. Use StartTLS. Use this option to connect to a normal LDAP port (usually 389) and then upgrade the connection to SSL/TLS. The server certificate is verified in the same way as for the SSL option.

  • Kerberos. Use Kerberos security for communications.

    NOTE: When you are using a Kerberized LDAP server, you must also set LDAPKerberosRealm to the Kerberos realm. In addition, you must do one of the following:

    • Set BaseDN to the name of a user who can obtain a Ticket-Granting Ticket (TGT) from the Kerberos KDC, and BaseDNPassword to the password for this user.
    • Run Community in an environment where kinit has already been performed by a user who can access LDAP using the SASL GSSAPI mechanism. Community can use the Kerberos credentials (the ticket cache) held in its environment, so in this case BaseDN and BaseDNPassword are not required.
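The parameter combinations described above, as an added configuration example that is not from the original page or the IDOL documentation. The section name follows the page's MySecurityRepository placeholder; the host name, realm, user name and password placeholder are assumed, and comment lines use the `//` convention of IDOL configuration files.

```ini
[MySecurityRepository]
// Assumed host name. The LDAP server's certificate must be issued for this
// name, otherwise verification fails for the SSL and TLS security types.
LDAPServer=ldap.example.com

// SSL: the connection is encrypted from the first byte, on the LDAPS port.
LDAPSecurityType=SSL
LDAPPort=636

// Alternative, StartTLS: connect to the plain LDAP port and upgrade the
// connection before binding. Replace the two lines above with:
// LDAPSecurityType=TLS
// LDAPPort=389

// Alternative, Kerberos: replace the SSL lines with the lines below. Omit
// BaseDN and BaseDNPassword to reuse a ticket cache obtained with kinit by
// the user that runs Community.
// LDAPSecurityType=Kerberos
// LDAPKerberosRealm=EXAMPLE.COM
// Assumed name of a user that can obtain a TGT in the realm:
// BaseDN=svc-idol
// BaseDNPassword=<password>

// Avoid in production: LDAPSecurityType=ClearText (the default) sends bind
// credentials and directory data in plain text.
```

Whichever of SSL or TLS you choose, the encryption only protects you if the client actually verifies the server certificate; on Linux that is governed by the OpenLDAP ldap.conf settings described later in this page, on Windows by the certificate store.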

NOTE: IDOL uses OpenLDAP to provide LDAP support on most platforms, and the Microsoft LDAP implementation on Windows. Depending on the security type, you might need to make some changes to the environment of the user that runs IDOL Server.

For example, to use SSL or StartTLS communications, the user that runs IDOL Server must trust the certificate of the LDAP server (or the Certification Authority (CA) that issued it). If the LDAP server verifies client certificates, you must also either turn off client certificate verification on the LDAP server, or create a client certificate for IDOL Server, signed by a CA that the LDAP server trusts. The first option is only appropriate when the server does not rely on client certificates to authenticate its clients.

On Windows, you can ensure the LDAP server SSL certificate is trusted by adding the issuing CA certificate (or the server certificate itself, if it is self-signed) to the "Trusted Root Certification Authorities" store of the account that runs IDOL Server, or of the computer.

With OpenLDAP on Linux, you configure TLS options in the OpenLDAP client configuration file (ldap.conf). For example, TLS_CACERT sets the CA certificate file used to verify the server certificate, TLS_PROTOCOL_MIN sets the minimum protocol version, and TLS_REQCERT controls what happens when the server certificate cannot be verified (leave it at the default, demand, so that an unverifiable certificate fails the connection instead of being accepted). Each option can also be set as an environment variable for the user that runs IDOL Server by prefixing the option name with LDAP, for example LDAPTLS_CACERT or LDAPTLS_PROTOCOL_MIN. Note that OpenLDAP tries multiple locations for the configuration file. For more information, see https://openldap.org/software/man.cgi?query=ldap.conf.
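An OpenLDAP client configuration that covers the certificate-trust and protocol-version steps above, added here as an example and not taken from the original page or from IDOL. The file location and the certificate and key paths are assumed; the option names and values are those documented in ldap.conf(5).

```text
# /etc/openldap/ldap.conf (Red Hat style) or /etc/ldap/ldap.conf (Debian style).
# Applies to every OpenLDAP client on the host, including IDOL Server.

# CA certificate (or bundle) that issued the LDAP server's certificate.
# Assumed path; the file must be readable by the user that runs IDOL Server.
TLS_CACERT        /etc/ssl/certs/ldap-ca.pem

# Fail the connection if the server certificate cannot be verified.
# "demand" is the default; do not lower it to "allow" or "never" in production,
# as that silently accepts any certificate and defeats the SSL and TLS options.
TLS_REQCERT       demand

# Minimum protocol version, written as <major>.<minor>: 3.3 is TLS 1.2.
TLS_PROTOCOL_MIN  3.3

# Client certificate for mutual TLS, only when the LDAP server verifies
# clients. TLS_CERT and TLS_KEY are user-only options: put them in the
# ~/.ldaprc of the user that runs IDOL Server, or export LDAPTLS_CERT and
# LDAPTLS_KEY in that user's environment, rather than in this system file.
# TLS_CERT  /etc/idol/ldap-client.crt
# TLS_KEY   /etc/idol/ldap-client.key
```

Because OpenLDAP also reads a per-user ldaprc and the LDAP-prefixed environment variables, check the effective settings for the account that actually runs IDOL Server, not just for the administrator who edits the system file.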

Type: String
Default: ClearText
Required: No
Configuration Section: MySecurityRepository
Example: LDAPSecurityType=SSL
See Also: LDAPPort
LDAPServer
LDAPKerberosRealm