In April 2012, we released Secret Server v7.8.000036. This was the first release to include support for Secure LDAP often referred to as LDAPS (and not to be confused with SLAPD!) Subsequent releases of Secret Server will support LDAPS. Since the release of LDAPS, it has remained a bit of an unintentional secret (no pun intended). If you have Secret Server installed, check to see if you can enable Secure LDAP in your environment.
Upon installation, Secret Server will use port 389 for LDAP traffic to Domain Controllers. This does NOT mean passwords are transmitted in clear text. It means that user and group names will be translated in clear text. Passwords will be transmitted using Kerberos/NTLM. However, with LDAPS available, all traffic including the user and group names will be encrypted.
Before enabling LDAPS, there is one feature that can potentially be affected. If you are using a Domain Controller on Windows Server 2008 R2, Integrated Windows Authentication is supported with Secure LDAP. However, if you are using Windows Server 2008 or older, Integrated Windows Authentication will have to be disabled when Secure LDAP is used.
How to enable LDAPS:
- Click on Administration -> Active Directory -> Edit Domains -> Select the domain you wish to edit (you can also create a new one here.)
- Click on Advanced as highlighted in the figure below.
- Put a check in the Use LDAPS box.
- Click Save And Validate.
Secret Server will now attempt to use LDAPS over port 636! As with all Secret Server updates, the release notes are always published here: http://www.thycotic.com/Secretserver_releasenotes.html.