How To: Test LDAPS Configuration

This article explains how to ensure an AD Domain controller has a working LDAPS configuration.

Summary

This article helps you check whether LDAPS is working. Although plain LDAP is supported from release 7.5.2, we still recommend LDAPS for communication between Osirium PAM and your Active Directory.

Using LDAP only allows read-only access between Osirium PAM and your Active Directory. This means that you cannot change the password of an Active Directory account or create a new account in Active Directory through Osirium PAM.

Those operations can only be performed over LDAPS, which is why Osirium PAM recommends LDAPS to allow full management functionality when using Active Directory.

Applicable Version

Osirium PAM 7.x onwards.

Domain Controller Default

By default, Domain Controllers serve LDAP but not LDAPS. They still have an active socket listening on the LDAPS port (TCP 636), but until a suitable certificate is installed, connections to that port do not work.

To function correctly, each Domain Controller requires a certificate with the 'Server Authentication' purpose enabled to be installed.

This happens automatically for all Domain Controllers if a Microsoft Certificate Authority role is installed somewhere in the domain and configured as an Enterprise Root CA.

To enable LDAPS on a Domain Controller using a self-signed certificate, without installing the Microsoft Certificate Authority role in the domain, see the Osirium Support article (Osirium Support account required).

Testing LDAPS

It is not sufficient to check only that the Domain Controller is listening on the LDAPS port (TCP 636); you also need to confirm that LDAPS is actually working.

To verify that LDAPS has been configured on your Domain Controller and is functioning correctly, perform the following steps on each Domain Controller that Osirium PAM will need to communicate with:

1. RDP onto the Domain Controller

2. Open the Run dialogue box and run ldp.exe.

3. Within the Ldp window, click the Connection menu and select Connect...

4. Within the Connect window, fill in the details as shown below: enter the Domain Controller's name as the Server, set the Port to 636 and tick the SSL box.

[Screenshot: LDP connection screen]

5. Click OK.

6. If the server is correctly configured for LDAPS, line 5 of the output (you might need to scroll up) will show that the host supports SSL.

[Screenshot: output for a correctly configured server]

If the host is NOT configured for LDAPS, the following will be shown instead.

[Screenshot: output for an incorrectly configured server]

If you are running PAM v7.x, you will not be able to connect to the Domain Controller until LDAPS is fixed.

If you are running PAM v8.x, you can configure SASL over LDAP as an alternative to LDAPS; however, LDAPS remains the recommended option.
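The same two-stage check, scripted so it can be run from any host that can reach the Domain Controller, as an added example that is not part of the original article: a plain TCP connect on port 636 shows only that the socket is open, while a TLS handshake shows whether LDAPS actually works. The hostname dc01.example.test, the parameter names and the fake "broken" listener used for a local self-test are all constructed for illustration.

```python
import socket
import ssl
import threading

def tcp_port_open(host, port=636, timeout=5.0):
    """Check 1: is anything listening on the LDAPS port? Necessary but not sufficient."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def ldaps_handshake(host, port=636, timeout=5.0, verify=True):
    """Check 2: does the listener complete a TLS handshake (ldp's 'host supports SSL')?
    Returns (ok, detail). verify=False skips chain/hostname validation, so a
    self-signed DC certificate still counts as a working LDAPS listener."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, f"{tls.version()} with {tls.cipher()[0]}"
    except ssl.SSLCertVerificationError as exc:
        # The DC served TLS; this client just does not trust its certificate chain.
        return False, f"TLS offered but certificate not trusted: {exc.verify_message}"
    except (ssl.SSLError, OSError) as exc:
        # Typical for a DC with no Server Authentication certificate: the TCP
        # connection on 636 is accepted and then dropped instead of answering TLS.
        return False, f"no TLS handshake: {exc!r}"

def check_ldaps(host="dc01.example.test", port=636, timeout=5.0, verify=True):
    """Both checks in the order the article prescribes, returning one verdict."""
    if not tcp_port_open(host, port, timeout):
        return {"state": "not_listening", "detail": f"nothing listening on {host}:{port}"}
    ok, detail = ldaps_handshake(host, port, timeout, verify)
    return {"state": "ldaps_ok" if ok else "listening_but_no_tls", "detail": detail}

def start_fake_broken_listener():
    """Constructed test double (not a real DC): accepts TCP on an ephemeral local port
    and closes at once, imitating a DC whose port 636 is open but has no usable cert."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def serve():
        while True:
            conn, _ = srv.accept()
            conn.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Run `check_ldaps("your-dc.example.test", verify=False)` first to prove the DC serves TLS at all, then again with `verify=True` to confirm the client host also trusts the certificate chain that Osirium PAM will see.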
