LDAP over TLS concepts

You must understand certain terms and concepts about how ONTAP uses TLS to secure LDAP communication. ONTAP can use LDAP over TLS to set up authenticated sessions with Active Directory-integrated LDAP servers or UNIX-based LDAP servers.


There are certain terms that you should understand about how ONTAP uses LDAP over TLS to secure LDAP communication.

LDAP
(Lightweight Directory Access Protocol) A protocol for accessing and managing information directories. LDAP is used as an information directory for storing objects such as users, groups, and netgroups. LDAP also provides directory services that manage these objects and fulfill LDAP requests from LDAP clients.

SSL
(Secure Sockets Layer) A protocol developed for sending information securely over the Internet. Beginning with ONTAP 9, SSL is no longer supported.

TLS
(Transport Layer Security) An IETF standards track protocol that is based on the earlier SSL specifications. It is the successor to SSL.

LDAP over TLS
(Also known as LDAPS) A protocol that uses TLS to secure communication between LDAP clients and LDAP servers. The terms LDAP over SSL and LDAP over TLS are sometimes used interchangeably; in ONTAP, LDAP over TLS is supported by ONTAP 9 and later, and LDAP over SSL (on port 636) is supported by ONTAP 9.5 and later.

Start TLS
(Also known as start_tls, STARTTLS, and StartTLS) A mechanism to provide secure communication by using the TLS protocols.

ONTAP uses STARTTLS for securing LDAP communication, and uses the default LDAP port (389) to communicate with the LDAP server. The LDAP server must be configured to allow connections over LDAP port 389; otherwise, LDAP TLS connections from the SVM to the LDAP server fail.

Note: If required in your environment, you can enable LDAP over SSL to use port 636 in ONTAP 9.5 and later releases. To do so, use the -use-ldaps-for-ad-ldap option with the vserver cifs security modify command. However, it is a NetApp best practice to use Start TLS.

How ONTAP uses LDAP over TLS

By default, LDAP communications between client and server applications are not encrypted. This means that it is possible to use a network monitoring device or software to view the communications between LDAP client and server computers. This is especially problematic when an LDAP simple bind is used, because the credentials (user name and password) used to bind the LDAP client to the LDAP server are passed over the network unencrypted.

The TLS protocol runs above TCP/IP and below higher-level protocols, such as LDAP. TLS uses TCP/IP on behalf of the higher-level protocols, and in the process permits a TLS-enabled server to authenticate itself to a TLS-enabled client and permits both machines to establish an encrypted connection. These capabilities address fundamental security concerns about communication over the Internet and other TCP/IP networks.

ONTAP supports TLS server authentication, which enables the SVM LDAP client to confirm the LDAP server's identity during the bind operation. TLS-enabled LDAP clients can use standard techniques of public-key cryptography to check that a server's certificate and public ID are valid and have been issued by a certificate authority (CA) listed in the client's list of trusted CAs.

LDAP supports STARTTLS to encrypt communications using TLS. STARTTLS begins as a plaintext connection over the standard LDAP port (389), and that connection is then upgraded to TLS.
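The plaintext-then-upgrade exchange described above at the wire level, as an added example that is not NetApp or ONTAP code: the client's StartTLS ExtendedRequest is BER-encoded, the server's ExtendedResponse is parsed, and the port-389 socket is wrapped in TLS only on success, with the server certificate checked against a trusted CA file. The function names, the ca_file and server_hostname parameters, and the two sample responses are assumptions constructed for this example.

```python
import ssl

# StartTLS extended-operation OID (RFC 4511 / RFC 4513).
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"

def ber_len(n):
    """BER length: short form below 128, long form (0x80|N, then N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(payload)) + payload

def starttls_request(message_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }.
    message_id is kept below 128 so the INTEGER fits one byte."""
    ext_req = tlv(0x77, tlv(0x80, STARTTLS_OID.encode("ascii")))
    return tlv(0x30, tlv(0x02, bytes([message_id])) + ext_req)

def read_tlv(buf, pos=0):
    """Decode one BER element at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_extended_response(data):
    """Return (messageID, resultCode, diagnosticMessage) from an ExtendedResponse [APPLICATION 24]."""
    tag, msg, _ = read_tlv(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(msg)
    tag, body, _ = read_tlv(msg, pos)
    if tag != 0x78:
        raise ValueError("not an ExtendedResponse")
    _, code, pos = read_tlv(body)           # resultCode ENUMERATED
    _, _matched, pos = read_tlv(body, pos)  # matchedDN (not needed here)
    _, diag, _ = read_tlv(body, pos)        # diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode("utf-8")

def upgrade_to_tls(sock, ca_file, server_hostname):
    """Send StartTLS on the plaintext port-389 socket; wrap in TLS only after resultCode 0."""
    sock.sendall(starttls_request())
    _, code, diag = parse_extended_response(sock.recv(4096))
    if code != 0:  # never continue in plaintext when the server refuses the upgrade
        raise RuntimeError(f"StartTLS refused: resultCode={code} {diag!r}")
    ctx = ssl.create_default_context(cafile=ca_file)  # trust only the listed CA(s)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED  # server authentication during the upgrade
    return ctx.wrap_socket(sock, server_hostname=server_hostname)

# Constructed sample responses (not captured from a real server): success, and unavailable(52).
SAMPLE_OK = bytes.fromhex("300c 020101 7807 0a0100 0400 0400")
SAMPLE_REFUSED = bytes.fromhex("301d 020101 7818 0a0134 0400 0411") + b"TLS not available"
```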

ONTAP supports the following:

By default, LDAP over TLS is disabled.