LDAPS concepts

You must understand certain terms and concepts about how ONTAP secures LDAP communication. ONTAP can use Start TLS or LDAPS to set up authenticated sessions with Active Directory-integrated LDAP servers or UNIX-based LDAP servers.

Terminology

There are certain terms that you should understand about how ONTAP uses LDAPS to secure LDAP communication.

LDAP
(Lightweight Directory Access Protocol) A protocol for accessing and managing information directories. LDAP is used as an information directory for storing objects such as users, groups, and netgroups. LDAP also provides directory services that manage these objects and fulfill LDAP requests from LDAP clients.
SSL
(Secure Sockets Layer) A protocol developed for sending information securely over the Internet. It has been deprecated in favor of TLS. SSL is not supported in ONTAP 9.0-9.4.
TLS
(Transport Layer Security) An IETF standards track protocol that is based on the earlier SSL specifications. It is the successor to SSL.
LDAPS (LDAP over SSL or TLS)
A protocol that uses TLS or SSL to secure communication between LDAP clients and LDAP servers. The terms LDAP over SSL and LDAP over TLS are sometimes used interchangeably. TLS is supported by ONTAP 9 and later; SSL is supported by ONTAP 9.5 and later.
  • In ONTAP 9.5-9.8, LDAPS can only be enabled on port 636. To do so, use the -use-ldaps-for-ad-ldap parameter with the vserver cifs security modify command.
  • Beginning in ONTAP 9.9.1, LDAPS can be enabled on any port, although port 636 remains the default. To do so, set the -ldaps-enabled parameter to true and specify the desired -port parameter. For more information, see the vserver services name-service ldap client create man page.
Note: It is a NetApp best practice to use Start TLS rather than LDAPS.
Start TLS
(Also known as start_tls, STARTTLS, and StartTLS) A mechanism to provide secure communication by using the TLS protocols.

ONTAP uses STARTTLS for securing LDAP communication, and uses the default LDAP port (389) to communicate with the LDAP server. The LDAP server must be configured to allow connections over LDAP port 389; otherwise, LDAP TLS connections from the SVM to the LDAP server fail.

How ONTAP uses LDAPS

ONTAP supports TLS server authentication, which enables the SVM LDAP client to confirm the LDAP server's identity during the bind operation. TLS-enabled LDAP clients can use standard techniques of public-key cryptography to check that a server's certificate and public ID are valid and have been issued by a certificate authority (CA) listed in the client's list of trusted CAs.

LDAP supports STARTTLS to encrypt communications using TLS. STARTTLS begins as a plaintext connection over the standard LDAP port (389), and that connection is then upgraded to TLS.
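The exchange described above, written out as an added Python example (this is not ONTAP code or part of the NetApp documentation): the client opens a plaintext TCP connection to port 389, sends the Start TLS ExtendedRequest, checks the ExtendedResponse resultCode, and only then upgrades the same socket to TLS with server authentication against a trusted CA. The host name, CA file, and the response bytes are assumptions or constructed test input.

```python
import socket
import ssl
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # Start TLS extended operation OID (RFC 4511)

def _ber(tag: int, payload: bytes) -> bytes:
    # BER TLV, short-form definite length; every message built here is well under 128 bytes
    assert len(payload) < 0x80
    return bytes([tag, len(payload)]) + payload

def _read_tlv(data: bytes, pos: int):
    # Return (tag, value, next_pos) for the TLV at pos; handles long-form lengths from the server
    tag, n = data[pos], data[pos + 1]
    pos += 2
    if n & 0x80:
        count = n & 0x7F
        n = int.from_bytes(data[pos:pos + count], "big")
        pos += count
    return tag, data[pos:pos + n], pos + n

def build_starttls_request(msg_id: int = 1) -> bytes:
    # LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] = OID } }; msg_id < 128
    return _ber(0x30, _ber(0x02, bytes([msg_id])) + _ber(0x77, _ber(0x80, STARTTLS_OID)))

def parse_starttls_response(data: bytes):
    # Return (messageID, resultCode, diagnosticMessage) from an ExtendedResponse [APPLICATION 24]
    _, body, _ = _read_tlv(data, 0)            # outer LDAPMessage SEQUENCE
    _, mid, pos = _read_tlv(body, 0)           # messageID INTEGER
    tag, result, _ = _read_tlv(body, pos)
    if tag != 0x78:
        raise ValueError("not an ExtendedResponse")
    _, code, pos = _read_tlv(result, 0)        # resultCode ENUMERATED
    _, _matched, pos = _read_tlv(result, pos)  # matchedDN
    _, diag, _ = _read_tlv(result, pos)        # diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode()

def make_tls_context(ca_file=None) -> ssl.SSLContext:
    # Server authentication: the cert must chain to a trusted CA (ca_file or system store) and match the host name
    ctx = ssl.create_default_context(cafile=ca_file)  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2       # SSL 3.0 / TLS 1.0 / 1.1 are refused
    return ctx

def starttls_connect(host: str, ca_file=None, port: int = 389) -> ssl.SSLSocket:
    # Plaintext TCP to port 389, Start TLS request, then upgrade the same socket to TLS (host/ca_file assumed)
    sock = socket.create_connection((host, port), timeout=10)
    sock.sendall(build_starttls_request(1))
    mid, code, diag = parse_starttls_response(sock.recv(4096))  # response is a few bytes; one read suffices
    if mid != 1 or code != 0:  # resultCode 0 = success; anything else means no TLS upgrade
        sock.close()
        raise RuntimeError(f"server refused Start TLS: resultCode={code} {diag!r}")
    return make_tls_context(ca_file).wrap_socket(sock, server_hostname=host)
```

If the LDAP server does not accept the request on port 389 (a non-zero resultCode), the connection is closed rather than continued in plaintext, which mirrors the failure behaviour described above for the SVM.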

ONTAP supports the following:

By default, LDAPS is disabled.