Enable LDAP over TLS on the server
Before your SMB server can use TLS for secure communication with an Active Directory LDAP server, you must modify the SMB server security settings to enable LDAP over TLS.
Beginning with ONTAP 9.10.1, LDAP channel binding is supported by default for both Active Directory (AD) and name services LDAP connections. ONTAP attempts channel binding on an LDAP connection only if Start-TLS or LDAPS is enabled and session security is set to either sign or seal. To disable or re-enable LDAP channel binding with AD servers, use the `-try-channel-binding-for-ad-ldap` parameter of the `vserver cifs security modify` command.
For more information, see the Microsoft support article 2020 LDAP channel binding and LDAP signing requirements for Windows.
Configure the SMB server security setting that allows secure LDAP communication with Active Directory LDAP servers:
vserver cifs security modify -vserver vserver_name -use-start-tls-for-ad-ldap true
Verify that the LDAP over TLS security setting is set to true:
vserver cifs security show -vserver vserver_name
If the SVM uses the same LDAP server for querying name-mapping or other UNIX information (such as users, groups, and netgroups), you must also enable Start-TLS on that LDAP client configuration by setting the `-use-start-tls` option to true with the `vserver services name-service ldap client modify` command. Otherwise the AD LDAP traffic is protected while the name-service lookups to the same server remain in cleartext.