Enable LDAP over TLS on the server


Before your SMB server can use TLS for secure communication with an Active Directory LDAP server, you must modify the SMB server security settings to enable LDAP over TLS.

Beginning with ONTAP 9.10.1, LDAP channel binding is supported by default for both Active Directory (AD) and name services LDAP connections. ONTAP will try channel binding with LDAP connections only if Start-TLS or LDAPS is enabled along with session security set to either sign or seal. To disable or reenable LDAP channel binding with AD servers, use the `-try-channel-binding-for-ad-ldap parameter with the cifs security modify command.

  1. Configure the SMB server security setting that allows secure LDAP communication with Active Directory LDAP servers: vserver cifs security modify -vserver vserver_name -use-start-tls-for-ad-ldap true

  2. Verify that the LDAP over TLS security setting is set to true: vserver cifs security show -vserver vserver_name


    If the SVM uses the same LDAP server for querying name-mapping or other UNIX information (such as users, groups, and netgroups), then you must also modify the -use-start-tls option by using the vserver services name-service ldap client modify command.

Related information