Enable LDAP over TLS on the server
Before your SMB server can use TLS for secure communication with an Active Directory LDAP server, you must modify the SMB server security settings to enable LDAP over TLS.
Beginning with ONTAP 9.10.1, LDAP channel binding is supported by default for both Active Directory (AD) and name services LDAP connections. ONTAP will try channel binding with LDAP connections only if Start-TLS or LDAPS is enabled along with session security set to either sign or seal. To disable or reenable LDAP channel binding with AD servers, use the -try-channel-binding-for-ad-ldap parameter with the vserver cifs security modify command.
To learn more, see:
- Configure the SMB server security setting that allows secure LDAP communication with Active Directory LDAP servers:
  vserver cifs security modify -vserver vserver_name -use-start-tls-for-ad-ldap true
- Verify that the LDAP over TLS security setting is set to true:
  vserver cifs security show -vserver vserver_name
If the SVM uses the same LDAP server for querying name-mapping or other UNIX information (such as users, groups, and netgroups), then you must also modify the -use-start-tls option by using the vserver services name-service ldap client modify command.
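The verify step above only tells you whether Start-TLS is on; whether channel binding will actually be attempted also depends on the session security and channel-binding settings described at the top of this page. The following is an added example, not NetApp code or output: it parses "Label: value" lines of the kind `vserver cifs security show` prints and evaluates those conditions. The field labels and the sample output are constructed assumptions modelled on the ONTAP CLI; compare them against the output of your own system before relying on the script.

```python
"""Audit an SVM's SMB security settings for LDAP over TLS (added example, not NetApp code).

Assumptions (not taken from the page): the show output uses "Label: value"
lines and the labels named in the LABELS dict. Adjust LABELS to match the
exact text your ONTAP release prints.
"""
from typing import Dict, List

# Labels assumed to appear in `vserver cifs security show` output (assumption).
LABELS = {
    "start_tls": "use start_tls for ad ldap connections",
    "session_security": "session security for ad ldap connections",
    "try_channel_binding": "try channel binding for ad ldap connections",
}

# Constructed sample output for a correctly configured SVM (not a real capture).
SAMPLE_GOOD = """
Vserver: svm1
Use start_tls For AD LDAP Connections: true
Session Security for AD LDAP Connections: seal
Try Channel Binding For AD LDAP Connections: true
"""

# Constructed sample output for an SVM still using the default settings.
SAMPLE_WEAK = """
Vserver: svm2
Use start_tls For AD LDAP Connections: false
Session Security for AD LDAP Connections: none
Try Channel Binding For AD LDAP Connections: true
"""


def parse_show_output(text: str) -> Dict[str, str]:
    """Turn 'Label: value' lines into a dict keyed by lower-cased label."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        label, _, value = line.partition(":")
        fields[label.strip().lower()] = value.strip().lower()
    return fields


def assess(fields: Dict[str, str]) -> Dict[str, object]:
    """Apply the page's rules: channel binding is attempted only when
    Start-TLS is enabled, session security is sign or seal, and the
    -try-channel-binding-for-ad-ldap setting has not been disabled."""
    start_tls = fields.get(LABELS["start_tls"]) == "true"
    session_security = fields.get(LABELS["session_security"], "none")
    # ONTAP 9.10.1+ enables channel binding by default; treat a missing
    # field as the default (assumption based on the page's statement).
    try_binding = fields.get(LABELS["try_channel_binding"], "true") == "true"

    findings: List[str] = []
    if not start_tls:
        findings.append(
            "LDAP over TLS is off: run "
            "vserver cifs security modify -vserver <svm> -use-start-tls-for-ad-ldap true"
        )
    if session_security not in ("sign", "seal"):
        findings.append(
            f"session security is '{session_security}'; channel binding "
            "requires sign or seal"
        )
    if not try_binding:
        findings.append("-try-channel-binding-for-ad-ldap is disabled")

    return {
        "vserver": fields.get("vserver", "<unknown>"),
        "start_tls": start_tls,
        "channel_binding_attempted": start_tls
        and session_security in ("sign", "seal")
        and try_binding,
        "findings": findings,
    }


def audit(text: str) -> Dict[str, object]:
    """Convenience wrapper: parse and assess one SVM's show output."""
    return assess(parse_show_output(text))


if __name__ == "__main__":
    for sample in (SAMPLE_GOOD, SAMPLE_WEAK):
        result = audit(sample)
        print(result["vserver"], "channel binding attempted:",
              result["channel_binding_attempted"])
        for finding in result["findings"]:
            print("  -", finding)
```

On a real system you would paste the output of `vserver cifs security show -vserver vserver_name` into `audit()`; the same parser can be pointed at `vserver services name-service ldap client show` output once you add that command's labels to LABELS, which covers the second check the page calls for.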