LDAPS

LDAPS stands for LDAP over SSL/TLS and refers to using the Lightweight Directory Access Protocol (LDAP) over an encrypted TLS/SSL connection. In practice, LDAPS is implemented by connecting to the directory server on port 636 and performing the TLS handshake immediately after establishing the TCP connection. The server presents an X.509 certificate; the client must validate it against its trust store and exchange TLS parameters to complete the session.

Once TLS is established, LDAP operations (bind, search, modify, and other actions) occur over the encrypted channel. The authentication method used at the LDAP layer (for example simple bind with a password or SASL-based methods) is then carried out inside the protected channel.

Certificate requirements: LDAPS requires the directory server to hold a valid certificate with a private key, issued by a trusted CA, and the certificate's subject or SAN must match the server hostname. Clients must trust the issuing CA. In many deployments such as Active Directory, a domain controller must be configured with an appropriate certificate and LDAPS must be enabled on port 636.

Relationship to StartTLS: Some deployments prefer StartTLS on the standard LDAP port 389 to negotiate TLS after the connection is established, offering easier firewall traversal and certificate management. Both LDAPS and StartTLS provide encryption of LDAP traffic, but they differ in how TLS is negotiated and how certificates are presented.

Security considerations: Maintain valid certificates, monitor expiry, implement revocation checking, and disable weak encryption suites. Encryption protects data in transit but does not address server configuration flaws, authorization mistakes, or data at rest. LDAPS is commonly used with directory services like Active Directory and OpenLDAP, but modern guidance often favors StartTLS due to operational flexibility.