If your LDAP server supports LDAP over SSL (LDAPS), you can configure
Build Forge LDAP domain entries to use LDAPS as well. Strict SSL is
configured by default and requires validation of the LDAP server's certificate.
- Create an LDAP domain entry in Build Forge.
- Set the Protocol property to LDAPS. This
will enable an encryption-only method of LDAPS.
- Set the Host to the fully qualified domain
name and SSL port of your LDAP server. Port 636 is the defined default
for strict secure LDAP. Example: myldap.mycompany.com:636.
- Get a signer certificate from the LDAP server and add it to the
  Build Forge truststore. Outbound LDAP is configured by default to
  use the following settings in :
  - SSL panel: Default JSSE Outbound SSL
  - Keystore panel: Default JSSE Trust Store. This trust store is
    set to use <bfinstall>/keystore/buildForgeTrustStore.p12 by
    default. Place the signer certificate here.
- Restart Build Forge.
- Go to and select your secure LDAP configuration.
- Click Test Connection.
Note: Strict LDAPS SSL is set in Build Forge by default. The strict
configuration requires server certificate validation. If you do not
want to use strict LDAPS, do the following:
- Set Tomcat system property -Dcom.buildforge.services.server.ldap.strict=false in
the JAVA_OPTS environment variable. Tomcat scripts read this variable
and apply any system properties specified to the Tomcat process.
- Restart Build Forge.
In this configuration you do not have to add the LDAP server
certificate to the Build Forge truststore. However, this configuration
weakens the SSL protection: Build Forge does not verify the LDAP
server's identity during communication with it.
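The signer-certificate import from the procedure above and the strict-mode property from the note, as an added shell helper that is not Build Forge's own code. It assumes openssl and the JDK keytool are on the PATH; the alias bf-ldap-signer, the /opt/buildforge path and the truststore password in the commented run are placeholders.

```shell
#!/bin/sh
# Added helper (not part of Build Forge). Assumes openssl and keytool on PATH.
set -eu

# Print "strict" or "non-strict" for a JAVA_OPTS string. Build Forge validates
# the LDAP server certificate unless the property is explicitly set to false.
ldap_strict_mode() {
  case "$1" in
    *-Dcom.buildforge.services.server.ldap.strict=false*) echo "non-strict" ;;
    *) echo "strict" ;;
  esac
}

# Fetch the chain the LDAPS server presents and keep the last certificate it
# sends (the signer). Usage: fetch_ldap_signer host:636 signer.pem
# Confirm the signer's fingerprint out of band before trusting it.
fetch_ldap_signer() {
  openssl s_client -connect "$1" -showcerts </dev/null 2>/dev/null |
    awk '/-----BEGIN CERT/{buf=""; inside=1}
         inside{buf=buf $0 "\n"}
         /-----END CERT/{inside=0; last=buf}
         END{printf "%s", last}' >"$2"
  [ -s "$2" ]
}

# Import the signer into the Build Forge PKCS12 truststore (alias is a placeholder).
# Usage: import_ldap_signer signer.pem <bfinstall>/keystore/buildForgeTrustStore.p12 storepass
import_ldap_signer() {
  keytool -importcert -noprompt -trustcacerts -alias bf-ldap-signer \
    -file "$1" -keystore "$2" -storetype PKCS12 -storepass "$3"
}

# Check what a strict client checks: the chain validates against the signer
# and the certificate matches the host name. Usage: verify_ldaps host:636 signer.pem
verify_ldaps() {
  openssl s_client -connect "$1" -CAfile "$2" -verify_hostname "${1%%:*}" \
    -verify_return_error </dev/null >/dev/null 2>&1
}

# Example run (commented out; needs network access to the LDAP server):
# fetch_ldap_signer myldap.mycompany.com:636 /tmp/signer.pem
# import_ldap_signer /tmp/signer.pem /opt/buildforge/keystore/buildForgeTrustStore.p12 changeit
# verify_ldaps myldap.mycompany.com:636 /tmp/signer.pem && echo "strict LDAPS OK"
```

Run verify_ldaps after the import and restart; if it fails, a strict Build Forge will fail Test Connection for the same reason.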