Enabling secure LDAP (LDAPS)

If your LDAP server supports LDAP over SSL (LDAPS), you can configure Build Forge LDAP domain entries to use LDAPS as well. Strict SSL is configured by default. Strict SSL requires validation of the server certificate.
  1. Create an LDAP domain entry in Build Forge.
  2. Set the Protocol property to LDAPS. This enables the encryption-only method of LDAPS.
  3. Set the Host to the fully qualified domain name and SSL port of your LDAP server. Port 636 is the registered default port for LDAPS. Example: myldap.mycompany.com:636.
  4. Get a signer certificate from the LDAP server and add it to the Build Forge truststore. Outbound LDAP is configured by default to use the following settings in Administration > Security:
    • SSL panel: Default JSSE Outbound SSL
    • Keystore panel: Default JSSE Trust Store. This trust store is set to use <bfinstall>/keystore/buildForgeTrustStore.p12 by default. Place the signer certificate here.
  5. Restart Build Forge.
  6. Go to Administration > Security and select your secure LDAP configuration.
  7. Click Test Connection.
Note: Strict LDAPS SSL is set in Build Forge by default. The strict configuration requires server certificate validation. If you do not want to use strict LDAP, do the following:
  1. Set the Tomcat system property -Dcom.buildforge.services.server.ldap.strict=false in the JAVA_OPTS environment variable. The Tomcat startup scripts read this variable and pass any system properties it contains to the Tomcat process.
  2. Restart Build Forge.

In this configuration you do not have to add the LDAP server certificate to the Build Forge truststore. However, this configuration weakens the SSL protocol design: Build Forge does not verify the LDAP server's identity during communication with it.
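The signer-certificate step above and the strict/non-strict note amount to one check: at connect time, strict mode accepts the LDAP server's certificate only if it chains to a certificate in the truststore. The following shell script is an added example, not Build Forge's own tooling; it rehearses that check locally with openssl, using a constructed self-signed certificate in place of the real signer certificate, a temporary file in place of <bfinstall>/keystore/buildForgeTrustStore.p12, and a placeholder password.

```shell
#!/bin/sh
# Added example, not Build Forge tooling: rehearse step 4 locally with openssl.
WORK=$(mktemp -d)
TRUSTSTORE="$WORK/buildForgeTrustStore.p12"   # stands in for <bfinstall>/keystore/...
STOREPASS=changeit                            # placeholder, not a real password

# Constructed stand-in for the LDAP server's signer certificate. $1 = basename.
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=myldap.mycompany.com" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Against a real server (not run here; needs network): print the last certificate
# in the chain it presents, which is the signer when the server includes it.
# $1 = host:port, e.g. myldap.mycompany.com:636
fetch_signer_from_server() {
  openssl s_client -connect "$1" -showcerts </dev/null 2>/dev/null |
    awk '/-----BEGIN CERTIFICATE-----/ { buf = ""; inblk = 1 }
         inblk { buf = buf $0 "\n" }
         /-----END CERTIFICATE-----/ { inblk = 0; last = buf }
         END { printf "%s", last }'
}

# Step 4: place the signer certificate (PEM file $1) into the PKCS12 truststore.
import_signer() {
  openssl pkcs12 -export -nokeys -in "$1" -out "$TRUSTSTORE" \
    -passout "pass:$STOREPASS" >/dev/null 2>&1
}

# What strict mode does at connect time: accept the server certificate ($1) only
# if it chains to a certificate in the truststore. Returns 0 if so, non-zero otherwise.
strict_verify() {
  openssl pkcs12 -in "$TRUSTSTORE" -nokeys -passin "pass:$STOREPASS" \
    2>/dev/null > "$WORK/trusted.pem" || return 1
  openssl verify -CAfile "$WORK/trusted.pem" "$1" >/dev/null 2>&1
}

# Demo: the imported signer verifies; an unrelated certificate (what a server
# impersonating myldap would present) is rejected. Non-strict mode skips this check.
main() {
  make_test_cert ldap && import_signer "$WORK/ldap.crt"
  strict_verify "$WORK/ldap.crt" && echo "trusted signer: verified"
  make_test_cert rogue
  strict_verify "$WORK/rogue.crt" || echo "unknown signer: rejected"
}

main "$@"
```

A JSSE trust store is normally maintained with the JDK's keytool; the openssl steps here only illustrate what the truststore must contain and what strict mode checks.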