What is LDAP?
LDAP (Lightweight Directory Access Protocol) is an internet protocol that allows your WCM website to communicate to your directory server. This allows users to authenticate using their network credentials.
Is LDAP Secure?
When implemented as "Secure LDAP" (AKA "LDAP over SSL/TLS") the exchange between your website and your directory server is encrypted using the same technology that protects business transactions across the internet. This is the only version of LDAP that we will implement.
LDAP by its nature requires your server to be accessible over the internet, and there is always some risk in that connection. You can mitigate that risk by limiting the traffic you'll accept to only the IP addresses our servers communicate over, but your security policies may require additional risk mitigation. Consult your appropriate network professionals prior to scheduling LDAP to be sure this service is appropriate for you.
Is Secure LDAP the same as Secure Login?
No. Secure Login encrypts the communication between browsers and our servers. Secure LDAP governs the communication between our servers and your servers. It is possible, though not advisable to have one without the other.
Is LDAP Reliable?
It is as reliable as you make it. LDAP is best seen as a service that you provide. Our servers send login requests to an address you provide through a firewall you maintain mapped to a server you administer using accounts you provided. If these resources are maintained and monitored appropriately and communicate any changes to us in advance, then you'll have a successful deployment.
Is LDAP Required? Are There Other Alternatives?
LDAP is an optional service included in the "Essentials" package. It is not required. We also offer integration through the SAML protocol if you are using ADFS 2.0, 3.0 or 4.0. There may be an additional service fee to implement SAML. Check with your Project Manager.
I Have Users Spread Across Multiple Domains. Can I Use LDAP?
If the multiple domains are all part of the same global catalog, you may be able to access all of them on a single instance by querying to your global catalog (port 3289). If this isn't an option, there is an option available to support multiple LDAP instances, each to a separate domain. There may be an additional service fee to implement multi-domain LDAP.
If my LDAP Connection Stops Working. What should I do?
Our support team is available to assist with any LDAP outage and have several techniques we can walk you through to mitigate an outage- sudden or anticipated, but please include your network team in the investigation as early as possible. Since LDAP previously worked with the addresses, accounts, and certificates you provided, one of the earliest tasks will be to compare these settings with the values your network is currently using to identify anything that may have changed or expired.
Can I use port X for LDAP?
Currently, our product only supports secure LDAP over the default secure LDAP ports. Those are port 636 for most LDAP implementations or port 3269 for the global catalog. Although the product allows you to specify a port, all other port traffic will be sent under standard LDAP- encoded, but not encrypted through SSL/TLS.
What Is Group Mapping?
An advanced (optional) feature of our LDAP implementation is called group mapping. Most users are organized into groups in your directory server. You may find you have similar groups within your website. By "mapping" these groups together, you can reduce the effort to maintain accurate memberships. A user who is part of the group in your LDAP server will be assigned that mapped group in your website. A user removed from that group in your LDAP server will be removed from that group in your website.
Why do you need my directory server's certificate?
When you prepare secure LDAP on your directory server, you will install a certificate on your server. This certificate will encrypt the communication between our servers and your directory server. However, before communication can occur, our servers need to assure the certificate presented comes from a trusted source.
- If your certificate is issued by a public entity (such as Verisign) then the source is already trusted. Any public authority already trusted by most browser installations is already trusted by our servers.
- If your certificate is issued by another server within your network (a Certificate Authority (CA)) then we must add that CA to our servers' list of "trusted root authorities." To do this, we'll need a copy of that CA's own certificate.
- If you have multiple CA's working in a hierarchy, then we'd need to trust all CA's in the chain to build a complete trusted chain of authority.
- When these certificates expire, LDAP will cease working until we have renewed the trust by adding the new certificates.
- If your certificate is self-signed (your AD served as its own CA) then we would only need that AD's certificate delivered and installed.
Other Secure LDAP users don't need my certificate. Why do you?
Our servers are required to trust any certificate issuer before accepting a certificate. This provides a heightened level of security, as the certificate provides both encryption and proof of identity. Some vendors may choose to only use the certificate for identity.