
LDAPS Configuration

⏱️ 5 minutes

Verify that LDAPS (LDAP over SSL) is enabled on your Domain Controller.

Password operations require LDAPS. Without an encrypted connection, AD will reject password changes.

Check LDAPS Status

Quick Test

Run this from the connector server (or any machine):

```powershell
$dcName = "dc01.company.local"  # Replace with your DC
Test-NetConnection -ComputerName $dcName -Port 636
```
Expected Result
```text
ComputerName     : dc01.company.local
RemoteAddress    : 192.168.1.10
RemotePort       : 636
TcpTestSucceeded : True
```

If the result shows `TcpTestSucceeded : False`, either LDAPS is not enabled on the DC or port 636 is blocked between the connector server and the DC.

Verify Certificate

Test the SSL certificate:

```powershell
$dcName = "dc01.company.local"
$port   = 636
try {
    $tcpClient = New-Object System.Net.Sockets.TcpClient
    $tcpClient.Connect($dcName, $port)
    $sslStream = New-Object System.Net.Security.SslStream($tcpClient.GetStream())
    $sslStream.AuthenticateAsClient($dcName)
    Write-Host "LDAPS connection successful!" -ForegroundColor Green
    Write-Host "Certificate Subject: $($sslStream.RemoteCertificate.Subject)"
    Write-Host "Expires: $($sslStream.RemoteCertificate.GetExpirationDateString())"
    $sslStream.Close()
    $tcpClient.Close()
} catch {
    Write-Host "LDAPS connection failed: $_" -ForegroundColor Red
}
```
Expected Result
```text
LDAPS connection successful!
Certificate Subject: CN=dc01.company.local
Expires: 12/31/2025 11:59:59 PM
```
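The script above stops at the first failure, which tells you that something is wrong but not what. The following PowerShell is an added diagnostic, not code from this guide or the connector project: it installs a certificate validation callback so the handshake completes even with a bad certificate, then reports which problem from the "If Something Goes Wrong" table applies (name mismatch, untrusted chain, expired or soon-to-expire certificate). The DC name and the 30-day expiry warning threshold are assumed values; the callback accepts every certificate only so the cause can be printed, and the connector itself must still validate normally.

```powershell
# Added diagnostic (not part of the guide): classify LDAPS certificate problems.
$dcName       = "dc01.company.local"   # assumed; replace with your DC FQDN
$port         = 636
$minDaysValid = 30                     # assumed warning threshold

# Shared state the callback writes into; a hashtable is a reference, so the
# assignment is visible outside the callback regardless of scope rules.
$diag = @{ Errors = [System.Net.Security.SslPolicyErrors]::None }
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $sslPolicyErrors)
    $diag.Errors = $sslPolicyErrors
    return $true   # accept for diagnosis only; never do this in the connector config
}

$tcpClient = New-Object System.Net.Sockets.TcpClient
try {
    $tcpClient.Connect($dcName, $port)
    $sslStream = New-Object System.Net.Security.SslStream($tcpClient.GetStream(), $false, $callback)
    $sslStream.AuthenticateAsClient($dcName)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($sslStream.RemoteCertificate)
    Write-Host "TLS negotiated: $($sslStream.SslProtocol); subject: $($cert.Subject)"

    # Print the SAN list so a name mismatch can be compared against the DC FQDN
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
    if ($san) { Write-Host "SAN: $($san.Format($false))" }

    # Map the policy errors onto the troubleshooting table rows
    if ($diag.Errors -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch) {
        Write-Host "Certificate name mismatch: request a certificate whose subject or SAN contains $dcName" -ForegroundColor Yellow
    }
    if ($diag.Errors -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors) {
        Write-Host "Chain not trusted on this machine (self-signed or unknown CA): import the issuing CA into Trusted Root instead of disabling verification" -ForegroundColor Yellow
    }
    $daysLeft = ($cert.NotAfter - (Get-Date)).Days
    if ($daysLeft -lt 0) {
        Write-Host "Certificate expired on $($cert.NotAfter)" -ForegroundColor Red
    } elseif ($daysLeft -lt $minDaysValid) {
        Write-Host "Certificate expires in $daysLeft days ($($cert.NotAfter)); check auto-enrollment" -ForegroundColor Yellow
    }
    if ($diag.Errors -eq [System.Net.Security.SslPolicyErrors]::None -and $daysLeft -ge $minDaysValid) {
        Write-Host "LDAPS certificate is valid, trusted and matches $dcName" -ForegroundColor Green
    }
    $sslStream.Close()
} catch {
    Write-Host "LDAPS connection failed: $_" -ForegroundColor Red
} finally {
    $tcpClient.Close()
}
```

Run it from the connector server, because chain trust is evaluated against that machine's certificate store: a certificate that validates on the DC can still be untrusted where the connector runs.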

If LDAPS is Not Enabled

LDAPS requires a certificate on the Domain Controller. Common approaches:

Option 1: Enterprise CA

If you have an Enterprise CA in your domain:

  1. Open the Certificates snap-in (Local Computer) on the DC
  2. Request a new certificate
  3. Select the Domain Controller or Domain Controller Authentication template
  4. Complete the request

The DC will automatically start listening on port 636.

Option 2: Self-Signed Certificate

For testing or small environments:

```powershell
# Run on Domain Controller as Administrator
$cert = New-SelfSignedCertificate `
    -DnsName "dc01.company.local" `
    -CertStoreLocation "cert:\LocalMachine\My" `
    -KeyExportPolicy Exportable `
    -KeySpec KeyExchange `
    -NotAfter (Get-Date).AddYears(5)
Write-Host "Certificate created: $($cert.Thumbprint)"
# Note: Restart the DC or wait for LDAPS to become available
```

Self-signed certificates work, but the connector will not trust them by default, so you may need to either import the certificate into the connector server's trusted root store or configure the connector to skip certificate verification (not recommended for production).
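Whether the certificate comes from an Enterprise CA (Option 1) or is self-signed (Option 2), the DC only starts listening on 636 if a usable certificate sits in its Local Computer Personal store. The following PowerShell is an added check, not code from this guide or the connector project: run on the DC, it lists every certificate in that store and reports which of the basic requirements Schannel applies (private key present, Server Authentication EKU, DC FQDN in the subject CN or SAN, valid dates) each one fails. The FQDN is an assumed value; the function name `Test-LdapsCandidate` is mine.

```powershell
# Added check (not part of the guide): find certificates eligible for LDAPS on this DC.
$dcFqdn        = "dc01.company.local"   # assumed; replace with this DC's FQDN
$serverAuthOid = "1.3.6.1.5.5.7.3.1"    # Server Authentication EKU
$sanOid        = "2.5.29.17"            # Subject Alternative Name extension

function Test-LdapsCandidate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $problems = @()

    if (-not $Cert.HasPrivateKey) { $problems += "no private key" }

    # EKU must include Server Authentication
    $hasServerAuth = $false
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $serverAuthOid) { $hasServerAuth = $true }
            }
        }
    }
    if (-not $hasServerAuth) { $problems += "missing Server Authentication EKU" }

    # DC FQDN must appear as the subject CN or as a DNS entry in the SAN
    $names = @($Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
    if ($san) {
        # Windows formats the SAN as "DNS Name=a, DNS Name=b"; keep the values
        $names += ($san.Format($false) -split ",\s*") | ForEach-Object { ($_ -split "=")[-1].Trim() }
    }
    if ($names -notcontains $dcFqdn) {
        $problems += "subject/SAN does not contain $dcFqdn (found: $($names -join ', '))"
    }

    $now = Get-Date
    if ($Cert.NotBefore -gt $now) { $problems += "not yet valid" }
    if ($Cert.NotAfter  -lt $now) { $problems += "expired $($Cert.NotAfter)" }

    return $problems
}

foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $problems = Test-LdapsCandidate -Cert $cert
    if ($problems.Count -eq 0) {
        Write-Host "OK  $($cert.Thumbprint)  $($cert.Subject)  expires $($cert.NotAfter)" -ForegroundColor Green
    } else {
        Write-Host "--  $($cert.Thumbprint)  $($cert.Subject): $($problems -join '; ')" -ForegroundColor Yellow
    }
}
```

If no certificate prints as OK, that is the "Port 636 not listening / No certificate on DC" row of the troubleshooting table. The check does not cover everything Schannel looks at (for example whether the DC trusts the issuing CA), so a certificate that passes here can still be ignored; the client-side test from the connector server remains the final word.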

Option 3: Let’s Encrypt / Public CA

For DCs with public DNS names, you can use Let’s Encrypt or another public CA.

Decision Tree

```text
Is port 636 open on DC?
├── No → Is Enterprise CA available?
│   ├── Yes → Request Domain Controller certificate
│   └── No → Use self-signed certificate
└── Yes → Test SSL connection
    ├── Succeeds → ✅ Ready
    └── Fails → Check certificate validity
```
🔧 If Something Goes Wrong
| Symptom | Cause | Solution |
| --- | --- | --- |
| Port 636 not listening | No certificate on DC | Install Domain Controller certificate |
| Certificate expired | Auto-renewal not configured | Request new certificate or configure auto-enrollment |
| Certificate name mismatch | Certificate doesn't match DC name | Request new cert with correct subject or SAN |

Alternative: StartTLS

If you can’t enable LDAPS, you can use LDAP with StartTLS:

```yaml
# In connector config
ad:
  port: 389
  tls_mode: starttls
```

This connects on plain port 389 and then upgrades the same connection to TLS with the StartTLS extended operation, so the DC still needs a valid certificate: only the port changes, not the certificate requirements above.
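The guide gives a connection test for LDAPS but none for StartTLS. The following PowerShell is an added check, not code from this guide or the connector project: it opens an LDAP connection on 389, issues the StartTLS extended operation, performs an anonymous bind over the upgraded connection and prints the negotiated protocol, using the System.DirectoryServices.Protocols classes that ship with Windows. The DC name is an assumed value; no credentials are sent, and server certificate validation is left at its default so an untrusted certificate fails here just as it would for the connector.

```powershell
# Added check (not part of the guide): verify the StartTLS upgrade on port 389.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$dcName = "dc01.company.local"   # assumed; replace with your DC FQDN

$identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($dcName, 389)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
$conn.SessionOptions.ProtocolVersion = 3
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous

try {
    # Request the TLS upgrade; this throws if the DC has no usable certificate
    # or if the certificate fails the default validation on this machine.
    $conn.SessionOptions.StartTransportLayerSecurity($null)

    # Anonymous bind, now carried over TLS; nothing sensitive is transmitted.
    $conn.Bind()

    $info = $conn.SessionOptions.SslInformation
    Write-Host "StartTLS succeeded on $dcName`:389" -ForegroundColor Green
    Write-Host "Protocol: $($info.Protocol); cipher: $($info.AlgorithmIdentifier) ($($info.StrengthInCipher) bits)"
} catch {
    Write-Host "StartTLS failed: $_" -ForegroundColor Red
} finally {
    $conn.Dispose()
}
```

If this fails with a certificate error but the plain LDAPS test on 636 also fails, fix the certificate first; StartTLS does not work around a missing or untrusted DC certificate, it only avoids the need for the dedicated 636 listener.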
