8.5 Using LDAP to Communicate with the Identity Vault

When you install the Identity Vault, you must specify the ports that the LDAP server listens on to service LDAP requests. In the default configuration, the port numbers for clear text and SSL/TLS are 389 and 636.

An LDAP Simple Bind requires only a DN and a password, and the password is sent in clear text. If you use port 389, the entire packet, password included, crosses the network in clear text, and anyone who can capture packets on the path can read it. Because port 389 allows clear text, the LDAP server services Read and Write requests to the Directory through this port. This openness is adequate only for trusted environments, where spoofing does not occur and no one inappropriately captures packets. By default, this option is disabled during the installation.

The connection through port 636 is encrypted. TLS (the successor to SSL) manages the encryption. A connection to port 636 automatically initiates a TLS handshake before any LDAP data is exchanged. If the handshake fails, the connection is denied.

NOTE: The installation program selects port 636 by default for TLS/SSL communications. This default selection might cause a problem for your LDAP server. If a service that was already loaded on the host server (before eDirectory was installed) uses port 636, you must specify another port. Installations earlier than eDirectory 8.7 treated this conflict as a fatal error and unloaded nldap. After eDirectory 8.7.3, the installation program loads nldap, places an error message in the dstrace.log file, and runs without the secure port.

During the installation process, you can configure the Identity Vault to refuse clear-text passwords and other data. The Require TLS for Simple Bind with Password option rejects any simple bind that carries a password over the clear-text port, so users cannot unknowingly send a password that others on the network can read. If you do not select this setting, the server accepts such binds and users are unaware that others can observe their passwords. This option, which refuses the bind rather than the TCP connection, applies only to the clear-text port. A simple bind made over port 636 is already inside an encrypted TLS session, so an observer on the network cannot read the password, the bind request, or the data packets.

Consider the following scenarios:

Require TLS for Simple Bind with Password Is Enabled

Olga is using a client that asks for a password. After Olga enters the password, the client connects to the server over the clear-text port and sends a simple bind. The LDAP server refuses to bind the connection because TLS is required. Anyone capturing the traffic can still read Olga's password, because the client has already sent it in the clear, but Olga does not get a bound connection.
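The scenario above, and the clear-text packet described earlier, as an added Python example that is not from the NetIQ guide or from eDirectory: it encodes an LDAP simple bind exactly as it appears on the wire (the BER encoding from RFC 4511), shows that the password can be read straight out of the bytes, and decodes the server's BindResponse, including the confidentialityRequired result code (13) that the LDAP standard defines for a refused clear-text simple bind. The DN, password, host name and the sample reply bytes are constructed for the example; the diagnostic text a real server sends may differ, so a client should check the result code, not the string. The `probe_simple_bind` helper is the same exchange against a live server on port 389, or on port 636 with `use_tls=True`, and is not exercised offline.

```python
"""Added example, not from the NetIQ guide: an LDAP simple bind as it appears on the
wire (RFC 4511 BER encoding), and decoding of the server's BindResponse. The DN,
password and the sample reply bytes below are constructed for this example."""
import socket
import ssl

SUCCESS = 0
CONFIDENTIALITY_REQUIRED = 13   # LDAP result code for "simple bind needs TLS" (RFC 4511, appendix A)

# BER tags used by the LDAP bind exchange
SEQUENCE, INTEGER, OCTET_STRING, ENUMERATED = 0x30, 0x02, 0x04, 0x0A
BIND_REQUEST, BIND_RESPONSE, SIMPLE_AUTH = 0x60, 0x61, 0x80   # [APPLICATION 0], [APPLICATION 1], [0]


def ber_len(n: int) -> bytes:
    """BER length: one byte below 128, otherwise 0x80|count followed by big-endian length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(value: int, tag: int = INTEGER) -> bytes:
    """Non-negative INTEGER/ENUMERATED; an extra leading 0x00 keeps the sign bit clear."""
    return ber_tlv(tag, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big"))


def ber_read(buf: bytes, pos: int = 0):
    """Decode one TLV at pos; returns (tag, value, position after the TLV)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                     # long-form length
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def simple_bind_request(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple [0] password } }."""
    bind = ber_int(3) + ber_tlv(OCTET_STRING, dn.encode()) + ber_tlv(SIMPLE_AUTH, password.encode())
    return ber_tlv(SEQUENCE, ber_int(message_id) + ber_tlv(BIND_REQUEST, bind))


def password_visible(packet: bytes, password: str) -> bool:
    """True when the password can be read straight out of the bytes on the wire."""
    return password.encode() in packet


def parse_bind_response(msg: bytes) -> dict:
    """Decode LDAPMessage { messageID, BindResponse { resultCode, matchedDN, diagnosticMessage } }."""
    tag, body, _ = ber_read(msg)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = ber_read(body)
    tag, op, _ = ber_read(body, pos)
    if tag != BIND_RESPONSE:
        raise ValueError("not a BindResponse")
    _, code, pos = ber_read(op)          # ENUMERATED resultCode
    _, matched, pos = ber_read(op, pos)  # matchedDN
    _, diag, _ = ber_read(op, pos)       # diagnosticMessage
    return {"message_id": int.from_bytes(mid, "big"), "result_code": int.from_bytes(code, "big"),
            "matched_dn": matched.decode(), "diagnostic": diag.decode()}


# Constructed sample reply: BindResponse with resultCode 13 and a diagnostic string. The exact
# text a given server sends varies; the result code is what a client should check.
SAMPLE_TLS_REQUIRED_REPLY = bytes.fromhex("30 24 02 01 01 61 1f 0a 01 0d 04 00 04 18") + b"Confidentiality required"


def recv_ldap_message(sock) -> bytes:
    """Read exactly one BER-framed LDAPMessage from a socket."""
    head = sock.recv(2)
    length = head[1]
    if length & 0x80:
        head += sock.recv(length & 0x7F)
        length = int.from_bytes(head[2:], "big")
    body = b""
    while len(body) < length:
        chunk = sock.recv(length - len(body))
        if not chunk:
            raise ConnectionError("server closed the connection mid-message")
        body += chunk
    return head + body


def probe_simple_bind(host, port, dn, password, use_tls=False, cafile=None, timeout=5.0) -> dict:
    """Send one simple bind to a live server (389 clear text, or 636 with use_tls=True) and decode the result."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:  # LDAPS: the TLS handshake completes before any LDAP bytes are sent
        sock = ssl.create_default_context(cafile=cafile).wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(simple_bind_request(1, dn, password))
        return parse_bind_response(recv_ldap_message(sock))


if __name__ == "__main__":
    pkt = simple_bind_request(1, "cn=olga,ou=users,o=vault", "S3cret!")   # constructed DN and password
    print("bind request on the wire:", pkt.hex())
    print("password visible in clear text:", password_visible(pkt, "S3cret!"))
    print("sample server reply:", parse_bind_response(SAMPLE_TLS_REQUIRED_REPLY))
    # Against a real server (hypothetical host name):
    #   probe_simple_bind("vault.example.com", 389, "cn=olga,ou=users,o=vault", "S3cret!")
    # With Require TLS enabled the clear-text port answers result_code 13; port 636 with use_tls=True answers 0.
```

Running the script prints the raw request bytes, in which the DN and the password string are plainly readable, which is exactly what a packet capture on port 389 shows. The probe helper performs the TLS handshake itself before sending the bind when pointed at port 636, so the same bytes are never exposed on that port.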

Port 636 Is Already Used

Your server is running Active Directory, whose LDAP service already uses port 636. You install eDirectory. The installation program detects that port 636 is already in use and does not assign the secure port to the NetIQ LDAP server. The LDAP server loads and appears to run. However, because the LDAP server never binds to a port that another service already holds, it does not service requests on that port.

To verify whether port 389 or 636 is assigned to the NetIQ LDAP server, run the ICE utility against the port and request the vendor version (ICE reads it from the root DSE of whatever server answers). If the Vendor Version field does not specify NetIQ, another service answered on that port, and you must reconfigure LDAP Server for eDirectory to use a different port. For more information, see “Verifying That the LDAP Server is Running” in the NetIQ eDirectory 8.8 SP8 Administration Guide.

Active Directory Is Running

When Active Directory is running and has clear-text port 389 open, you can run the ICE command against port 389 and ask for the vendor version. The report displays Microsoft. You then reconfigure the NetIQ LDAP server to use another port, so that the eDirectory LDAP server can service LDAP requests.

iMonitor can also report whether port 389 or 636 is already open. If the LDAP server is not working, use iMonitor to identify details. For more information, see “Verifying That the LDAP Server is Running” in the NetIQ eDirectory 8.8 SP8 Administration Guide.