Disable Simple LDAP

The final step is to disable simple LDAP binds on the domain controller by requiring LDAP server signing. The steps are described in the following Microsoft article: https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/enable-ldap-signing-in-windows-server

Use Group Policy to enable LDAP signing: open the Default Domain Controllers Policy and navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies, then select Security Options.

[Screenshot: Default Domain Controllers Policy (default_domain_controllers_policy.png)]

Right-click Domain controller: LDAP server signing requirements, select Properties and set the LDAP server signing requirement so that signing is required, as shown in the following screenshot.

[Screenshot: LDAP server signing requirements policy setting (enable_ldap_signing.png)]

Click OK and reboot your domain controller for the change to take effect.

From now on, any attempt to bind to the LDAP server with a simple (unsigned) bind will fail with LDAP error 8 (Strong(er) authentication required), as in the following Squid output:

[Screenshot: LDAP test connection failure (ldap_test_connection_failure2.png)]
ERROR: Connection to 1st LDAP server failed: cannot bind to LDAP host with user
name 'squid@example.lan', error 8, error_str Strong(er) authentication required
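As an added verification script (not part of the original article or of Squid), the following PowerShell checks the change from both sides: it reads the registry value that the "LDAP server signing requirements" policy sets on the domain controller, then attempts an unsigned simple bind on port 389 and expects the error 8 shown above. The server name, account and password are placeholders to replace; the registry check must run on the domain controller itself.

```powershell
# Added example, not from the original page: confirm that a domain controller
# requires LDAP signing and rejects unsigned simple binds.
# Assumptions: $Server is a placeholder DC name, $Password is a placeholder,
# and the script runs on the DC (for the registry read) with a console that
# can reach the DC on TCP 389.
param(
    [string]$Server   = 'dc01.example.lan',   # placeholder DC name
    [string]$User     = 'squid@example.lan',  # account from the error above
    [string]$Password = 'REPLACE_ME'          # placeholder, not a real secret
)

# 1. Policy-level check. The GPO setting writes LDAPServerIntegrity under the
#    NTDS parameters key: 1 = None (simple binds accepted), 2 = Require signing.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$integrity = (Get-ItemProperty -Path $ntds -Name 'LDAPServerIntegrity' `
              -ErrorAction SilentlyContinue).LDAPServerIntegrity
switch ($integrity) {
    2       { Write-Host    'LDAPServerIntegrity = 2: signing required (expected)' }
    1       { Write-Warning 'LDAPServerIntegrity = 1: simple binds are still accepted' }
    default { Write-Warning 'LDAPServerIntegrity not set; check that the GPO applied (gpresult /r)' }
}

# 2. Behavioural check. An unsigned simple bind on 389 must be answered with
#    LDAP result code 8 (strongerAuthRequired) once the policy is in force.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 389)
$cred = New-Object System.Net.NetworkCredential($User, $Password)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id, $cred, 'Basic')
$conn.SessionOptions.ProtocolVersion = 3
$conn.SessionOptions.Signing = $false      # deliberately unsigned, like Squid's simple bind
try {
    $conn.Bind()
    Write-Warning "Simple bind succeeded: simple LDAP is still enabled on $Server"
} catch [System.DirectoryServices.Protocols.LdapException] {
    if ($_.Exception.ErrorCode -eq 8) {
        Write-Host 'Simple bind rejected with error 8 (Strong(er) authentication required): OK'
    } else {
        Write-Warning ('Bind failed with unexpected LDAP error {0}: {1}' -f
                       $_.Exception.ErrorCode, $_.Exception.Message)
    }
} finally {
    $conn.Dispose()
}
```

A bind that fails with error 49 instead of 8 means the credentials were wrong rather than signing being enforced, so check the account before concluding the policy is active.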