To enable LDAP over SSL (LDAPS), all you need to do is "install" an SSL certificate on the Active Directory server. Most enterprises will opt to purchase an SSL certificate from a third party such as Verisign. In my case, I created my own certificate using OpenSSL. Here are the steps I used to secure my Active Directory server using a self-signed certificate.
Tags: windows, security, ldap, certificates
This document provides background on what LDAP authentication is, what specific LDAP authentication methods and mechanisms Active Directory (and more specifically the NETID domain) supports, and finally gives some guidance on which method and mechanism you should use.
Tags: windows, security, ldap
Today, many applications and devices connect to Active Directory over LDAP. Many of those are still performing insecure LDAP "simple binds", where credentials are transferred in clear text over the network. Those exposed credentials typically include the "service account" used to connect to LDAP, but also include the user credentials used during the application login.
Also note that the terms "LDAP over SSL" and "LDAP over TLS" are used interchangeably. By default, LDAP communications between client and server applications are not encrypted. This is especially problematic when an LDAP simple bind is used.
Tags: windows, security, ldap
The core of the issue is this: when an application performs a simple LDAP bind, the username and password are transmitted in clear text in the very first packet. The DC doesn't even have a chance to prevent this exposure from occurring. If the connection is not encrypted at a lower layer such as TLS or IPsec, it may be intercepted, and a bad day may soon follow.
Tags: windows, active directory, security, ldap