Solution
- Introduction: LDAP (Lightweight Directory Access Protocol) and LDAPS (LDAP over SSL) are protocols used for accessing and managing directory information services over an IP network. Both are commonly used in various applications and services, including the FortiGate suite of products.
- Definitions:
- Key Differences:
  - Encryption: The most significant difference between LDAP and LDAPS is encryption. LDAPS encrypts the connection from the start, ensuring that all data (including credentials) exchanged between the client and server is encrypted. In contrast, LDAP transmits data in plain text, making it vulnerable to eavesdropping.
  - Port Numbers: LDAP uses port 389 by default, whereas LDAPS uses port 636.
  - Server Authentication: LDAPS allows the client to authenticate the server using SSL/TLS certificates. This ensures that clients connect to the legitimate server, protecting against man-in-the-middle attacks.
  - Setup Complexity: LDAPS can be slightly more complex to set up due to the need for SSL/TLS certificates. However, this added complexity offers significant security advantages.
- Which is Better?
  - From a security standpoint, LDAPS is superior because of its encryption, which protects against eavesdropping and potential data leaks. This encryption is especially vital when transmitting sensitive information, such as user credentials.
  - While LDAP might be simpler to implement, it is generally recommended to use LDAPS wherever possible, particularly in security-critical environments.
- FortiGate's Perspective:
  - Integration: FortiGate integrates seamlessly with both LDAP and LDAPS for various services, including VPN authentication, user-group-based policies, etc.
  - Recommendation: Given the security benefits, FortiGate recommends using LDAPS, especially when sensitive operations, like password renewals or transmission of user credentials, are involved.
  - Configuration Flexibility: FortiGate provides configuration options to enable or disable features based on the chosen protocol. For instance, as discussed earlier, password renewal via FortiGate is available only with LDAPS due to security considerations.
  - Certificates: FortiGate requires the certificate of the CA that issued the LDAP server's certificate to be imported. Contact the team handling the domain controllers and/or the Enterprise Root Certificate Authority to provide the CA certificate (public key only) needed for the trust relationship. Import the certificate in the FortiGate's certificate section. If there are intermediate CA certificates, they may also have to be imported to the FortiGate if the LDAPS server does not send them as part of the TLS handshake (the certificate chain must be complete).
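The chain-completeness requirement above can be checked before touching the FortiGate. The following is an added example (not Fortinet's code): it parses the "Certificate chain" section that `openssl s_client -connect <ldaps-host>:636 -showcerts` prints, then walks from the server's leaf certificate toward the CA certificates already imported on the FortiGate and reports which issuer certificate is still missing. The hostname, CA names and the sample output are constructed for illustration.

```python
import re
from typing import List, Tuple

# Constructed sample of the chain section printed by
# `openssl s_client -connect dc01.corp.example:636 -showcerts` (hostname assumed).
# This server sends only its leaf certificate, not the issuing CA certificate.
SAMPLE_CHAIN_OUTPUT = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = dc01.corp.example
   i:CN = Corp Issuing CA
---
Server certificate
"""


def parse_chain(s_client_output: str) -> List[Tuple[str, str]]:
    """Return (subject, issuer) pairs in the order the server sent them."""
    chain, subject = [], None
    for line in s_client_output.splitlines():
        m = re.match(r"^\s*\d+\s+s:(.*)$", line)   # " 0 s:CN = ..." subject line
        if m:
            subject = m.group(1).strip()
            continue
        m = re.match(r"^\s+i:(.*)$", line)          # "   i:CN = ..." issuer line
        if m and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain


def missing_for_fortigate(chain: List[Tuple[str, str]], imported_ca_subjects: List[str]) -> List[str]:
    """Walk leaf -> issuer until an issuer is in the FortiGate trust store.

    Returns [] when the chain can be completed from what the server sends plus
    the imported CA certificates, otherwise the subject of the first issuer
    certificate that must still be imported (public CA cert only).
    """
    if not chain:
        raise ValueError("no certificate chain found in s_client output")
    sent = dict(chain)                 # subject -> issuer for every cert the server sent
    trusted, seen = set(imported_ca_subjects), set()
    subject, issuer = chain[0]
    while True:
        if issuer in trusted:
            return []                  # anchored in an imported CA certificate
        if issuer == subject:
            return [issuer]            # self-signed root reached but not imported
        if issuer in sent and issuer not in seen:
            seen.add(issuer)           # server sent the intermediate: keep climbing
            subject, issuer = issuer, sent[issuer]
            continue
        return [issuer]                # neither sent nor imported: import this CA cert
```

With only "CN = Corp Root CA" imported, the sample reports "CN = Corp Issuing CA" as missing, which is exactly the intermediate that has to be imported when the server does not send it.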
- Conclusion: While LDAP and LDAPS serve similar purposes, the encrypted nature of LDAPS makes it a preferable choice, especially in environments where data security and privacy are paramount. FortiGate, keeping in line with industry best practices, offers robust support and recommends LDAPS for secure operations.