Enable LDAP over SSL

Applies to User Roles:

System Administrator

You must have the SysAdmin capability word to use the procedures below.

By default, when you enable LDAP over SSL, you need to install the root certificate of the CA that issued the LDAP server's certificate on the Service Manager server, and then specify the location of that certificate file in the LDAP SSL DB Path field.

If you do not want to set the CA's root certificate on the Service Manager server, follow these steps:

  1. Set the ldapsslallownocert parameter to 1.
  2. Log in to Service Manager, and then click System Administration > Ongoing Maintenance > System > LDAP Mapping.
  3. Set the LDAP Server and LDAP Base Directory fields, and select the LDAP SSL check box. Leave the LDAP SSL DB Path field blank.
  4. Click Set File/Field level mapping, enter operator in the Name field, and then map the name field of operator to sAMAccountName (for an Active Directory server).
  5. Restart the Service Manager server.

If you wish to authenticate Service Manager users that belong to different domains or subdomains, you can deploy multiple LDAP servers that belong to the corresponding domains, and then set up a horizontally scaled (HS) cluster. With the following configuration, users who belong to different domains can share the same database while being authenticated over SSL by their own domain's LDAP server.

  1. Set the ldapsslallownocert parameter to 1.
  2. Log in to Service Manager, and then click System Administration > Ongoing Maintenance > System > LDAP Mapping. Leave everything on this page empty.
  3. Click Set File/Field Level Mapping, enter operator in the Name field, and then map the name field of operator to sAMAccountName.
  4. Add the ldapserver parameter to the sm.ini file, as in the following example:

    ldapserver1:16.183.93.217%636%cn=users,dc=swsm,dc=ind,dc=lab

    You can add this parameter multiple times if you have more than one LDAP server.

  5. Restart the Service Manager server.

Note: In both cases above, you still need to set the ldapbinddn and ldapbindpass parameters in sm.ini.
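As an added example (not part of the Service Manager documentation or product), the following Python script parses the sm.ini parameters described above and reports what an administrator should review before restarting the server: ldapsslallownocert set to 1, every ldapserverN entry in host%port%baseDN form, and whether ldapbinddn and ldapbindpass are present. The sample sm.ini fragment is constructed around the page's own ldapserver1 entry; the 'name:value' line syntax assumed for sm.ini and the function names are assumptions.

```python
import re
from collections import namedtuple

# Constructed sample sm.ini fragment around the page's example entry;
# bind DN and password are placeholders, not real values.
SAMPLE_SM_INI = """\
ldapsslallownocert:1
ldapserver1:16.183.93.217%636%cn=users,dc=swsm,dc=ind,dc=lab
ldapserver2:ldap.example.test%636%ou=people,dc=example,dc=test
ldapbinddn:cn=svc-sm,cn=users,dc=swsm,dc=ind,dc=lab
ldapbindpass:PLACEHOLDER
"""

LdapServer = namedtuple("LdapServer", "index host port base_dn")

def parse_sm_ini(text):
    """Return parameter -> value; assumes sm.ini lines look like 'name:value'."""
    params = {}
    for line in text.splitlines():
        name, sep, value = line.strip().partition(":")
        if sep:
            params[name.strip()] = value.strip()
    return params

def parse_ldapservers(params):
    """Parse every ldapserverN entry of the form host%port%baseDN."""
    servers = []
    for name, value in params.items():
        m = re.fullmatch(r"ldapserver(\d+)", name)
        if not m:
            continue
        parts = value.split("%")
        if len(parts) != 3 or not parts[1].isdigit():
            raise ValueError(f"{name}: expected host%port%baseDN, got {value!r}")
        servers.append(LdapServer(int(m.group(1)), parts[0], int(parts[1]), parts[2]))
    return sorted(servers, key=lambda s: s.index)

def audit(params):
    """Findings an administrator should review before restarting the server."""
    findings = []
    if params.get("ldapsslallownocert") == "1":
        findings.append("ldapsslallownocert=1: no CA root certificate is configured, "
                        "so the LDAP server's certificate is not validated against one")
    for key in ("ldapbinddn", "ldapbindpass"):
        if not params.get(key):
            findings.append(f"{key} is missing; set it in sm.ini")
    return findings
```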