You can configure the following levels of LDAP security:
Level 1 LDAP security: Secure LDAP with encryption and server authentication
Level 1 LDAP security uses TLS to encrypt the traffic between PowerExchange and the LDAP server. Encryption mitigates the snooping (eavesdropping) and tampering threats.
When PowerExchange connects to the LDAP server, the server presents a certificate that proves its identity. Verifying that certificate mitigates the threat of server spoofing; a certificate that is presented but not verified provides no such protection.
For PowerExchange to verify the server certificate, the truststore on the PowerExchange Listener machine must contain a suitable entry, typically the certificate of the CA that issued the server certificate. This entry must complete a chain of trust from the server certificate to a trusted root so that PowerExchange can establish the trustworthiness of the LDAP server. Without such an entry, PowerExchange cannot verify the server and the Level 1 protection against spoofing is not achieved.
Level 2 LDAP security: Secure LDAP with encryption and server and client authentication
Level 2 LDAP security provides the same protections as Level 1 and also provides client authentication.
When PowerExchange connects to the LDAP server, it presents a client certificate that proves its identity to the LDAP server. Verifying that certificate mitigates the threat of client spoofing, that is, of an unauthorized client impersonating PowerExchange.
For the LDAP server to verify the client certificate, the LDAP server truststore must contain a suitable entry, typically the certificate of the CA that issued the client certificate. This entry must complete a chain of trust that enables the LDAP server to establish the trustworthiness of the client.
Level 3 LDAP security: Secure LDAP with SASL EXTERNAL authentication
Level 3 LDAP security provides the same protections as Level 2 and additionally binds to the LDAP server with the SASL EXTERNAL mechanism. SASL EXTERNAL reuses the identity that the client certificate already proved during the TLS handshake instead of a separate bind DN and password.
If you do not use the SASL EXTERNAL mechanism, you must provide search user credentials by defining the LDAP_BIND_DN statement and either the LDAP_BIND_PWD statement or the LDAP_BIND_EPWD statement (the encrypted form of the password) in the DBMOVER configuration file. Level 3 LDAP security eliminates the need to define these statements, so no bind password has to be stored in the DBMOVER configuration file on the Listener machine.
Level 3 requires a certificate-mapping configuration on the LDAP server that translates information from the PowerExchange client certificate, typically its subject DN, into the LDAP entry of the search user. Because this mapping decides which LDAP identity the Listener acts as, restrict it to certificates issued by the CA you trust for this purpose rather than mapping on the subject name alone.
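The three levels in code, as an added example that is not part of PowerExchange or of this page: the client-side TLS settings a Level 1 and Level 2 caller needs (Python's standard ssl module standing in for PowerExchange's own LDAP client), the server-side setting that makes the client certificate mandatory, and a Level 3 style certificate-to-search-user mapping applied to constructed certificates in the shape that ssl.SSLSocket.getpeercert() returns. The certificate contents, the CA name, the allowed client names, the mapping rule and the DN template are assumptions for illustration; a real LDAP server's mapping syntax is product-specific.

```python
import ssl

# Constructed sample certificates in the dict shape returned by
# ssl.SSLSocket.getpeercert(). All names are invented for this example.
LISTENER_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Corp"),),
                (("organizationalUnitName", "PowerExchange"),),
                (("commonName", "pwx-listener01"),)),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Corp"),),
               (("commonName", "Example Internal CA"),)),
    "serialNumber": "0A1B2C",
    "notAfter": "Dec 31 23:59:59 2030 GMT",
}

# Same common name, but issued by a CA that is not trusted for the mapping.
ROGUE_CERT = {
    "subject": ((("commonName", "pwx-listener01"),),),
    "issuer": ((("commonName", "Some Public CA"),),),
    "serialNumber": "FFFF",
    "notAfter": "Dec 31 23:59:59 2030 GMT",
}


def client_tls_context(ca_file=None, client_cert=None, client_key=None):
    """Client side. Without a client certificate this is Level 1 (server
    authentication only); with one it is Level 2 (mutual authentication)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED  # reject a server whose chain does not end in our truststore
    ctx.check_hostname = True            # a trusted chain alone is not enough; the name must match
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)  # the truststore entry (chain of trust)
    if client_cert:
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)  # Level 2 client identity
    return ctx


def server_tls_context(server_cert=None, server_key=None, client_ca_file=None):
    """Server side for Level 2 and 3: a client certificate is mandatory and
    must chain to the CA in the server truststore."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED  # CERT_OPTIONAL would let an anonymous client through
    if server_cert:
        ctx.load_cert_chain(certfile=server_cert, keyfile=server_key)
    if client_ca_file:
        ctx.load_verify_locations(cafile=client_ca_file)
    return ctx


def tls_summary(ctx):
    """Plain-value view of the settings that matter for a review."""
    return {"verify_mode": ctx.verify_mode.name,
            "check_hostname": ctx.check_hostname,
            "minimum_version": ctx.minimum_version.name}


def name_attribute(name, attr):
    """Return one attribute value from a getpeercert()-style name tuple, or None."""
    for rdn_set in name:
        for key, value in rdn_set:
            if key == attr:
                return value
    return None


# Constructed Level 3 mapping rule (assumption: real rules are LDAP-server specific).
MAPPING_RULE = {
    "trusted_issuer_cn": "Example Internal CA",
    "allowed_cns": {"pwx-listener01", "pwx-listener02"},
    "dn_template": "cn={cn},ou=service accounts,dc=example,dc=com",
}


def map_client_cert_to_search_user(peercert, rule):
    """Level 3: derive the LDAP search-user DN from an already verified client
    certificate. Returns the DN, or None when the certificate must not be mapped."""
    if name_attribute(peercert.get("issuer", ()), "commonName") != rule["trusted_issuer_cn"]:
        return None  # issuer pinning: a valid chain from another CA must not yield an identity
    cn = name_attribute(peercert.get("subject", ()), "commonName")
    if cn is None or cn not in rule["allowed_cns"]:
        return None  # unknown client: never fall through to a default or anonymous user
    if any(ch in cn for ch in ',+"\\<>;=#'):
        return None  # refuse DN special characters instead of letting them alter the template
    return rule["dn_template"].format(cn=cn)


if __name__ == "__main__":
    print(tls_summary(client_tls_context()))
    print(map_client_cert_to_search_user(LISTENER_CERT, MAPPING_RULE))
    print(map_client_cert_to_search_user(ROGUE_CERT, MAPPING_RULE))
```

The two context builders accept file paths so they can be pointed at a real truststore and key pair; called without arguments they still show the settings a reviewer should look for (CERT_REQUIRED and hostname checking on the client, CERT_REQUIRED on the server). The mapping function makes the Level 3 caveat concrete: the rogue certificate carries the same common name as the Listener's but is refused because its issuer is not the pinned CA.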