Installation guide

NetIQ eDirectory 8.8 SP8 Installation Guide
The Require TLS for Simple Bind with Password option protects users from sending passwords that can be observed on the network. When it is enabled, the LDAP server refuses a simple bind that carries a password over the clear-text port (389) unless TLS has already been negotiated on that connection; the bind is rejected rather than served in clear text. If the option is disabled (that is, not checked), such binds are accepted, and users are usually unaware that anyone on the network path can read their passwords. The option applies only to the clear-text port. A simple bind over a secure connection to port 636 is already encrypted, so neither the password, the bind request nor the data packets can be read by an observer.
Port 636, the Industry-Standard Secure Port
Connections to port 636 are encrypted; TLS (formerly SSL) provides the encryption. By default, the eDirectory installation selects this port.
A connection to port 636 immediately starts a TLS handshake. If the handshake fails, the connection is refused.
IMPORTANT: This default selection might cause a problem for your LDAP server. If a service that was already loaded on the host server before eDirectory was installed uses port 636, you must specify another port.
Installations earlier than eDirectory 8.7 treated this conflict as a fatal error and unloaded nldap.nlm. From eDirectory 8.7.3 onwards, the installation loads nldap.nlm, writes an error message to the dstrace.log file, and runs without the secure port.
Scenario: Port 636 Is Already Used: Your server is running Active Directory, whose LDAP service uses port 636. You install eDirectory. The installation program detects that port 636 is already in use and does not assign it to the NetIQ LDAP server. The LDAP server loads and appears to run. However, because the LDAP server never binds to a port that another process already holds, it does not service requests on that port: LDAP requests sent to port 636 on this host are answered by Active Directory, not by eDirectory.
If you are not certain whether port 389 or 636 is assigned to the NetIQ LDAP server, run the ICE utility against that port. If the Vendor Version field does not specify NetIQ, another service is answering on that port, and you must reconfigure LDAP Server for eDirectory to use a different port. For more information, see “Verifying That the LDAP Server Is Running” in the NetIQ eDirectory 8.8 SP8 Administration Guide.
Scenario: Active Directory Is Running: Active Directory is running and clear-text port 389 is open. You run the ICE command against port 389 and ask for the vendor version. The report displays Microsoft. You then reconfigure the NetIQ LDAP server to use another port, so that the eDirectory LDAP server can service LDAP requests.
NetIQ iMonitor can also report that port 389 or 636 is already open. If the LDAP server isn't working,
use NetIQ iMonitor to identify details. For more information, see “Verifying That the LDAP Server Is
Running” in the NetIQ eDirectory 8.8 SP8 Administration Guide.
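The two checks described above (asking a port which vendor answers on it, and seeing whether the clear-text port refuses a simple bind with a password) can be reproduced with a small stdlib-only LDAP client. The following is an added example written for this page; it is not NetIQ's ICE utility and not code from the guide. It assumes the LDAP message layout of RFC 4511, takes result code 13 (confidentialityRequired) as the RFC's standard code for "TLS required", and uses a hypothetical host, DN and password; the sample responses in the block are constructed, not captured from a real eDirectory or Active Directory server.

```python
import socket
import ssl

# ---- BER encoding: only the pieces an LDAP request needs ----------------------
def _ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload

def ber_int(n, tag=0x02):          # INTEGER (0x02) or ENUMERATED (0x0A)
    return tlv(tag, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True))

def ber_str(s, tag=0x04):          # OCTET STRING / LDAPString
    return tlv(tag, s.encode())

def ber_seq(*items, tag=0x30):     # SEQUENCE (0x30), SET (0x31) or an APPLICATION tag
    return tlv(tag, b"".join(items))

def build_root_dse_request(msg_id):
    """LDAPMessage { msg_id, SearchRequest [APPLICATION 3]: base "", scope base }."""
    search = ber_seq(
        ber_str(""),                  # baseObject: the root DSE
        ber_int(0, tag=0x0A),         # scope: baseObject
        ber_int(0, tag=0x0A),         # derefAliases: neverDerefAliases
        ber_int(0), ber_int(0),       # sizeLimit, timeLimit: none
        tlv(0x01, b"\x00"),           # typesOnly: FALSE
        tlv(0x87, b"objectClass"),    # filter: present [7], i.e. (objectClass=*)
        ber_seq(ber_str("vendorName"), ber_str("vendorVersion")),
        tag=0x63)
    return ber_seq(ber_int(msg_id), search)

def build_simple_bind(msg_id, dn, password):
    """LDAPMessage { msg_id, BindRequest [APPLICATION 0]: version 3, simple auth [0] }.
    The password is a plain OCTET STRING: on port 389 without TLS these bytes are
    exactly what an observer on the wire sees."""
    bind = ber_seq(ber_int(3), ber_str(dn), tlv(0x80, password.encode()), tag=0x60)
    return ber_seq(ber_int(msg_id), bind)

# ---- BER decoding -------------------------------------------------------------
def ber_read(buf, pos=0):
    """Return (tag, value_bytes, position_after) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def ber_children(body):
    pos = 0
    while pos < len(body):
        tag, val, pos = ber_read(body, pos)
        yield tag, val

def _protocol_op(msg):
    _, body, _ = ber_read(msg)                     # LDAPMessage SEQUENCE
    (_, _msg_id), (op_tag, op) = list(ber_children(body))[:2]
    return op_tag, op

def parse_search_entry(msg):
    """SearchResultEntry [APPLICATION 4] -> {attribute: [values]}."""
    op_tag, op = _protocol_op(msg)
    if op_tag != 0x64:
        raise ValueError("not a SearchResultEntry (tag 0x%02x)" % op_tag)
    _dn, attrs = [v for _, v in ber_children(op)]
    out = {}
    for _, attr in ber_children(attrs):
        (_, name), (_, vals) = list(ber_children(attr))
        out[name.decode()] = [v.decode() for _, v in ber_children(vals)]
    return out

def served_by_netiq(attrs):
    """The guide's check: the vendor fields must name NetIQ, else another service owns the port."""
    return any("NetIQ" in v for key in ("vendorName", "vendorVersion") for v in attrs.get(key, []))

def parse_bind_result(msg):
    """BindResponse [APPLICATION 1] -> (resultCode, diagnosticMessage)."""
    op_tag, op = _protocol_op(msg)
    if op_tag != 0x61:
        raise ValueError("not a BindResponse (tag 0x%02x)" % op_tag)
    fields = [v for _, v in ber_children(op)]
    return int.from_bytes(fields[0], "big"), fields[2].decode()

def bind_outcome(code):
    # RFC 4511 result codes: 0 success, 13 confidentialityRequired, 49 invalidCredentials
    names = {0: "bound in clear text", 13: "refused: TLS required", 49: "invalid credentials"}
    return names.get(code, "error %d" % code)

# ---- Constructed sample responses (illustrative; not captured from any server) --
def _entry(msg_id, attrs):
    attr_list = ber_seq(*[ber_seq(ber_str(k), ber_seq(*[ber_str(v) for v in vs], tag=0x31))
                          for k, vs in attrs.items()])
    return ber_seq(ber_int(msg_id), ber_seq(ber_str(""), attr_list, tag=0x64))

SAMPLE_NETIQ_ENTRY = _entry(1, {"vendorVersion": ["LDAP Agent for NetIQ eDirectory 8.8 SP8"]})
SAMPLE_OTHER_ENTRY = _entry(1, {"vendorName": ["Some Other Vendor"]})
SAMPLE_BIND_TLS_REQUIRED = ber_seq(ber_int(2), ber_seq(
    ber_int(13, tag=0x0A), ber_str(""), ber_str("TLS required for simple bind"), tag=0x61))

# ---- Live use against a host (network; the samples above do not need it) -------
def exchange(host, port, request, use_tls):
    """Send one LDAPMessage and return the first response message as raw bytes."""
    sock = socket.create_connection((host, port), timeout=10)
    if use_tls:   # port 636: the TLS handshake happens before any LDAP byte is sent
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    sock.sendall(request)
    data = sock.recv(2)
    if data[1] & 0x80:
        data += sock.recv(data[1] & 0x7F)
    _, _, total = ber_read(data)
    while len(data) < total:
        data += sock.recv(total - len(data))
    sock.close()
    return data

if __name__ == "__main__":
    # Hypothetical host, DN and password; change them before running against a real server.
    for port, tls in ((389, False), (636, True)):
        attrs = parse_search_entry(exchange("ldap.example.com", port, build_root_dse_request(1), tls))
        print(port, "NetIQ" if served_by_netiq(attrs) else "NOT NetIQ", attrs)
    code, diag = parse_bind_result(exchange(
        "ldap.example.com", 389, build_simple_bind(2, "cn=admin,o=example", "secret"), False))
    print("simple bind on 389:", bind_outcome(code), diag)
```

In the Active Directory scenario above, the root DSE query on port 636 would come back without NetIQ in the vendor fields, which is the signal that eDirectory is not the process listening there. On port 636 the `wrap_socket` call performs the handshake before any LDAP bytes are sent, so a failed handshake surfaces as an exception rather than a half-open connection, matching the behaviour the guide describes; with Require TLS for Simple Bind with Password enabled, the bind on port 389 should come back with result code 13 instead of success, and the plaintext `secret` visible in the request bytes shows what is at stake when it is disabled.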
3.6.4 Installing NMAS Server Software
NetIQ Modular Authentication Service (NMAS) server components are installed automatically when you run the eDirectory installation program. During the installation you choose which login methods to install.
Select the login methods that you want to install into eDirectory by checking the appropriate check
boxes. When you select a login method, a description of the component appears in the Description
box. For more information on login methods, see “Managing Login and Post-Login Methods and
Sequences” (https://www.netiq.com/documentation/edir88/nmas88/data/bookinfo.html) in the NetIQ
Modular Authentication Services 3.3 Administration Guide.