Network security: LDAP client signing requirements
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Network security: LDAP client signing requirements
Description
This security setting determines the level of data signing that is requested on behalf of clients issuing LDAP BIND requests, as follows:
None: The LDAP BIND request is issued with the options that are specified by the caller.
Negotiate signing: If Transport Layer Security/Secure Sockets Layer (TLS\SSL) has not been started, the LDAP BIND request is initiated with the LDAP data signing option set in addition to the options specified by the caller. If TLS\SSL has been started, the LDAP BIND request is initiated with the options that are specified by the caller.
Require signature: This is the same as Negotiate signing. However, if the LDAP server's intermediate saslBindInprogress response does not indicate that LDAP traffic signing is required, the caller is told that the LDAP BIND command request failed.
Caution
- If you set the server to Require signature, you must also set the client. Not setting the client results in a loss of connection with the server.
Note
- This setting does not have any impact on ldap_simple_bind or ldap_simple_bind_s. No Microsoft LDAP clients that are shipped with Windows XP Professional use ldap_simple_bind or ldap_simple_bind_s to talk to a domain controller.
Default: Negotiate signing.
Configuring this security setting
You can configure this security setting by opening the appropriate policy and expanding the console tree as such: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\
For specific instructions about how to configure security policy settings, see Edit security settings on a Group Policy object.
For more information, see: