How to Effectively Disable Unsigned LDAP Requests Without Breaking Legacy Devices?

Asked By TechyNinja42 On

I'm working on disabling unsigned LDAP requests across my network and am considering setting my domain controllers to require it. I've already made some changes on a couple of workstations, but they're still sending unsigned LDAP requests. LDAPS is enabled and I can connect on port 636 without issues. I really want to avoid breaking any of the legacy devices in the process. If you've successfully navigated this before, could you share your strategy or any scripts you found helpful?

1 Answer

Answered By HelpfulAndy99 On

Remember, the requirement for LDAP signing only applies to your domain controllers, not to workstations. Your main problem might be applications utilizing port 389 for LDAP connections, especially common on Linux servers that aren't set up to use port 636. Check your Domain Controller logs to track down devices making unsigned LDAP requests and address those issues before enforcing the Require setting on your domain controllers.

CuriousCoder88 -

Thanks for the insight! Most of the unsigned requests are coming from desktops and laptops, so I guess I need to focus on other device types.
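The domain controller log check suggested in the answer above, as an added example that is not part of the original thread: with LDAP interface diagnostic logging raised to level 2, a DC records each unsigned bind as event ID 2889 in the Directory Service log. The parameter names and the 24-hour default window are assumptions.

```powershell
# Added example: summarise which clients are making unsigned LDAP binds to a DC.
# Prerequisite on each DC (otherwise only the 2887 daily summary is logged):
#   HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics
#   "16 LDAP Interface Events" (REG_DWORD) = 2
param(
    [string]$ComputerName = $env:COMPUTERNAME,  # assumption: run once per DC
    [int]$Hours = 24                            # assumption: look-back window
)

$filter = @{
    LogName   = 'Directory Service'
    Id        = 2889
    StartTime = (Get-Date).AddHours(-$Hours)
}

# Get-WinEvent raises an error when nothing matches; treat that as "no events".
$events = @(Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
                         -ErrorAction SilentlyContinue)

$binds = foreach ($e in $events) {
    # Property 0 is "address:port"; strip the ephemeral port so binds group per host.
    $client = [string]$e.Properties[0].Value
    $sep    = $client.LastIndexOf(':')
    [pscustomobject]@{
        ClientIP = if ($sep -gt 0) { $client.Substring(0, $sep) } else { $client }
        Identity = [string]$e.Properties[1].Value  # account used for the bind
        BindType = [string]$e.Properties[2].Value  # raw code; see the event text
    }
}

# One row per client/account/bind type, busiest first.
$binds | Group-Object ClientIP, Identity, BindType | ForEach-Object {
    [pscustomobject]@{
        Count    = $_.Count
        ClientIP = $_.Group[0].ClientIP
        Identity = $_.Group[0].Identity
        BindType = $_.Group[0].BindType
    }
} | Sort-Object Count -Descending | Format-Table -AutoSize
```

An empty result after a representative period, on every domain controller, is the signal that the Require setting can be enforced without cutting off a client.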
