Using publicly certified and accessible LDAP servers

To enable a simple and secure configuration when using the D2L Lightweight Directory Access Protocol (LDAP) Authentication method, your LDAP server should be publicly accessible and have an SSL certificate installed. Using a certificate generated by a Public Certificate Authority means you are not required to coordinate with D2L to renew certificates, as we maintain a store of public root certificates to validate SSL connections.

Note: As of June 2020, for new implementations and certificate renewals, D2L will no longer accept or store self-signed certificates or communication over insecure ports.

To ensure your LDAP server is available and secure, you must do the following:

  • Create a public DNS record for the LDAP server Hostname.
  • Obtain a publicly signed certificate from a Certificate Authority and install it on the LDAP server.
    Note: The certificate must include the hostname of the LDAP server in the SAN (Subject Alternative Name). Clients check the SAN before the Subject/CN, and the SAN can list multiple host names.
  • Enable LDAPS on a secure port: port 636 (DC) or port 3269 (GC). On these ports the connection is secured by the certificate as soon as it is established.
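The following script, added here as an example and not part of D2L's documentation or tooling, checks the three requirements above from the client side: the hostname resolves in public DNS, the certificate chains to a public root and is not self-signed, its SAN covers the hostname (the CN is deliberately ignored), and the port is one of the LDAPS ports. It assumes the local system root store stands in for the public root store D2L maintains, and the sample certificate dictionary is constructed in the shape `ssl.SSLSocket.getpeercert()` returns, not a real certificate.

```python
"""Client-side check of an LDAPS endpoint against the requirements listed
above. Example code; not D2L's own tooling."""
import socket
import ssl
import sys

# Ports on which the LDAP session is TLS-wrapped from the first byte.
LDAPS_PORTS = {636: "DC", 3269: "GC"}


def san_dns_names(cert):
    """Return the DNS entries of a certificate in ssl.getpeercert() dict form."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def dns_name_matches(pattern, hostname):
    """RFC 6125 style match: exact name, or a single leftmost '*' label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    plabels, hlabels = pattern.split("."), hostname.split(".")
    if plabels[0] == "*" and len(plabels) == len(hlabels) and len(plabels) > 2:
        return plabels[1:] == hlabels[1:]
    return False


def hostname_in_san(cert, hostname):
    """True when a SAN DNS entry covers the hostname. The Subject/CN is not
    consulted, because verifiers give the SAN precedence over it."""
    return any(dns_name_matches(p, hostname) for p in san_dns_names(cert))


def is_self_signed(cert):
    """A self-signed certificate has issuer == subject."""
    return cert.get("issuer") == cert.get("subject")


def evaluate_cert(cert, hostname, port):
    """Pass/fail findings for a certificate dict and the port it was served on."""
    return {
        "secure_port": port in LDAPS_PORTS,
        "publicly_signed": not is_self_signed(cert),
        "hostname_in_san": hostname_in_san(cert, hostname),
    }


def check_ldaps(hostname, port=636, timeout=5.0):
    """Resolve the hostname in DNS, open a TLS session on the LDAPS port,
    validate the chain against the local public root store (assumed to stand
    in for D2L's store), and report findings. Needs network access."""
    findings = {"dns_resolves": False}
    try:
        socket.getaddrinfo(hostname, port)
        findings["dns_resolves"] = True
    except socket.gaierror:
        return findings
    # create_default_context() verifies the chain against system roots and
    # checks the hostname against the SAN; a self-signed or CN-only
    # certificate fails here with ssl.SSLCertVerificationError.
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    findings.update(evaluate_cert(cert, hostname, port))
    findings["san"] = san_dns_names(cert)
    return findings


# Constructed sample certificates in getpeercert() dict form (not real certs).
SAMPLE_CERT = {
    "subject": ((("commonName", "ldap-old.example.com"),),),
    "issuer": ((("organizationName", "Example Public CA"),),),
    "subjectAltName": (("DNS", "ldap.example.com"), ("DNS", "*.ad.example.com")),
}
SELF_SIGNED_CERT = {
    "subject": ((("commonName", "ldap.example.com"),),),
    "issuer": ((("commonName", "ldap.example.com"),),),
    "subjectAltName": (),
}

if __name__ == "__main__":
    # Usage: python check_ldaps.py ldap.example.com [636|3269]
    host = sys.argv[1] if len(sys.argv) > 1 else "ldap.example.com"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 636
    print(check_ldaps(host, port))
```

`evaluate_cert` works on any certificate dictionary, so the offline checks below run without a server; `check_ldaps` performs the live test and raises `ssl.SSLCertVerificationError` on a self-signed chain or a SAN that does not cover the name, which is the same outcome the D2L side would see.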

For further details on supported Certificate Authorities, refer to the Microsoft Trusted Root Program – List of Participants article.