Configuring LDAP Over SSL (LDAPS)

Using LDAPS to secure a sync source connection (LDAP over SSL)

LDAP is a great method of connecting PaperCut to your directory services, however, LDAP is not encrypted by default. Standard LDAP leaves some important information exposed to prying eyes. Fortunately, securing your LDAP connection to avoid this issue is super easy!

The process of configuring PaperCut to use Secure LDAP (LDAPS) can be broken into two parts. First, setting up the directory server to support LDAPS, and second, configuring PaperCut to use the new secure connection.

Setting up LDAPS on the directory server

Installing a certificate onto the directory host is the first step in securing your directory connection. You can either self-sign the certificate or use one issued from a CA. You can follow our recommendations for Installing an SSL Certificate the Easy Way (through step 6), or alternatively, your LDAP provider may offer a good option for generating a certificate natively.

Depending on how your LDAP Service is configured, you may need to take some extra steps to prepare for the secure connection.

• Microsoft has a good article on how to configure their Active Directory Lightweight Directory Services (LDS) for SSL here
• If you’re using an OpenLDAP, you can read about their configuration demands here
• Apache DS also has a helpful tutorial for their product here
• Other open-source variants likely have their own instructions published, so if you don’t use a provider that was mentioned here, you might just need to do a little digging for the specific steps for your system.

Note: The above resources contain instructions for both generating a KeyStore and importing a KeyStore. If you want to use our instructions for KeyStore Explorer (linked above), you can skip the generation steps and go straight to importing- just use the KeyStore from our instructions.

Once your LDAP server is configured and an SSL certificate is installed, you can configure PaperCut to use SSL for its directory communications.

Configuring PaperCut to use Secure LDAP

1. Ensure that Port 636 is open for communication between the two servers
2. Head to your PaperCut admin interface and log in as an administrator.
3. Click on “Options” followed by “User/Group Sync”
4. Under the options to configure your primary or secondary sync source, you should see a small checkbox titled “Use SSL” - check that option
5. Click “Apply”
6. Done!

Still have questions?

Let us know! We love chatting about what’s going on under the hood. Feel free to leave a comment below or visit our Support Portal for further assistance.