#Windows AD account still using LDAP instead of LDAPS to authenticate against Domain Controller.


torpid geyser

Hi all,

For security reasons, I have been requested to use LDAPS instead of LDAP to authenticate when logging on StorageGRID.
Then, on the primary admin node under "Configuration" ---> "Identity Federation", I modified the port used so far (389 ---> 636), set TLS to use LDAPS and used our own custom CA certificate.
It works fine; however, our Windows admin told me that the account used to authenticate against the DC is still using LDAP... But this time, a network analysis showed that it is coming from the storage nodes, and not from the primary admin node...
As far as I know, all authentications to storage nodes are made via local users (SANtricity System Manager, SSH).
I had a look at the configuration and did not find where this Windows domain account could be used elsewhere. Any idea?

Thanks.

spiral zephyr

Authentication in StorageGRID is handled by the IDNT service that runs on the storage nodes with the "ADC" service, typically the first 3 storage nodes in each site.

So even for the LDAP connection you define in the GUI on the PA, the actual connection is done on the storage nodes. The PA never connects directly to LDAP.

If you select "Use LDAPS" and you test and save the connections, I don't see how requests could still happen with LDAP/389.
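The first post relies on a network analysis to tell which node is still binding to the DC over cleartext LDAP, and the reply points at the ADC storage nodes as the real LDAP clients. The script below is an added example (not StorageGRID code, not from either poster) of the check a practitioner would run over such a capture: it inspects the first client payload of each TCP connection to the DC and classifies it as a TLS handshake (LDAPS), a StartTLS extended request, or a cleartext LDAP message, and for cleartext simple binds it extracts the bind DN so the offending account can be identified. The node and DC addresses, the service-account DN and the flow records are constructed sample data, not values from the thread; a real run would feed it the per-connection first payload exported from a pcap.

```python
"""Classify LDAP client traffic to a domain controller as LDAPS, StartTLS, or
cleartext LDAP by decoding the first client payload of each TCP connection.
Added example; not part of StorageGRID or of the forum thread above."""
from collections import defaultdict

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 4511 StartTLS requestName


def _tlv(buf: bytes, pos: int):
    """Decode one BER TLV at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def classify_payload(payload: bytes):
    """Return (kind, bind_dn). bind_dn is set only for cleartext bind requests."""
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls", None                  # TLS handshake record: LDAPS, or TLS after StartTLS
    if not payload or payload[0] != 0x30:
        return "unknown", None              # not a BER LDAPMessage (or capture missed the start)
    try:
        _, msg, _ = _tlv(payload, 0)        # LDAPMessage ::= SEQUENCE
        _, _, pos = _tlv(msg, 0)            # messageID INTEGER
        op_tag, op, _ = _tlv(msg, pos)      # protocolOp CHOICE
        if op_tag == 0x77 and STARTTLS_OID in op:   # [APPLICATION 23] ExtendedRequest
            return "starttls-request", None
        if op_tag == 0x60:                  # [APPLICATION 0] BindRequest
            _, _, pos = _tlv(op, 0)         # version INTEGER
            _, name, pos = _tlv(op, pos)    # name LDAPDN (OCTET STRING)
            auth_tag, _, _ = _tlv(op, pos)  # authentication CHOICE
            dn = name.decode("utf-8", errors="replace")
            if auth_tag == 0x80:            # simple [0]: password travels in the clear
                return "cleartext-simple-bind", dn
            return "cleartext-sasl-bind", dn  # [3] SaslCredentials: no password, but session unencrypted
    except IndexError:
        return "unknown", None              # truncated message
    return "cleartext-ldap", None           # some other cleartext LDAP operation


def audit_flows(flows, dc_addrs):
    """flows: iterable of (src, dst, dport, first_client_payload).
    Returns {src: [(dport, kind, bind_dn), ...]} for every cleartext LDAP
    connection to a domain controller, grouped by originating host."""
    findings = defaultdict(list)
    for src, dst, dport, payload in flows:
        if dst not in dc_addrs:
            continue
        kind, dn = classify_payload(payload)
        if kind.startswith("cleartext"):
            findings[src].append((dport, kind, dn))
    return dict(findings)


# --- constructed sample data (hypothetical addresses, DN and payloads) ---------
def _ber(tag: int, content: bytes) -> bytes:
    assert len(content) < 128               # short-form lengths suffice for the sample
    return bytes([tag, len(content)]) + content


def simple_bind(dn: bytes, password: bytes, msg_id: int = 1) -> bytes:
    """Encode an LDAPv3 BindRequest with simple authentication (test fixture)."""
    op = _ber(0x02, b"\x03") + _ber(0x04, dn) + _ber(0x80, password)
    return _ber(0x30, _ber(0x02, bytes([msg_id])) + _ber(0x60, op))


STARTTLS_REQUEST = _ber(0x30, _ber(0x02, b"\x01") + _ber(0x77, _ber(0x80, STARTTLS_OID)))
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"   # record + handshake header prefix
SERVICE_DN = b"CN=svc-storagegrid,OU=Service,DC=corp,DC=example"

DC_ADDRS = {"10.0.0.5"}
SAMPLE_FLOWS = [
    ("10.0.1.21", "10.0.0.5", 389, simple_bind(SERVICE_DN, b"Secret01")),  # ADC storage node, cleartext
    ("10.0.1.22", "10.0.0.5", 636, TLS_CLIENT_HELLO),                      # ADC storage node, LDAPS
    ("10.0.1.23", "10.0.0.5", 389, STARTTLS_REQUEST),                      # ADC storage node, StartTLS
    ("10.0.1.50", "10.0.0.9", 389, simple_bind(b"CN=other", b"x")),        # not a DC, ignored
]

if __name__ == "__main__":
    for src, items in audit_flows(SAMPLE_FLOWS, DC_ADDRS).items():
        for dport, kind, dn in items:
            print(f"{src} -> tcp/{dport}: {kind} as {dn}")
```

Two caveats apply when running this against a real capture. Port alone is not evidence: 389 can carry StartTLS, and the script only sees the StartTLS request, so confirm in the capture that the server answered with resultCode 0 and that a TLS ClientHello follows on the same connection. And a flow whose first captured packet is mid-stream comes back as "unknown", not as clean, so capture from before the connections are established (for example across a StorageGRID service restart) rather than sampling an already-running session.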