Unable to bind with Active Directory LDAP using non-SSL port 389

2025-07-18T17:32:00.3833333+00:00

I'm trying to test an LDAP bind ID using ldapsearch (from a Red Hat server) to Active Directory LDAP on a group of domain controllers and am getting this error:

ldap_bind: Strong(er) authentication required (8)

additional info: 00002028: LdapErr: DSID-0C0903B6, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v4563

Here's my ldapsearch (sanitized of company info):

ldapsearch -d 1 -x -W -H ldap://domain.com -D"******@domain.com" -b"DC=domain,DC=com" mail=<somename>@company.com

Everything I read points to a GPO setting which looks like it should work from the Group Policy Management Editor:
[screenshot]

But on the Local Group Policy Editor it shows:
[screenshot]

And it's not editable:
[screenshot]

This is probably a rookie question and, well, I'm a rookie to GPOs, so... Thanks in advance.

Windows for business | Windows Server | Directory services | Active Directory

1 answer

  1. Chen Tran 4,705 Reputation points Independent Advisor
    2025-07-21T15:05:17.9766667+00:00

    Hello Steward,

    Thank you for posting question on Microsoft Windows Forum!

    Based on the provided error message, it is probable that Active Directory requires LDAP connections to use signing (integrity checking) or encryption (SSL/TLS) for security; your ldapsearch command uses plaintext LDAP (-H ldap://domain.com, with no encryption/signing) and AD rejects this because the GPO mandates security.

    You can try the following syntax for ldapsearch by using LDAPS or StartTLS.

    1. Switch to LDAPS:

    • Change your URI to ldaps:// (port 636) to enforce encryption:
    • ldapsearch -x -W -H ldaps://domain.com -D "****@domain.com" -b "DC=domain,DC=com" "mail=<somename>@company.com"
    • You might need to ensure that the domain controller's SSL certificate is trusted by the Red Hat server. If not, you can use -ZZ (for StartTLS) and trust the server's certificate or add it to the trust store.

    2. Alternatively, using StartTLS:

    • ldapsearch -x -W -H ldap://domain.com -D "****@domain.com" -b "DC=domain,DC=com" -ZZ "mail=<somename>@company.com"
    • The -ZZ option tells ldapsearch to use StartTLS.

    3. Issues relating to certificate trust:

    • If you encounter certificate trust issues, you can either:
    1. Add the AD domain controller's CA certificate to the trust store on the Red Hat server.
    2. Use ldapsearch with the -o option to ignore certificate checks (not recommended for production, but acceptable for testing purposes).
    • ldapsearch -x -W -H ldap://domain.com -D "****@domain.com" -b "DC=domain,DC=com" -ZZ -o tls_reqcert=never "mail=<somename>@company.com"
    • Or ldapsearch -x -W -H ldaps://domain.com -D "****@domain.com" -b "DC=domain,DC=com" -o tls_reqcert=never "mail=<somename>@company.com"

    Please note: the GPO setting "Domain controller: LDAP server signing requirements = Require signing", applied at the domain level in Group Policy Management Editor, overrides local policy.

    You can refer to the following article for more information about LDAP Signing.

    Hope the above information is helpful!

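As an added example (not part of the question or the answer above, and not OpenLDAP's or Microsoft's code), the following script shows what "ldap_bind: Strong(er) authentication required (8)" is on the wire: an LDAP BindResponse whose resultCode is 8 (strongerAuthRequired, RFC 4511), with the AD diagnostic string carried in diagnosticMessage. It builds such a response from the error text in the question (the bytes are constructed here, not captured from a real domain controller), decodes it with a minimal BER reader, maps the result to the client-side fix the answer describes, and includes a small pre-flight check for whether a simple bind's transport would satisfy a "Require signing" controller. The result-code table is partial and the function names are this example's own.

```python
"""Decode an LDAP BindResponse and explain AD's 'signing required' rejection.

Added example; pure stdlib. The BindResponse bytes are constructed from the
diagnostic text in the question, not captured from a live controller.
"""

# Partial RFC 4511 resultCode table; only values relevant to bind failures.
RESULT_CODES = {
    0: "success",
    1: "operationsError",
    7: "authMethodNotSupported",
    8: "strongerAuthRequired",
    13: "confidentialityRequired",
    49: "invalidCredentials",
}

# Diagnostic string quoted in the question (AD error 00002028).
AD_SIGNING_DIAG = (
    r"00002028: LdapErr: DSID-0C0903B6, comment: The server requires binds to "
    r"turn on integrity checking if SSL\TLS are not already active on the "
    r"connection, data 0, v4563"
)


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value


def build_bind_response(msg_id: int, code: int, diag: str) -> bytes:
    """LDAPMessage { messageID, BindResponse [APPLICATION 1] { resultCode,
    matchedDN, diagnosticMessage } }. msg_id and code must be < 128 so the
    single-byte INTEGER/ENUMERATED encodings below are valid."""
    result = (
        tlv(0x0A, bytes([code]))            # ENUMERATED resultCode
        + tlv(0x04, b"")                    # OCTET STRING matchedDN (empty)
        + tlv(0x04, diag.encode("utf-8"))   # OCTET STRING diagnosticMessage
    )
    bind_response = tlv(0x61, result)       # [APPLICATION 1], constructed
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + bind_response)  # SEQUENCE


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the element starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                        # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(pkt: bytes) -> dict:
    """Decode an LDAPMessage carrying a BindResponse into a plain dict."""
    tag, msg, _ = read_tlv(pkt, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, pos = read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("messageID must be INTEGER")
    tag, body, _ = read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("protocolOp is not a BindResponse")
    tag, code, pos = read_tlv(body, 0)
    if tag != 0x0A:
        raise ValueError("resultCode must be ENUMERATED")
    _, matched, pos = read_tlv(body, pos)
    _, diag, _ = read_tlv(body, pos)
    c = int.from_bytes(code, "big")
    return {
        "message_id": int.from_bytes(mid, "big"),
        "result_code": c,
        "result_name": RESULT_CODES.get(c, f"unknown({c})"),
        "matched_dn": matched.decode("utf-8"),
        "diagnostic": diag.decode("utf-8"),
    }


def diagnose(resp: dict) -> str:
    """Map a bind result to the action available on the client side."""
    if resp["result_code"] == 0:
        return "bind succeeded"
    if resp["result_code"] == 8 and "00002028" in resp["diagnostic"]:
        # The controller enforces 'LDAP server signing requirements = Require
        # signing'; a plain simple bind is refused regardless of credentials.
        return "signing required: use ldaps:// (636) or StartTLS (-ZZ) with certificate verification kept on"
    if resp["result_code"] == 49:
        return "invalid credentials"
    return f"bind failed: {resp['result_name']}"


def bind_transport_is_protected(uri: str, starttls: bool) -> bool:
    """Pre-flight check: would a simple bind on this transport satisfy a
    'Require signing' controller? ldaps:// or ldap:// plus StartTLS qualify."""
    return uri.lower().startswith("ldaps://") or (
        uri.lower().startswith("ldap://") and starttls
    )


if __name__ == "__main__":
    resp = parse_bind_response(build_bind_response(1, 8, AD_SIGNING_DIAG))
    print(resp["result_code"], resp["result_name"])
    print(diagnose(resp))
```

Running the script prints `8 strongerAuthRequired` followed by the signing recommendation; the `00002028` check matters because resultCode 8 alone can also mean a SASL mechanism was demanded for other reasons, while that AD-specific code pins it to the signing policy the answer points at.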
