LDAPS questions

I am using an Openfire 3.5.2 server on CentOS 5 which is connected to Active Directory (2003 domain). I understand that without LDAPs enabled, Openfire will make clear text authentication exchanges with AD. Obviously, this is not a good thing. I know that our Windows, Linux, and MacOS clients use Kerberos as a secure authentication method with AD. Since this is the case, we don’t currently have LDAPS enabled on our domain controllers. That being said, here are my questions:

1.) Is it possible to make Kerberized authentication requests from Openfire to Active Directory (SSO is not really needed, though)?

2.) If there is no way to do #1, is using LDAPS the only way to secure authentication requests?

3.) If #3 is the case, and we do have to enable LDAPS on our domain controllers and have a signed (or self-signed) SSL CA certificate, is there anything we’ll have to do on our Windows and other kerberized Linux/MacOS clients to be able to have them continue to authenticate with AD (such as distributing the SSL cert via Group Policy or other means), or will they simply continue to use Kerberos for authentication.

I apologize if these questions have been answered elsewhere or if it sounds elementary. I’m just trying to wrap my head around the totality of what would be needed to get this working correctly.


I believe kerberos/sso will be the only other way to get a secure connection without using ldaps. I don’t think enabling ssl on your dc’s will have any other affect on your clients. we recently enabled it and it had no adverse affect and everyone continued as normal.