To enable a simple and secure configuration when using the D2L Lightweight Directory Access Protocol (LDAP) Authentication method, your LDAP server should be publicly accessible and have an SSL certificate installed. Using a certificate generated by a Public Certificate Authority means you are not required to coordinate with D2L to renew certificates, as we maintain a store of public root certificates to validate SSL connections.
Note: As of December 31, 2020, for new implementations and certificate renewals, D2L will no longer accept or store self-signed certificates or communication over insecure ports.
To ensure your LDAP server is available and secure, you must do the following:
- Create a public DNS record for the LDAP server Hostname.
- Obtain a publicly-signed certificate from a Certificate Authority and install it on the LDAP server.
Note: The certificate must include the hostname of the LDAP server in the SAN (Subject Alternative Name), which takes precedence over the Subject/CN and allows for specifying multiple host names.
- Encrypt transmission via LDAPS over a secure port or via StartTLS over an insecure port.
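The three requirements above (public hostname, a publicly trusted certificate whose SAN carries that hostname, and LDAPS or StartTLS) can be checked from an administrator's workstation before the integration is requested. The script below is an added example, not D2L's code or tooling: it fetches the server certificate over LDAPS (or after an LDAP StartTLS extended operation on port 389) using Python's system trust store, then reports whether the SAN contains the hostname and whether the certificate is self-signed. The hostname `ldap.example.edu` and the `SAMPLE_CERT` dictionary are constructed placeholders; how D2L itself validates certificates is not described beyond what the page states.

```python
"""Pre-flight check for an LDAP server's TLS certificate (added example, not D2L's tooling)."""
import socket
import ssl
import time

# LDAP StartTLS extended operation, RFC 4511 / RFC 4513 (OID 1.3.6.1.4.1.1466.20037).
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


def starttls_request(message_id=1):
    """BER-encode LDAPMessage { messageID, ExtendedRequest { requestName = StartTLS OID } }."""
    request_name = b"\x80" + bytes([len(STARTTLS_OID)]) + STARTTLS_OID   # [0] requestName
    extended_req = b"\x77" + bytes([len(request_name)]) + request_name    # [APPLICATION 23]
    body = b"\x02\x01" + bytes([message_id]) + extended_req               # INTEGER messageID
    return b"\x30" + bytes([len(body)]) + body                            # SEQUENCE


def san_dns_names(cert):
    """DNS entries from the SAN extension, in the dict layout returned by ssl getpeercert()."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def hostname_matches_san(hostname, cert):
    """True if hostname matches a SAN DNS entry; a wildcard covers exactly one left-most label."""
    hostname = hostname.lower()
    for pattern in san_dns_names(cert):
        pattern = pattern.lower()
        if pattern == hostname:
            return True
        if pattern.startswith("*.") and hostname.endswith(pattern[1:]) \
                and hostname.count(".") == pattern.count("."):
            return True
    return False


def is_self_signed(cert):
    """A self-signed certificate names itself as issuer (sufficient for this check)."""
    return cert.get("subject") == cert.get("issuer")


def check_certificate(hostname, cert, now=None):
    """Return a list of findings; an empty list means the page's requirements are met."""
    findings = []
    if not san_dns_names(cert):
        findings.append("certificate has no DNS entries in its SAN extension")
    elif not hostname_matches_san(hostname, cert):
        findings.append("hostname %s is not covered by the SAN (CN alone is not enough)" % hostname)
    if is_self_signed(cert):
        findings.append("certificate is self-signed; obtain one from a public CA")
    if "notAfter" in cert:
        expiry = ssl.cert_time_to_seconds(cert["notAfter"])
        if expiry < (now if now is not None else time.time()):
            findings.append("certificate expired on %s" % cert["notAfter"])
    return findings


def fetch_ldap_certificate(hostname, port=636, starttls=False, timeout=10):
    """Connect over LDAPS (636) or plain LDAP + StartTLS (389) and return the verified peer cert.

    create_default_context() uses the local public root store and rejects chains it cannot
    validate, so a self-signed certificate or a SAN mismatch raises ssl.SSLError here.
    """
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        if starttls:
            raw.sendall(starttls_request())
            reply = raw.recv(4096)
            # ExtendedResponse carries resultCode as ENUMERATED; 0a 01 00 is "success".
            if b"\x0a\x01\x00" not in reply:
                raise RuntimeError("LDAP server refused StartTLS: %r" % reply[:64])
        with context.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample in getpeercert() layout: public issuer, hostname present in the SAN.
SAMPLE_CERT = {
    "subject": ((("commonName", "ldap.example.edu"),),),
    "issuer": ((("organizationName", "Example Public CA"),),),
    "subjectAltName": (("DNS", "ldap.example.edu"), ("DNS", "*.example.edu")),
    "notAfter": "Jan 15 00:00:00 2099 GMT",
}

if __name__ == "__main__":
    print("offline sample:", check_certificate("ldap.example.edu", SAMPLE_CERT) or "OK")
    # Live check (requires the public DNS record and an open port):
    # print(check_certificate("ldap.example.edu", fetch_ldap_certificate("ldap.example.edu")))
```

Run the live check once over port 636 and, if the server is offered on 389 with StartTLS, once with `starttls=True`; an `ssl.SSLError` from `fetch_ldap_certificate` means the certificate would also fail validation against a public root store, which is the situation the note above says D2L no longer accepts.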
For further details on LDAP configuration, see the LDAP Integration - Best Practices article on Brightspace Community.
For further details on supported Certificate Authorities, refer to the Microsoft Trusted Root Program – List of Participants article.