FAQs: Secure LDAP service

This feature is available with Cloud Identity Premium edition. Compare editions 

What happens if I suspend the Cloud Identity or Google Workspace user account?

The Secure LDAP service uses Cloud Directory as the basis for authentication, authorization, and directory lookups. Suspended accounts cannot sign in to any applications related to Cloud Identity/Google Workspace, including LDAP applications. While suspended accounts won't be able to verify their passwords with LDAP, they can still be looked up by a client service with an LDAP search.

What happens if I configure a third-party identity provider / SSO provider in Google Workspace or Cloud Identity?

There’s no impact on using Secure LDAP for authentication, authorization, and directory lookups, because third-party identity providers affect only HTTP-based transactions such as SAML-based authentication.

Note: If you want your users to be able to authenticate with Secure LDAP connected applications, make sure they know their Google user name and password, as these credentials (not their third-party identity provider credentials) are needed for authentication. Users cannot access Secure LDAP applications by signing in through a third-party IdP using SSO.

Why do I need both a certificate and access credentials to authenticate LDAP clients?

Only the certificate authenticates the LDAP client. The access credentials only exist if the client insists upon also sending a username and password. On their own, the access credentials don’t confer any access to the LDAP server or user data, but they should be kept secret to prevent them from being used to log in to certain LDAP clients.

In the case where an LDAP client requires access credentials, we authenticate LDAP clients with both certificates and access credentials.

If my LDAP application does not support TLS certificates, is there any alternative?

Yes. You may use stunnel as a proxy between your application and Secure LDAP. For details and instructions, see Use stunnel as a proxy.

I generated access credentials in the past and now I don't remember the password to set up another instance of my LDAP client. Can I generate another set of access credentials?

As an administrator, you may generate another set of access credentials, which will consist of a distinct username/password pair. You may keep a maximum of two credentials active simultaneously. If a credential is compromised or no longer in use, you may delete it.

If I suspect a security issue with an LDAP client, how can I immediately disable it?

If you suspect a security issue with an LDAP client (for example, if certificates or credentials are compromised), you can immediately disable the client by deleting all of the digital certificates associated with it. This is the best way to disable a client immediately, since it may take up to 24 hours for a client to be disabled after turning the service status to Off

For instructions, see Delete certificates.

At a later time, if you want to enable the client, you'll need to generate new certificates and upload the certificates to your LDAP client.

My Linux computers on Google Compute Engine do not have external IP addresses. Can I still connect to the Secure LDAP service?

Yes. If you are using the SSSD module on Linux computers without external IP addresses on Google Compute Engine, you can still connect to the Secure LDAP service as long as you have internal access to Google services enabled. Learn more on configuring private access. For details, see Configuring Private Google Access.

Was this helpful?

How can we improve it?
Clear search
Close search
Google apps
Main menu
Search Help Center