Hello Everyone. I am sending this message as I am a little doubtful about a situation I have.
I need a better understanding of the requirements for LDAPS communication on AnyConnect VPN authorization checks for 9.14 release codebases and above on the ASA platform. During prior upgrades, we have hit a number of cross-incompatibilities with different components of the ASA system, most recently with enforcement of secure communication in a stricter manner after upgrading the codebase.
A rollback was performed, but based on the issue presentation, I wanted to ensure the certificate for import to establish a trust relationship was correctly understood. Is it the case that for LDAPS to function for Authorization WITH secure enforcement on, we simply need to import the Intermediate (or other components of the chain) certificate which signed the certificate of the endpoint we are attempting to connect to, similar to a trustpoint for the frontend communication with VPN clients? Otherwise, would there be any other requirements to ensure the LDAPS protocol is able to adequately fetch the authorization information from the directory server?
This was where we were curious if the 9.12 hotfixed code would behave the same way as the earlier 9.12 version we are on now, as this has a desirable behavior to run encrypted LDAP, but without hard enforcement of the trusted state of the server certificate (which does not persist when stepping to 9.14 - changed to hard enforcement). Otherwise, on 9.14 (including the .23 revision), I was curious if there was a way to run a non-validated LDAPS communication in the same manner, or if a plaintext scenario might still be safe, given it is internal only traffic on the customer environment.
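As an added illustration of the trust-anchor question in the post (this is not part of the original post and is not Cisco ASA code, whose trustpoint rules it does not reproduce): the script below builds a constructed three-tier chain with OpenSSL (a root CA, an intermediate CA, and a server certificate for the made-up directory host `ldap.example.internal`) and then uses `openssl verify` as a stand-in for a strictly validating LDAPS client. It shows three outcomes a practitioner checks before turning on hard enforcement: the server certificate fails when only the root is trusted and the intermediate is not available, passes when the root is trusted and the intermediate is supplied, and passes when the intermediate itself is installed as the trust anchor. All names and the chain are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post. Constructs a root -> intermediate
# -> LDAPS server chain and checks which trust anchor lets the server cert
# validate, the way a strict LDAPS client must be able to before it queries.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed root CA (self-signed, explicitly marked as a CA)
openssl req -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
  -subj "/CN=Example Root CA" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl x509 -req -in root.csr -signkey root.key -out root.pem -days 2 \
  -extfile ca.ext 2>/dev/null

# Constructed intermediate CA, signed by the root
openssl req -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
  -subj "/CN=Example Intermediate CA" 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -out inter.pem -days 2 -extfile ca.ext 2>/dev/null

# Constructed LDAPS server leaf (hostname is made up), signed by the intermediate
openssl req -newkey rsa:2048 -nodes -keyout ldap.key -out ldap.csr \
  -subj "/CN=ldap.example.internal" 2>/dev/null
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:ldap.example.internal\n' > leaf.ext
openssl x509 -req -in ldap.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -out ldap.pem -days 2 -extfile leaf.ext 2>/dev/null

# Case 1: only the root is trusted and the server does not present the
# intermediate. The chain cannot be built, so validation fails.
verify_root_only() {
  openssl verify -CAfile root.pem ldap.pem >/dev/null 2>&1
}

# Case 2: the root is trusted and the intermediate is available (as a server
# would send it in the TLS handshake). Validation succeeds.
verify_root_plus_intermediate() {
  openssl verify -CAfile root.pem -untrusted inter.pem ldap.pem >/dev/null 2>&1
}

# Case 3: the intermediate that signed the server cert is itself installed as
# the trust anchor. OpenSSL needs -partial_chain to stop at a non-root anchor.
verify_intermediate_anchor() {
  openssl verify -CAfile inter.pem -partial_chain ldap.pem >/dev/null 2>&1
}

report() {
  if "$1"; then echo "$2: validated"; else echo "$2: REJECTED"; fi
}

report verify_root_only              "root anchor, intermediate missing   "
report verify_root_plus_intermediate "root anchor, intermediate presented "
report verify_intermediate_anchor    "intermediate installed as anchor    "
```

The failing first case is the one that surfaces when a client moves from lax to strict validation: the directory server's certificate is unchanged, but the client can no longer complete the chain to what it trusts. Capturing the chain the server actually sends (for example with `openssl s_client -showcerts`) before an upgrade tells you whether the intermediate needs to be imported on the client side or presented by the server.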