LDAPS for Active Directory Connectors: Secure by Default

November 12, 2025 · GrantFlow Team

GrantFlow Active Directory agents now connect to domain controllers over LDAPS — the encrypted, certificate-authenticated form of LDAP — using the certificate store already present on the agent host.

The problem

Unencrypted LDAP exposes directory queries and authentication traffic on the wire. Switching to LDAPS has historically meant configuring each connecting system individually and ensuring the right CA certificates are trusted. For organizations with internal or private CAs, that trust is already established on domain-joined servers — but it hadn't been consistently used by the GrantFlow agent.

What's new

The GrantFlow AD agent now establishes LDAPS connections to domain controllers and validates server certificates against the OS certificate store on the agent host. No separate certificate distribution or configuration in the GrantFlow portal is needed.

For most environments this means LDAPS works out of the box:

  • Domain-joined agent hosts already trust the internal CA through Group Policy certificate distribution
  • Custom or private CAs are supported by installing the root and intermediate certificates into the Windows certificate store (or the system trust store on Linux) on the agent host using your standard IT processes
  • Public CA-issued domain controller certificates are trusted automatically

How to verify

Once your agent is running on a host that trusts your domain controller's CA, LDAPS is used automatically. You can confirm the connection type in the agent logs, where successful LDAPS connections are recorded alongside the domain controller address and port (636).

If the agent can't establish a trusted LDAPS connection, it logs a clear error referencing the certificate validation failure so you know exactly which certificate in the chain is missing or expired.
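As an independent check from the agent host, the following added PowerShell script (not part of the GrantFlow agent or its documentation) opens an LDAPS session to a domain controller and then builds the server's certificate chain from the host's own trust store, the same store the agent relies on; the per-element status names the certificate that is missing or expired. The script name and the $DomainController parameter are assumptions.

```powershell
# Added check (not GrantFlow code). Run on the agent host, e.g.
#   .\Test-LdapsTrust.ps1 -DomainController dc01.corp.example
param(
    [Parameter(Mandatory)][string]$DomainController,
    [int]$Port = 636   # LDAPS port, as recorded in the agent log entries
)

$client = [System.Net.Sockets.TcpClient]::new($DomainController, $Port)
# Accept any certificate during the handshake so we can capture it; the real trust
# verdict is computed below with X509Chain against this host's certificate stores.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $acceptAll)
try {
    # The target name must match a SAN on the DC certificate, so pass the FQDN, not an IP.
    $ssl.AuthenticateAsClient($DomainController)
    $serverCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    "TLS {0} negotiated with {1}:{2}" -f $ssl.SslProtocol, $DomainController, $Port
}
finally {
    $ssl.Dispose()
    $client.Dispose()
}
if (-not $serverCert) { throw "No server certificate captured from $DomainController" }

# Build the chain the way an OS-store-reliant client does: root and intermediate
# certificates must be found in this host's trust store, not taken from the server hello.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$trusted = $chain.Build($serverCert)

$chain.ChainElements | ForEach-Object {
    [pscustomobject]@{
        Subject  = $_.Certificate.Subject
        Issuer   = $_.Certificate.Issuer
        NotAfter = $_.Certificate.NotAfter
        Status   = if ($_.ChainElementStatus) { $_.ChainElementStatus.Status -join ', ' } else { 'OK' }
    }
} | Format-Table -AutoSize

if ($trusted) {
    "Chain trusted by this host: the agent can use LDAPS to $DomainController."
} else {
    # The Status column above names the failing element (for example UntrustedRoot,
    # PartialChain or NotTimeValid), which tells you what to install or renew.
    Write-Warning "Chain NOT trusted by this host; fix the flagged element in the host trust store."
}
```

Chain building here uses the current user's view of the stores; LocalMachine roots and intermediates installed per the list above are visible to every user, so a pass here reflects what the agent's service account also sees.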

See the AD Connector Network guide and AD Connector Permissions guide for the full prerequisites.

Why this matters

Using the OS certificate store keeps certificate trust management where it already lives — in your existing PKI and Group Policy infrastructure — rather than duplicating it in a separate system. Administrators use the same certificate deployment processes they already know, and the agent benefits from any CA certificate rotations automatically once the host trust store is updated.

What's next

We're working on surfacing the active LDAPS connection status and certificate details for each connector directly in the GrantFlow admin portal, so you can verify trust without inspecting agent logs.