
How to perform hardening on your Nodinite LDAP Web API

Protect your integration environment and ensure compliance by hardening your Nodinite LDAP Web API installation. This guide shows you how to enforce HTTPS, manage certificates, and restrict access for maximum security.

✅ Enforce HTTPS for all LDAP Web API traffic
✅ Secure and manage SSL/TLS certificates for compliance
✅ Restrict access by IP and protect Swagger endpoints
✅ Meet enterprise security policies and best practices

Important

Always use a certificate to enable the HTTPS protocol for secure communication.

Do use HTTPS

You should always use server-based certificates to enforce the HTTPS protocol and protect the privacy and integrity of data sent between the Client/Consumer and the LDAP Web API.

If you have a DNS/Alias name for your certificate, you can create a dedicated IIS website with HTTPS binding. Self-signed certificates work for development, but we strongly recommend valid certificates from a trusted Certificate Authority for production environments.

Add Web Site
Screenshot: Add a secure website in IIS for the Nodinite LDAP Web API.

  1. Select HTTPS and port 443
  2. Enter your DNS name (must match your SSL certificate)
  3. Select the certificate to use from the dropdown

Require SSL

By default, IIS applications do not require SSL.

Default SSL
Screenshot: Default SSL setting in IIS - not required.

You should enable the Require SSL option. To do so, first install a valid certificate (see the Install certificate section below).

SSL Required
Screenshot: SSL required setting enabled in IIS.

To enable the Require SSL setting in IIS:

  1. Select your LDAP Web API application in IIS Manager
  2. Double-click SSL Settings
  3. Check the Require SSL checkbox
  4. Click Apply in the Actions pane
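
The same binding and Require SSL settings can be scripted with the WebAdministration module. This is an added example, not part of the Nodinite documentation. The site name and DNS name are placeholders, the application path is taken from the Swagger URL on this page, and the site and a matching certificate in LocalMachine\My are assumed to exist already.

```powershell
# Added example: names below are assumptions, adjust before use.
Import-Module WebAdministration

$siteName = 'Nodinite LDAP Web API'   # hypothetical dedicated IIS site name
$appPath  = "$siteName/LDAPAdapter"   # application path as in the Swagger URL on this page
$dnsName  = 'ldapapi.example.com'     # placeholder; must match the certificate

# Newest unexpired certificate in LocalMachine\My whose DNS names include $dnsName
# (exact match only; a wildcard certificate needs its own comparison).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.NotAfter -gt (Get-Date) -and $_.DnsNameList.Unicode -contains $dnsName } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No unexpired certificate for $dnsName in LocalMachine\My" }

# Refuse SHA-1 signed certificates, which this guide notes are deprecated.
if ($cert.SignatureAlgorithm.FriendlyName -match '^sha1') {
    throw "Certificate $($cert.Thumbprint) is signed with $($cert.SignatureAlgorithm.FriendlyName)"
}

# "Add Web Site" steps: HTTPS binding on 443 for the DNS name, with the certificate.
# Only done when the binding is missing, so an existing binding is left untouched.
$binding = Get-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $dnsName
if (-not $binding) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $dnsName -SslFlags 1  # 1 = SNI
    $binding = Get-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $dnsName
    $binding.AddSslCertificate($cert.Thumbprint, 'My')
}

# "Require SSL" checkbox: sslFlags = Ssl on the application.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $appPath `
    -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'

# Read the setting back so the change can be confirmed.
Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $appPath `
    -Filter 'system.webServer/security/access' -Name 'sslFlags'
```

Run it from an elevated PowerShell session on the IIS server.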

Install certificate

Internet Information Services (IIS) Server Certificate Installation Instructions

Certificate Installation Steps

  1. Ensure static IP or DNS
    Make sure the IIS server hosting the LDAP Web API has a static IP address. Dynamic assignment of IP addresses requires a dynamic DNS solution.

  2. Create DNS record
    Create a DNS record (A or CNAME) pointing to the LDAP Web API server.

  3. Obtain a valid certificate
    Create or obtain a valid certificate. Note: SHA1-based certificates are deprecated (see SHA1 Deprecation Guide).

    • Option A: Reuse certificates from existing company policies or internal Certificate Authority
    • Option B: Issue and manage a free certificate using Let's Encrypt. For IIS, you can use Certify SSL Manager for automated certificate management.
    • Option C: For development only, create a self-signed certificate:
    New-SelfSignedCertificate -DnsName "localhost" -CertStoreLocation "cert:\LocalMachine\My"
    

    Note

    Self-signed certificates must be added to the Trusted Root Certification Authorities store (local computer) and need periodic renewal.

  4. Install the certificate in IIS
    Follow Microsoft's guide: How to Set Up SSL on IIS

  5. Redirect HTTP to HTTPS (optional)
    Redirect incoming HTTP calls to HTTPS. This requires the URL Rewrite Module 2.1 for IIS.

Example: URL Rewrite Rule for HTTPS Redirect

Add this to your web.config file in the LDAP Web API application root:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="Redirect to HTTPS" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="^OFF$" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>

Note

This redirect rule automatically forwards all HTTP traffic to HTTPS, ensuring encrypted communication.

Restrict users by IP

The LDAP Web API does not use authentication by default, so you may need to restrict access by TCP/IP range or specific IP addresses.

Microsoft provides detailed instructions for configuring IIS to restrict access by IP Address. Review the user guide: IIS 8.0 Dynamic IP Address Restrictions

Steps to Configure IP Restrictions

  1. Open IIS Manager
  2. Select your LDAP Web API application
  3. Double-click IP Address and Domain Restrictions
  4. In the Actions pane, click Add Allow Entry... or Add Deny Entry...
  5. Specify:
    • Specific IP address (e.g., 192.168.1.100)
    • IP address range (e.g., 192.168.1.0/24)
    • Domain name (requires reverse DNS lookup)

Tip

Use a "deny by default, allow specific IPs" approach for maximum security. Add a Deny entry for all unspecified clients, then explicitly allow only your integration servers.
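
The deny-by-default approach from the tip above, scripted with the WebAdministration module. This is an added example, not part of the Nodinite documentation. It assumes the IIS "IP and Domain Restrictions" feature is installed, uses a hypothetical site name, and reuses the sample addresses from the steps above.

```powershell
# Added example: site name is an assumption; addresses are the samples from this page.
Import-Module WebAdministration

$appPath = 'Nodinite LDAP Web API/LDAPAdapter'   # hypothetical site name + application path
$filter  = 'system.webServer/security/ipSecurity'
$allow   = @(
    @{ ipAddress = '192.168.1.100' }                               # single address
    @{ ipAddress = '192.168.1.0'; subnetMask = '255.255.255.0' }   # 192.168.1.0/24
)

# Deny by default: clients not matched by an allow entry are rejected.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $appPath -Filter $filter `
    -Name 'allowUnlisted' -Value $false

# Add each allow entry once, so the script can be re-run safely.
foreach ($entry in $allow) {
    $xpath = "$filter/add[@ipAddress='$($entry.ipAddress)']"
    if (-not (Get-WebConfiguration -PSPath 'IIS:\' -Location $appPath -Filter $xpath)) {
        Add-WebConfiguration -PSPath 'IIS:\' -Location $appPath -Filter $filter `
            -Value ($entry + @{ allowed = 'true' })
    }
}

# List the resulting entries for review.
Get-WebConfiguration -PSPath 'IIS:\' -Location $appPath -Filter "$filter/add" |
    Select-Object ipAddress, subnetMask, allowed
```

If the API sits behind a reverse proxy or load balancer, IIS sees the proxy's address rather than the client's. In that case the `enableProxyMode` attribute of `ipSecurity` is needed for the allow list to apply to the forwarded client address.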

Swagger

The LDAP Web API supports Swagger for API documentation and testing. You can access it by adding /swagger to the base URL.

Important

Only developers and authorized personnel should access the Swagger endpoint. Consider restricting access using IP restrictions or removing the Swagger endpoint in production environments.

Access Swagger at: https://yourdomain.com/LDAPAdapter/swagger/ (replace with your actual URL)

Swagger
Screenshot: Secure access to Swagger documentation for the Nodinite LDAP Web API.

Disable Swagger in Production (Optional)

For production environments, you may want to disable Swagger entirely. This can be configured in the application's startup configuration or web.config file by removing or commenting out the Swagger middleware registration.

