I'm wanting to set up secure LDAP authentication with an external service provider. The end user currently uses unsecured LDAP to the service provider. The service provider admits the way it had been originally implemented exposes credentials via packet capture.
I've reviewed: https://support.microsoft.com/en-us/help/321051/how-to-enable-ldap-over-ssl-with-a-third-party-certification-authority
Their local domain is a *.local. The product manufacturer requires an SSL certificate that is signed by a valid certificate authority. This is good. I can create an SSL cert for the domain, but it won't match what the Directory Service has.
I'm not sure exactly how the external auth is presented to the LDAP server, if it's just passing the user name with domain name appended or if it verifies the LDAP server first.
Questions - Do I need to rename the domain to match? Would adding a UPN suffix allow for a work-around?
Edit: External access through the Internet is required, thus the desire to secure LDAP.
Put a TLS proxy in between (for example HAProxy in TCP mode) and publish it with a proper DNS name (for example ldap.mycompany.com) and certificate.
Backend LDAP traffic can still be plaintext or use internal name (.local) with self-signed or internal CA certificate.
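A worked configuration for the proxy the answer describes, added here as an example and not part of the answer or of any HAProxy project documentation. It assumes HAProxy 2.x, the public name ldap.mycompany.com from the answer, a PEM bundle at /etc/haproxy/certs/ldap.mycompany.com.pem (CA-signed server certificate, chain and key), placeholder domain controllers dc1.corp.local and dc2.corp.local, and an internal CA file at /etc/haproxy/certs/internal-ca.pem; all of those names and paths are assumptions.

```haproxy
# Added example (not the answer's own config): HAProxy in TCP mode terminating
# LDAPS on the public side and forwarding to internal domain controllers.
# Assumed names/paths:
#   ldap.mycompany.com                           public name (from the answer)
#   /etc/haproxy/certs/ldap.mycompany.com.pem    CA-signed cert + chain + key
#   dc1.corp.local, dc2.corp.local               placeholder internal DCs
#   /etc/haproxy/certs/internal-ca.pem           internal CA that signed the DC certs

global
    log stdout format raw local0
    # Refuse legacy protocol versions on the public listener
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    mode tcp
    log global
    option tcplog
    timeout connect 5s
    timeout client 300s
    timeout server 300s

# Public side: only LDAPS (636) is published, presenting the public certificate.
# Plain LDAP on 389 is deliberately not exposed, so no bind can cross the
# Internet in the clear.
frontend ldaps_public
    bind *:636 ssl crt /etc/haproxy/certs/ldap.mycompany.com.pem
    default_backend ldap_dcs

# Internal side, option A: re-encrypt to the DCs on 636 and verify their
# internally issued certificates (chain and hostname) against the internal CA.
backend ldap_dcs
    balance roundrobin
    # LDAPv3 anonymous-bind health check, so a DC that stops answering LDAP is pulled
    option ldap-check
    server dc1 dc1.corp.local:636 check ssl verify required ca-file /etc/haproxy/certs/internal-ca.pem verifyhost dc1.corp.local
    server dc2 dc2.corp.local:636 check ssl verify required ca-file /etc/haproxy/certs/internal-ca.pem verifyhost dc2.corp.local

# Internal side, option B: the answer's "can still be plaintext" variant.
# Binds then cross the proxy-to-DC segment with the password in the clear, so
# this is only reasonable when the proxy sits on the same trusted network as the DCs.
# backend ldap_dcs
#     balance roundrobin
#     option ldap-check
#     server dc1 dc1.corp.local:389 check
#     server dc2 dc2.corp.local:389 check
```

Validate the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading, and confirm the public side from outside with `openssl s_client -connect ldap.mycompany.com:636`, checking that the chain presented is the CA-signed one. The certificate only has to match the name the client connects to (ldap.mycompany.com), not the internal .local name; the directory still evaluates the bind DN or UPN carried inside the LDAP bind, which is why the internal domain does not need renaming for this arrangement.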