---
title: LDAP access
description: This page describes how to configure LDAP ports for DS servers.
component: pingds
version: 8.1
page_id: pingds:config-guide:ldap-access
canonical_url: https://docs.pingidentity.com/pingds/8.1/config-guide/ldap-access.html
revdate: 2025-10-22T14:42:39Z
keywords: ["Features", "LDAP", "Setup &amp; Configuration"]
section_ids:
  configure-ldap-port: Set the LDAP port
  configure-starttls: Enable StartTLS
  setup-ldaps-port: Set the LDAPS port
  change-ssl-port: Change the LDAPS port
---

# LDAP access

This page describes how to configure LDAP ports for DS servers.

Alternatively, you can configure unified connection handlers to process HTTP and LDAP on the same port. Learn more in [Administrative and unified access](admin-access.html).

## Set the LDAP port

The reserved port number for LDAP is `389`. Most examples in the documentation use `1389`, which is accessible to non-privileged users: on Unix-like systems only a privileged process (root, or on Linux one granted `CAP_NET_BIND_SERVICE`) can bind ports below `1024`, and DS normally runs as an unprivileged user.

1. Change the port number using the `dsconfig` command.

   The following example changes the LDAP port number to `11389`:

   ```console
   $ dsconfig \
    set-connection-handler-prop \
    --hostname localhost \
    --port 4444 \
    --bindDN uid=admin \
    --bindPassword password \
    --handler-name LDAP \
    --set listen-port:11389 \
    --trustStorePath /path/to/opendj/config/keystore \
    --trustStoreType PKCS12 \
    --trustStorePassword:file /path/to/opendj/config/keystore.pin \
    --no-prompt
   ```

2. Restart the connection handler so the change takes effect.

   The new `listen-port` is not applied to the running listener until the handler is restarted. To restart the connection handler, disable it, then enable it again. The `dsconfig` commands use the administration port (`4444` here), not the LDAP port being changed, so they are unaffected by the restart; client connections open on the old LDAP port are dropped when the handler is disabled:

   ```console
   $ dsconfig \
    set-connection-handler-prop \
    --hostname localhost \
    --port 4444 \
    --bindDN uid=admin \
    --bindPassword password \
    --handler-name LDAP \
    --set enabled:false \
    --trustStorePath /path/to/opendj/config/keystore \
    --trustStoreType PKCS12 \
    --trustStorePassword:file /path/to/opendj/config/keystore.pin \
    --no-prompt
   $ dsconfig \
    set-connection-handler-prop \
    --hostname localhost \
    --port 4444 \
    --bindDN uid=admin \
    --bindPassword password \
    --handler-name LDAP \
    --set enabled:true \
    --trustStorePath /path/to/opendj/config/keystore \
    --trustStoreType PKCS12 \
    --trustStorePassword:file /path/to/opendj/config/keystore.pin \
    --no-prompt
   ```

## Enable StartTLS

A StartTLS session begins as a cleartext LDAP connection on the LDAP port. The client sends the StartTLS extended operation (RFC 4511, OID `1.3.6.1.4.1.1466.20037`); once the server accepts it, the TLS handshake runs on the same connection and protects all subsequent traffic with that client. Enabling StartTLS does not by itself force encryption, because the port still accepts cleartext operations from clients that never send the extended operation; if cleartext binds must be rejected, enforce that separately (for example, with a password policy that requires secure authentication):

1. Activate StartTLS on the current LDAP port:

   ```console
   $ dsconfig \
    set-connection-handler-prop \
    --hostname localhost \
    --port 4444 \
    --bindDN uid=admin \
    --bindPassword password \
    --handler-name LDAP \
    --set allow-start-tls:true \
    --set key-manager-provider:PKCS12 \
    --set trust-manager-provider:"JVM Trust Manager" \
    --trustStorePath /path/to/opendj/config/keystore \
    --trustStoreType PKCS12 \
    --trustStorePassword:file /path/to/opendj/config/keystore.pin \
    --no-prompt
   ```

   If the key manager provider holds multiple key pairs that DS could use for TLS whose private keys were generated with the same key algorithm, such as `EC` or `RSA`, specify which key pair to use with the `--set ssl-cert-nickname:server-cert` option, where *server-cert* is the certificate alias of the key pair. The option is not necessary if there is only one server key pair, or if each private key was generated with a different key algorithm.

   The change takes effect immediately; there is no need to restart the server or the connection handler.

## Set the LDAPS port

At setup time, use the `--ldapsPort` option.

Later, follow these steps to set up an LDAPS port:

1. Configure the server to activate LDAPS access:

   ```console
   $ dsconfig \
    set-connection-handler-prop \
    --hostname localhost \
    --port 4444 \
    --bindDN uid=admin \
    --bindPassword password \
    --handler-name LDAPS \
    --set enabled:true \
    --set listen-port:1636 \
    --set use-ssl:true \
    --trustStorePath /path/to/opendj/config/keystore \
    --trustStoreType PKCS12 \
    --trustStorePassword:file /path/to/opendj/config/keystore.pin \
    --no-prompt
   ```

2. If the deployment requires TLS client authentication (mutual TLS), set the `ssl-client-auth-policy` property (`disabled`, `optional`, or `required`) and point `trust-manager-provider` at a trust manager that trusts the CA issuing the client certificates. With `required`, a client that presents no certificate, or one the trust manager does not trust, cannot complete the TLS handshake. Note that a client certificate authenticates the TLS connection only; the LDAP session is still anonymous until the client binds (for example, with SASL EXTERNAL) to act as the identity in that certificate.

## Change the LDAPS port

The reserved port number for LDAPS is `636`. Most examples in the documentation use `1636`, which is accessible to non-privileged users.

1. Change the port number using the `dsconfig` command.

   The following example changes the LDAPS port number to `11636`:

   ```console
   $ dsconfig \
    set-connection-handler-prop \
    --hostname localhost \
    --port 4444 \
    --bindDN uid=admin \
    --bindPassword password \
    --handler-name LDAPS \
    --set listen-port:11636 \
    --trustStorePath /path/to/opendj/config/keystore \
    --trustStoreType PKCS12 \
    --trustStorePassword:file /path/to/opendj/config/keystore.pin \
    --no-prompt
   ```

2. Restart the connection handler so the change takes effect.

   To restart the connection handler, you disable it, then enable it again:

   ```console
   $ dsconfig \
    set-connection-handler-prop \
    --hostname localhost \
    --port 4444 \
    --bindDN uid=admin \
    --bindPassword password \
    --handler-name LDAPS \
    --set enabled:false \
    --trustStorePath /path/to/opendj/config/keystore \
    --trustStoreType PKCS12 \
    --trustStorePassword:file /path/to/opendj/config/keystore.pin \
    --no-prompt
   $ dsconfig \
    set-connection-handler-prop \
    --hostname localhost \
    --port 4444 \
    --bindDN uid=admin \
    --bindPassword password \
    --handler-name LDAPS \
    --set enabled:true \
    --trustStorePath /path/to/opendj/config/keystore \
    --trustStoreType PKCS12 \
    --trustStorePassword:file /path/to/opendj/config/keystore.pin \
    --no-prompt
   ```
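The four procedures on this page (setting the LDAP port, enabling StartTLS, setting the LDAPS port and changing it) repeat the same `dsconfig` connection options and the same disable/enable restart, and none of them checks from the client side that the listener does what was intended. The following POSIX shell script is an added example, not part of the DS documentation or product: it wraps `dsconfig set-connection-handler-prop` with the page's connection options, refuses privileged ports, performs the restart after a port change, applies the StartTLS settings from the "Enable StartTLS" section, and then verifies StartTLS and LDAPS from outside with `openssl s_client`. The administration port `4444`, bind DN `uid=admin`, handler names `LDAP`/`LDAPS` and the keystore paths are the page's; the host name `ds.example.com`, the `admin.pin` and `ca.pem` file names, the `DRY_RUN` switch and the helper function names are assumptions of this example. It reads the bind password with `--bindPasswordFile` rather than passing it on the command line as the page's examples do, so the password does not appear in the process list.

```shell
#!/bin/sh
# Added example: helpers for changing DS LDAP/LDAPS listen ports and checking
# the result from a client. Not DS code; adapt the assumed values below.
set -u

DS_ADMIN_HOST="${DS_ADMIN_HOST:-localhost}"
DS_ADMIN_PORT="${DS_ADMIN_PORT:-4444}"
DS_BIND_DN="${DS_BIND_DN:-uid=admin}"
DS_BIND_PW_FILE="${DS_BIND_PW_FILE:-/path/to/opendj/config/admin.pin}"  # assumed file name
DS_TRUSTSTORE="${DS_TRUSTSTORE:-/path/to/opendj/config/keystore}"
DS_TRUSTSTORE_PIN="${DS_TRUSTSTORE_PIN:-/path/to/opendj/config/keystore.pin}"
CA_FILE="${CA_FILE:-/path/to/ca.pem}"  # CA that issued the server certificate (assumed)

# Ports below 1024 need root (or CAP_NET_BIND_SERVICE on Linux); DS normally
# runs unprivileged, so accept only numeric ports in 1024..65535.
unprivileged_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# dsconfig set-connection-handler-prop with the page's shared options.
# $1 = handler name (LDAP or LDAPS); the rest are "--set property:value" pairs.
# DRY_RUN=1 prints the handler and properties instead of contacting the server.
set_handler_prop() {
  handler="$1"; shift
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '%s %s\n' "$handler" "$*"
    return 0
  fi
  dsconfig set-connection-handler-prop \
    --hostname "$DS_ADMIN_HOST" --port "$DS_ADMIN_PORT" \
    --bindDN "$DS_BIND_DN" --bindPasswordFile "$DS_BIND_PW_FILE" \
    --handler-name "$handler" "$@" \
    --trustStorePath "$DS_TRUSTSTORE" --trustStoreType PKCS12 \
    --trustStorePassword:file "$DS_TRUSTSTORE_PIN" --no-prompt
}

# A listen-port change is not applied until the handler is disabled and enabled
# again. dsconfig talks to the administration port, so it is unaffected; clients
# connected to the old port are dropped when the handler is disabled.
change_listen_port() {
  handler="$1"; port="$2"
  if ! unprivileged_port "$port"; then
    echo "refusing port '$port': use 1024-65535" >&2
    return 1
  fi
  set_handler_prop "$handler" --set "listen-port:$port" &&
    set_handler_prop "$handler" --set enabled:false &&
    set_handler_prop "$handler" --set enabled:true
}

# Same settings as the "Enable StartTLS" section; no restart is needed.
enable_starttls() {
  set_handler_prop LDAP --set allow-start-tls:true \
    --set key-manager-provider:PKCS12 \
    --set "trust-manager-provider:JVM Trust Manager"
}

# Client-side checks with openssl s_client ("-starttls ldap" needs OpenSSL 1.1.1+).
# -verify_return_error aborts the handshake on an untrusted certificate instead of
# only printing a warning, and -verify_hostname checks the name in the certificate,
# so exit status 0 means the listener presented a certificate a real client
# would accept for that host.
verify_starttls() {  # $1 host, $2 LDAP port
  openssl s_client -connect "$1:$2" -starttls ldap -verify_hostname "$1" \
    -CAfile "$CA_FILE" -verify_return_error </dev/null >/dev/null 2>&1
}
verify_ldaps() {     # $1 host, $2 LDAPS port
  openssl s_client -connect "$1:$2" -verify_hostname "$1" \
    -CAfile "$CA_FILE" -verify_return_error </dev/null >/dev/null 2>&1
}

# Usage (assumed host name):
#   change_listen_port LDAP 11389 && enable_starttls && verify_starttls ds.example.com 11389
#   change_listen_port LDAPS 11636 && verify_ldaps ds.example.com 11636
```

Run `DRY_RUN=1 change_listen_port LDAPS 11636` first to see the three property changes that will be made, then without `DRY_RUN` against the server. A failing `verify_ldaps` after a successful port change usually means the new port is blocked by a host or network firewall, or that `CA_FILE` is not the CA that issued the key pair named by `ssl-cert-nickname`.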
