Hi, I tried to install a system with an already installed LDAP server (Domino, Active Directory) on 389 only and then 636 only.
The TDI installation uses a Jinja2 template for profiles_tdi.properties https://github.com/HCL-TECH-SOFTWARE/connections-automation/blob/6284e97dc630da1d84ba873d066be366655e8694/roles/third_party/ibm/tdi-install/templates/profiles_tdi.properties.j2#L19 which has no option for LDAPS.
Here it needs 3 steps:
LDAP without SSL is not possible in production environments.
WAS ND deployment makes it weird.
The LDAP server is added without SSL and port 389 here: https://github.com/HCL-TECH-SOFTWARE/connections-automation/blob/6284e97dc630da1d84ba873d066be366655e8694/roles/third_party/ibm/wasnd/was-dmgr-config-ldap/templates/was_config_ldap.py.j2#L4
But here https://github.com/HCL-TECH-SOFTWARE/connections-automation/blob/6284e97dc630da1d84ba873d066be366655e8694/roles/third_party/ibm/wasnd/was-dmgr-import-tls-cert/templates/was_import_tls_cert.py.j2#L2 the LDAPS root certificate is imported.
So, same as in TDI, I would recommend using 636 only (or with variable). The import of the TLS cert should only happen when port 636 or ldap_tls_enable=true is set.
You see, the setup is only possible if both protocols are enabled, but only the unencrypted connection is used.
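One way to express that recommendation in the role's task list, as an added illustration that is not code from connections-automation: the TLS cert import is gated on the same switch that selects port 636, and a plaintext bind can be refused outright. Only ldap_tls_enable and the two template file names come from the thread; ldap_host, ldap_port, ldap_require_tls, the derived facts and the destination paths are assumptions.

```yaml
# Added illustration, not from the connections-automation roles.
# Assumed inventory variables: ldap_port (default 389), ldap_tls_enable,
# ldap_require_tls. Only ldap_tls_enable is mentioned in the issue.
- name: Decide whether this deployment talks LDAPS
  ansible.builtin.set_fact:
    __ldap_use_tls: "{{ (ldap_tls_enable | default(false) | bool)
                        or (ldap_port | default(389) | int == 636) }}"

- name: Pick the effective port (636 whenever TLS is on, no 389-plus-TLS mix)
  ansible.builtin.set_fact:
    __ldap_effective_port: "{{ 636 if (__ldap_use_tls | bool)
                               else (ldap_port | default(389) | int) }}"

- name: Refuse a plaintext bind where the inventory demands TLS (production)
  ansible.builtin.assert:
    that: __ldap_use_tls | bool
    fail_msg: >-
      LDAP would bind on port {{ __ldap_effective_port }} without TLS,
      but ldap_require_tls is set for this environment.
  when: ldap_require_tls | default(false) | bool

- name: Render the wsadmin LDAP registry script with the effective port/TLS flag
  ansible.builtin.template:
    src: was_config_ldap.py.j2          # template linked in the issue
    dest: /tmp/was_config_ldap.py       # destination path assumed
    mode: "0600"

- name: Import the LDAPS root certificate only when TLS is actually in use
  ansible.builtin.template:
    src: was_import_tls_cert.py.j2      # template linked in the issue
    dest: /tmp/was_import_tls_cert.py   # destination path assumed
    mode: "0600"
  when: __ldap_use_tls | bool
```

With this layout an inventory that sets neither ldap_tls_enable nor port 636 never runs the cert import, and one that sets ldap_require_tls fails before any registry is configured on 389.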