
RE: TSL / SSL



Ah, that makes perfect sense.  So the only thing that is deprecated is the use of a separate port for SSL encryption.  Is this only the case in 2.1, or does it apply to 2.0 as well?  And if I wanted to restrict access to encrypted traffic only, would the following lines I stole from a post by Kurt Zeilenga do the trick in 2.0?
   access to *
       by ssf=128 self write
       by ssf=64 anonymous auth
       by ssf=64 users read
Thanks,
Jason

-----Original Message-----
From: Howard Chu [mailto:hyc@highlandsun.com]
Sent: Sunday, June 16, 2002 6:03 PM
To: Jason Corley; Kurt D. Zeilenga; openldap-software@OpenLDAP.org
Subject: RE: TSL / SSL


> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Jason Corley

> I'm a little confused by the word "deprecated" here in reference
> to ldaps.  I thought ldaps was ssl encrypted openldap traffic?  I
> guess I'm not understanding what the proper way to configure
> openldap and/or initiate encrypted traffic is based on this
> statement.  Pointers to documentation more than welcome.

The practice of using ldaps, i.e. LDAP on SSL, arose with LDAPv2. It was
never formally documented as a standard. A listener port that is configured
for ldaps can only accept SSL connections, not cleartext connections.

The LDAPv3 standard defined a new LDAP request called StartTLS that can
be sent after a connection is established. So a single cleartext listener
port can be used to handle both cleartext sessions and TLS-encrypted
sessions. This approach is more flexible, as it doesn't require a
dedicated listener port for encrypted sessions.

Once the encrypted session has been established, there's no difference
between the two methods.

> -----Original Message-----
> From:	Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org]
> Sent:	Sat 6/15/2002 9:33 PM
> To:	Benoit LEROYER
> Cc:	Informations; openldap-software@OpenLDAP.org
> Subject:	Re: TSL / SSL
> At 10:07 AM 2002-06-14, Benoit LEROYER wrote:
> >What is the difference between starttls et ldaps ?
>
> Start TLS (RFC 2830) is the standard track mechanism,
> an LDAP operation, used to establish TLS.
>
> ldaps:// is a deprecated, non-standard track mechanism
> for establishing TLS based upon mutually agreed upon
> TCP service ports.
>
> OpenLDAP supports both mechanisms.
>
> Kurt
>
> >Kurt D. Zeilenga wrote:
> >
> >>At 09:46 AM 2002-06-14, Informations wrote:
> >>
> >>>If I use only the ldaps protocol (openldap compiled with openssl)
> >>>with crypt Userpassword, is it secure?
> >>>if not what is the better solution ?
> >>Better, as in stronger?  The strongest authentication
> >>mechanism supported by OpenLDAP is StartTLS+SASL/EXTERNAL.
> >>
> >
> >
> >--
> >------------------------------------------
> >Benoit LEROYER - G.I.D.E (benoit@gide.net)
> >Tél : 02.40.89.92.87
> >Web : http://www.gide.net
> >------------------------------------------
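The StartTLS exchange Howard describes above, as an added example that is not part of this thread or of OpenLDAP's own code: the client sends an LDAP ExtendedRequest carrying the Start TLS OID from RFC 2830 over the ordinary cleartext port, waits for the ExtendedResponse, and only on resultCode 0 wraps the very same socket in TLS. The BER encoder/decoder here is deliberately minimal (single-byte message IDs, no referral handling beyond skipping it); the two response byte strings are constructed by hand for this example, not captured from a server, and `start_tls()` assumes you supply an already-connected socket plus a CA file you trust.

```python
"""Minimal StartTLS (RFC 2830) request/response handling over a plain LDAP socket.

Added example, not OpenLDAP code.  Wire format is LDAPv3 BER (RFC 2251/2830).
"""
import socket
import ssl

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"   # Start TLS extended operation OID (RFC 2830)


def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value


def build_starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }.

    message_id is encoded as a single INTEGER octet, so it must be below 128.
    """
    if not 0 <= message_id < 0x80:
        raise ValueError("example encoder only supports message IDs below 128")
    request_name = _tlv(0x80, STARTTLS_OID.encode("ascii"))   # [0] LDAPOID, primitive
    ext_req = _tlv(0x77, request_name)                         # [APPLICATION 23], constructed
    msg_id = _tlv(0x02, bytes([message_id]))                   # INTEGER
    return _tlv(0x30, msg_id + ext_req)                        # SEQUENCE


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_extended_response(buf: bytes) -> dict:
    """Decode LDAPMessage { messageID, ExtendedResponse [APPLICATION 24] }."""
    tag, body, _ = _read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, msg_id, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, resp, _ = _read_tlv(body, pos)
    if tag != 0x78:
        raise ValueError("protocolOp is not ExtendedResponse (0x78), got 0x%02x" % tag)
    _, code, pos = _read_tlv(resp, 0)        # resultCode ENUMERATED
    _, matched, pos = _read_tlv(resp, pos)   # matchedDN
    _, diag, pos = _read_tlv(resp, pos)      # diagnosticMessage (errorMessage in RFC 2251)
    name = None
    while pos < len(resp):                   # optional referral [3], responseName [10], response [11]
        tag, val, pos = _read_tlv(resp, pos)
        if tag == 0x8A:                      # responseName [10]
            name = val.decode("ascii")
    return {
        "message_id": int.from_bytes(msg_id, "big"),
        "result_code": int.from_bytes(code, "big"),
        "matched_dn": matched.decode("utf-8"),
        "diagnostic": diag.decode("utf-8"),
        "response_name": name,
    }


# Constructed sample replies for this example (not captured from a real slapd).
SAMPLE_SUCCESS_RESPONSE = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(
    0x78, _tlv(0x0A, b"\x00") + _tlv(0x04, b"") + _tlv(0x04, b"")
    + _tlv(0x8A, STARTTLS_OID.encode("ascii"))))
SAMPLE_REFUSAL_RESPONSE = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(
    0x78, _tlv(0x0A, bytes([52])) + _tlv(0x04, b"") + _tlv(0x04, b"TLS not available")))


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("connection closed during StartTLS")
        data += chunk
    return data


def _recv_ldap_message(sock: socket.socket) -> bytes:
    """Read one complete BER-framed LDAPMessage (header first, then the declared length)."""
    head = _recv_exact(sock, 2)
    length = head[1]
    if length & 0x80:
        extra = _recv_exact(sock, length & 0x7F)
        head += extra
        length = int.from_bytes(extra, "big")
    return head + _recv_exact(sock, length)


def start_tls(sock: socket.socket, server_hostname: str, cafile=None) -> ssl.SSLSocket:
    """Upgrade an already-connected cleartext LDAP socket (normally port 389) to TLS."""
    sock.sendall(build_starttls_request(1))
    parsed = parse_extended_response(_recv_ldap_message(sock))
    if parsed["result_code"] != 0:
        raise RuntimeError("StartTLS refused: code %d %r" % (parsed["result_code"], parsed["diagnostic"]))
    # Certificate verification stays on: an unverified StartTLS upgrade is trivially MITM-able.
    ctx = ssl.create_default_context(cafile=cafile)
    return ctx.wrap_socket(sock, server_hostname=server_hostname)
```

After `start_tls()` returns, every further LDAP message (including the bind) goes over the returned TLS socket, which is exactly why the ssf-based ACLs in the first message above can then be satisfied on the standard port without a separate ldaps listener.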