* Michael Ströder (michael@stroeder.com) wrote:
> Stephen Frost wrote:
> >* Bennett, Tony - CNF (Bennett.Tony@cnf.com) wrote:
> >
> >>It is my understanding that when a client connects
> >>to a server using ldaps://.... instead of ldap://...
> >>then a TLS session is first negotiated with the server,
> >>then the client uses whatever "method" is specified...
> >
> >This isn't really accurate. ldaps is for SSL sessions. TLS is used on
> >the regular ldap:// port and is a way to 'upgrade' a connection to
> >encrypted.
>
> *Your* explanation isn't really accurate.

Sure it is, it just isn't as verbose.

> You probably are talking about LDAP on top of SSL/TLS layer (out-of-band
> encryption tunnel usually on separate port) vs. using StartTLS extended
> operation in an existing LDAPv3 connection (negotiating encryption tunnel
> in-band).

That would be ldaps:// vs. ldap:// with TLS, as I said above, yes.

> TLSv1 is the successor of SSLv3 standardized by the IETF (SSL was a
> proprietary protocol developed by Netscape) and it has nothing to do with
> LDAP in the first place. If you use ldaps:// depending on the client and
> server configuration you can either use SSL or TLS.

My experience with using ldaps:// has been that it's expecting an SSL
connection as opposed to a regular connection which then moves to TLS.
Certainly depending on the client and server configuration you can use
either SSL or TLS on port 1234, if you'd prefer.

	Stephen
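As an added example (not code from this thread, nor from OpenLDAP or any other project), here is what the in-band StartTLS negotiation Michael describes looks like on the wire, with the small amount of BER encoding and decoding written by hand: the client sends an ExtendedRequest carrying the StartTLS OID 1.3.6.1.4.1.1466.20037 (RFC 4511/4513) over the plain ldap:// port and wraps the socket in TLS only after a success ExtendedResponse, whereas with ldaps:// the socket is wrapped before any LDAP message is exchanged. The `upgrade_connection` helper, its host/port arguments and the constructed response bytes are illustrative assumptions.

```python
import socket
import ssl

# Standard StartTLS extended-operation OID (RFC 4511 / RFC 4513).
START_TLS_OID = b"1.3.6.1.4.1.1466.20037"

def ber_tlv(tag: int, body: bytes) -> bytes:
    """Encode one BER element; short-form lengths (< 128) are enough here."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def start_tls_request(message_id: int) -> bytes:
    """LDAPMessage { messageID, extendedReq [APPLICATION 23] { requestName [0] OID } }.
    0x77 = APPLICATION 23 constructed, 0x80 = context tag [0] for requestName."""
    ext_req = ber_tlv(0x77, ber_tlv(0x80, START_TLS_OID))
    return ber_tlv(0x30, ber_tlv(0x02, bytes([message_id])) + ext_req)

def parse_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the short-form BER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def parse_extended_response(pdu: bytes) -> dict:
    """Decode LDAPMessage { messageID, extendedResp [APPLICATION 24] LDAPResult }.
    Only the LDAPResult head (resultCode, matchedDN, diagnosticMessage) is read."""
    tag, msg, _ = parse_tlv(pdu)
    assert tag == 0x30, "not an LDAPMessage"
    _, mid, pos = parse_tlv(msg)               # messageID INTEGER
    tag, body, _ = parse_tlv(msg, pos)
    assert tag == 0x78, "not an ExtendedResponse (APPLICATION 24)"
    _, code, pos = parse_tlv(body)             # resultCode ENUMERATED
    _, _matched, pos = parse_tlv(body, pos)    # matchedDN
    _, diag, pos = parse_tlv(body, pos)        # diagnosticMessage
    return {"message_id": mid[0], "result_code": code[0],
            "diagnostic": diag.decode(), "tls_ok": code[0] == 0}

def upgrade_connection(host: str, port: int = 389) -> ssl.SSLSocket:
    """ldap:// + StartTLS: talk LDAP in the clear first, then wrap the same socket.
    A client must refuse to go on in cleartext if the server declines (what
    ldapsearch's -ZZ enforces). For ldaps:// you would instead wrap the socket
    immediately: ctx.wrap_socket(socket.create_connection((host, 636)), ...)."""
    ctx = ssl.create_default_context()   # hypothetical: verifies server cert + hostname
    sock = socket.create_connection((host, port))
    sock.sendall(start_tls_request(1))
    resp = parse_extended_response(sock.recv(4096))
    if not resp["tls_ok"]:
        sock.close()
        raise RuntimeError(f"StartTLS refused by server: {resp['diagnostic']!r}")
    return ctx.wrap_socket(sock, server_hostname=host)
```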