
Re: How to only accept TLS connection on port 389



At 09:51 PM 1/21/2007, S Kalyanasundaram wrote:
>> While ldap:// uses 389 by default and ldaps:// uses 636 by default,
>> one can actually use ldap:// or ldaps:// on any port.  
>
>So the port is independent of the connection type?

Yes, ldap://server:636 and ldaps://server:389 are syntactically
valid URLs.  Of course, they are only valid in use if the server
was actually and quite oddly configured to accept ldap:// on 636
and ldaps:// on 389.

>The clear text authentication as well as the secured connection can be made on both the ports (389, 636)?

Given the above, and oddly configured clients (and possibly servers),
asking about what ports support is confusing.

The point I was trying to make is that configuring a
client to use port 636 doesn't necessarily cause it to
use ldaps:// instead.

>Then what for the port is being used?

Ports, and host addresses, are used to distinguish endpoints in a
TCP stream.  That is, server:389 and server:636 are different
endpoints.  Neither server:389 nor server:636 indicate which
protocol (or protocol variant) is to be used (or is used).

>I assumed 389 is clear text and 636 is the encrypted (SSL/TLS) one.

389 is the default port for ldap://.
636 is the default port for ldaps://.

However, assuming all communication is on default ports
is, well, a bad assumption.  This thread started with
what appears to be a client using ldap:// on 636, as if the
following had been done:
        ldapsearch -H ldap://server:636

-- Kurt
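The scheme/port independence Kurt describes, worked through as a small added example (this is not code from the thread or from the OpenLDAP project). It resolves an LDAP URL the way RFC 4516 lays one out (scheme://host:port), applies the default port only when none is given, and reports what actually goes on the wire: ldaps:// is TLS from the first byte, ldap:// is cleartext unless the client issues StartTLS (what ldapsearch does with -Z/-ZZ). The port never enters that decision. The mismatch check flags URLs such as ldap://server:636, the case the thread started with. Host names and ports in the tests are constructed.

```python
"""Added example: LDAP URL scheme vs. port resolution (RFC 4516 URL layout).

The scheme decides the protocol variant; the port only selects the TCP
endpoint.  Nothing here talks to a server.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Default ports for the two schemes, as stated in the thread.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


@dataclass(frozen=True)
class Endpoint:
    scheme: str          # "ldap" or "ldaps"
    host: str
    port: int
    explicit_port: bool  # True when the URL spelled the port out


def parse_ldap_url(url: str) -> Endpoint:
    """Split an LDAP URL into scheme/host/port, applying the scheme default
    only when the URL carries no port of its own."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"not an LDAP URL scheme: {parts.scheme!r}")
    host = parts.hostname or "localhost"
    port = parts.port  # None when absent; ValueError if not a valid number
    return Endpoint(scheme, host,
                    port if port is not None else DEFAULT_PORTS[scheme],
                    port is not None)


def on_wire(url: str, starttls: bool = False) -> str:
    """What the first bytes on the socket look like.

    starttls models a client that will issue the StartTLS extended
    operation after connecting (ldapsearch -Z / -ZZ); it only matters for
    ldap://, since ldaps:// negotiates TLS before any LDAP PDU is sent.
    The port plays no part in this decision.
    """
    ep = parse_ldap_url(url)
    if ep.scheme == "ldaps":
        return "tls-from-start"
    return "tls-after-starttls" if starttls else "cleartext"


def port_scheme_mismatch(url: str) -> Optional[str]:
    """Return a warning when the explicit port is the other scheme's default,
    i.e. the 'oddly configured' combinations from the thread."""
    ep = parse_ldap_url(url)
    other = "ldaps" if ep.scheme == "ldap" else "ldap"
    if ep.explicit_port and ep.port == DEFAULT_PORTS[other]:
        return (f"{ep.scheme}:// on port {ep.port} (the {other}:// default): "
                f"the wire is {on_wire(url)} unless the server really "
                f"listens for {ep.scheme}:// there")
    return None


if __name__ == "__main__":
    # Constructed sample URLs, including the one from the thread.
    for u in ("ldap://server", "ldaps://server", "ldap://server:636",
              "ldaps://server:389"):
        ep = parse_ldap_url(u)
        print(f"{u:22s} -> {ep.host}:{ep.port:<4d} {on_wire(u):18s}",
              port_scheme_mismatch(u) or "")
```

Running it shows that ldap://server:636 resolves to port 636 but is still cleartext, while ldaps://server:389 is TLS on port 389; a client configured by port alone learns nothing about which of the two it gets.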