Re: SSL/TLS connection on port 389

[Quanah Gibson-Mount <quanah@zimbra.com>]

--On Monday, January 28, 2008 5:10 PM +0000 Chris Carr 
<chris.carr@camden.gov.uk> wrote:

> On Mon, 2008-01-28 at 09:00 -0800, Quanah Gibson-Mount wrote:
> > --On Monday, January 28, 2008 2:57 PM +0000 Chris Carr
> >
> > > Hi All,
> > >
> > > I've been running slapd with "-h ldaps:///" so that it takes SSL/TLS
> > > connections on port 636. This has worked with most clients (Outlook,
> > > Seamonkey, Thunderbird) but does not work for Evolution. I don't know
> > > why not, but Evolution seems to insist on using port 389 for secure
> > > connections.
> > >
> > > When I type
> > >
> > > openssl s_client -connect my.server.com:389
> >
> > If you read the documentation on openssl, it clearly states it doesn't
> > support doing LDAP startTLS over port 389.
>
> I thought startTLS was supposed to be the replacement for ldaps, so that
> only one port was needed for both secure and insecure connections.
> Wasn't that discussed on this list quite recently? I have definitely
> misunderstood something.

You are correct, startTLS is the replacement for LDAPS.  My point is, if 
you read the documentation about the "openssl s_client" command, the 
openssl folks have yet to add support for LDAP startTLS to it.  Which is 
why using that command in your case for testing it is pointless.

As for the debian 2.4.7 package, there's a bug already tracking this issue. 
I'm not clear if it is a GnuTLS bug or an OpenLDAP bug or both.  I don't 
use OpenLDAP with GnuTLS myself. ;)

--Quanah



--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration