LDAP over SSL (aka "ldaps://") is the older protocol and may be deprecated
someday. It works by creating an SSL tunnel (usually on port 636) and running a
normal clear-text LDAP session through the encrypting tunnel. This is the same
process as HTTP over SSL (aka "https://"), so if it's good enough for your
credit card data, it's good enough for your user credentials.
LDAP with TLS is a function completely internal to the LDAP server and LDAP
client. What happens is that a normal clear-text LDAP session is created, usually
over port 389. Then, before any data is transferred, the client sends a command
that says, "Let's talk secure" (aka "StartTLS"). Assuming the server supports
TLS, the two machines will swap certs and do the little TLS dance to jointly
arrive at an encryption process they both support. All of this happens over
the normal port 389.
One method is just as secure as the other. There is no security difference.