OpenLDAP Faq-O-Matic: What is the right way to secure LDAP communications?
LDAP over SSL (aka "ldaps://") is the older protocol and may be deprecated someday. It works by creating an SSL tunnel (usually on port 636) and running a normal clear text LDAP session through the encrypting tunnel. This is the same process as HTTP over SSL (aka "https://"), so if it's good enough for your credit card data, it's good enough for your user credentials.
LDAP with TLS is a function completely internal to the LDAP server and LDAP client. What happens is a normal clear text LDAP session is created, usually over port 389. Then, before any data is transferred, the client sends a command that says, "Let's talk secure" (aka "StartTLS"). Assuming the server supports TLS, the two machines will swap certs and do the little TLS dance to jointly arrive at an encryption process they both support. All of this happens over the normal port 389.
One method is just as secure as the other. There is no security difference.
tom@doctorunix.com
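As an added illustration (not from the FAQ and not OpenLDAP's own client code), here are the two connection styles described above in plain Python, using only the standard library: "ldaps://" wraps the socket in TLS before a single LDAP byte is sent, while StartTLS opens a clear text connection and sends the RFC 4511 ExtendedRequest for OID 1.3.6.1.4.1.1466.20037 before upgrading. The hostname and CA file are assumptions, and the BER decoder is deliberately minimal (short-form lengths, single-byte message IDs).

```python
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # StartTLS extended operation (RFC 4511 / RFC 4513)

def ber_len(n: int) -> bytes:
    # Short-form BER length is enough here: every message built below is under 128 bytes.
    assert n < 128
    return bytes([n])

def starttls_request(msg_id: int = 1) -> bytes:
    """Encode the LDAP ExtendedRequest that says 'let's talk secure'."""
    ext = b"\x80" + ber_len(len(STARTTLS_OID)) + STARTTLS_OID  # requestName [0] LDAPOID
    ext_req = b"\x77" + ber_len(len(ext)) + ext                # [APPLICATION 23] ExtendedRequest
    mid = b"\x02\x01" + bytes([msg_id])                        # messageID INTEGER
    body = mid + ext_req
    return b"\x30" + ber_len(len(body)) + body                 # LDAPMessage SEQUENCE

def starttls_succeeded(resp: bytes) -> bool:
    """Minimal check of the ExtendedResponse: resultCode ENUMERATED must be 0 (success).
    Expected layout: 30 len 02 01 <id> 78 len 0a 01 <resultCode> ... (assumed short form)."""
    return len(resp) > 9 and resp[0] == 0x30 and resp[5] == 0x78 and resp[7:10] == b"\x0a\x01\x00"

def strict_tls_context(ca_file: str) -> ssl.SSLContext:
    """Both styles end up here: verify the server cert against a trusted CA and check the
    hostname; an unverified tunnel only protects you from a passive observer."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def connect_ldaps(host: str, ca_file: str, port: int = 636) -> ssl.SSLSocket:
    # Style 1 (ldaps://): wrap first, then speak LDAP inside the tunnel, just like https.
    raw = socket.create_connection((host, port))
    return strict_tls_context(ca_file).wrap_socket(raw, server_hostname=host)

def connect_starttls(host: str, ca_file: str, port: int = 389) -> ssl.SSLSocket:
    # Style 2 (StartTLS): clear text TCP, ask for TLS before any data, and refuse to
    # continue in the clear if the server says no.
    raw = socket.create_connection((host, port))
    raw.sendall(starttls_request())
    if not starttls_succeeded(raw.recv(512)):
        raw.close()
        raise RuntimeError("server refused StartTLS; not falling back to clear text")
    return strict_tls_context(ca_file).wrap_socket(raw, server_hostname=host)

# Usage (assumed names): connect_ldaps("ldap.example.com", "ca.pem")
#                        connect_starttls("ldap.example.com", "ca.pem")
```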
This document is: http://www.openldap.org/faq/index.cgi?file=1253
This is a Faq-O-Matic 2.719.
© Copyright 2005, OpenLDAP Foundation, info@OpenLDAP.org