
RE: RFC2255 - LDAP URL Format question...



In an NT world, you can actually configure multiple IP addresses for a
single card and thereby use well-known ports for each process, e.g.

ldaps://server1a.myorg.com
ldaps://server1b.myorg.com

Where they are both on the same box!

By the way, is there a well-known port for LDAPS?

Andrew Probert
Rotek Consulting   http://www.rotek.com.au
a Division of Secure Network Solutions http://SecureNet.com.au
Tel  +61 3 9690 8877
Mobile +61 409 413 028
Fax +61 3 9690 8171




-----Original Message-----
From: dboreham@netscape.com [mailto:dboreham@netscape.com]
Sent: Wednesday, September 01, 1999 3:00 PM
To: Ed Reed; ietf-ldapext@netscape.com
Subject: Re: RFC2255 - LDAP URL Format question...


Ed Reed wrote:

> ..How does one indicate, in an LDAP URL, whether LDAP over SSL is to be
> used to contact an LDAP server at the IP address and socket specified in the
> LDAP URL?
>
> Seems like there needs to be another scheme defined...
>
> Yes, if the well-known sockets are being used, then calling out the socket
> number in the URL might let you know whether SSL is to be used, or not.
>
> But if there are multiple DSAs operating on the same TCP/IP stack, they
> can't all use the well-known SSL LDAP socket, and so we need some way to
> specify, in the URL, to talk to this host on this socket using SSL.  At
> least until the last SSL LDAP server is retired (;-)
>
> Have you already addressed this somewhere you can point me, or is this a
> new "opportunity" to revise 2255 before progression to standard?  I'd also
> note that the reference 2255 makes to RFC 1738 is obsoleted, now, by
> RFC 2396.

This is roughly how the Netscape implementation works:

The client SDK recognizes "ldaps" urls as meaning LDAP over SSL.
A port number, if present, is used otherwise the default SSL port
number is used.

The server, when returning a referral to a client, re-writes the referral
URL on the fly to the "ldaps" form, if the client itself connected via SSL.

The case where non-default SSL ports are employed is not handled
elegantly. (manual configuration of ldaps referrals with port numbers
would be required).
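The ldaps convention described in the quoted reply (scheme decides SSL, port defaults from the scheme, referrals rewritten for SSL clients), worked through as an added example. This is not the Netscape SDK's or server's code; it is a small RFC 2255 URL parser written for this thread. It assumes the default ports 389 for ldap:// and 636 for ldaps:// (636 is the IANA-registered LDAP-over-SSL port), and the hostnames and DNs in the demo are taken from, or constructed to match, the thread.

```python
"""RFC 2255 LDAP URL parsing with the 'ldaps' convention from the thread.

Added example, not the Netscape SDK's own code.  Assumed defaults: port 389
for ldap:// and 636 for ldaps:// (636 is the IANA-registered LDAPS port)."""
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import quote, unquote

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
DEFAULT_SCOPE = "base"
DEFAULT_FILTER = "(objectClass=*)"
SCOPES = {"base", "one", "sub"}


@dataclass
class LdapUrl:
    scheme: str                 # "ldap" (cleartext) or "ldaps" (LDAP over SSL)
    host: Optional[str]         # None means "use a locally configured server"
    port: int
    explicit_port: bool         # was a port actually written in the URL?
    dn: str = ""
    attributes: List[str] = field(default_factory=list)
    scope: str = DEFAULT_SCOPE
    filter: str = DEFAULT_FILTER
    extensions: List[str] = field(default_factory=list)

    @property
    def use_ssl(self) -> bool:
        # The scheme alone decides whether SSL is used; the port number does not.
        return self.scheme == "ldaps"

    def to_string(self) -> str:
        hostport = self.host or ""
        if self.host and self.explicit_port:
            hostport += f":{self.port}"
        tail = [
            ",".join(self.attributes),
            "" if self.scope == DEFAULT_SCOPE else self.scope,
            "" if self.filter == DEFAULT_FILTER else quote(self.filter, safe="()=*&|!"),
            ",".join(self.extensions),
        ]
        while tail and not tail[-1]:        # drop trailing empty fields
            tail.pop()
        url = f"{self.scheme}://{hostport}/{quote(self.dn, safe='=,+;')}"
        return url + ("?" + "?".join(tail) if tail else "")


def parse_ldap_url(url: str) -> LdapUrl:
    """Split scheme://hostport/dn?attrs?scope?filter?exts (RFC 2255)."""
    scheme, sep, rest = url.partition("://")
    scheme = scheme.lower()
    if not sep or scheme not in DEFAULT_PORTS:
        raise ValueError(f"not an ldap/ldaps URL: {url!r}")
    hostport, _, tail = rest.partition("/")
    host: Optional[str] = hostport or None
    port, explicit = DEFAULT_PORTS[scheme], False
    if host and ":" in host and not host.endswith("]"):   # "[::1]" carries no port
        host, _, p = host.rpartition(":")
        port, explicit = int(p), True
    fields = tail.split("?", 4) + [""] * 5
    dn, attrs, scope, filt, exts = fields[:5]
    scope = scope.lower() or DEFAULT_SCOPE
    if scope not in SCOPES:
        raise ValueError(f"bad scope {scope!r}")
    return LdapUrl(
        scheme=scheme, host=host, port=port, explicit_port=explicit,
        dn=unquote(dn),
        attributes=[a for a in attrs.split(",") if a],
        scope=scope,
        filter=unquote(filt) or DEFAULT_FILTER,
        extensions=[e for e in exts.split(",") if e],
    )


def rewrite_referral(referral: str, client_used_ssl: bool) -> str:
    """Server-side step from the thread: a client that connected over SSL gets
    its referral rewritten to the ldaps form, so following it does not silently
    drop to cleartext.  A referral that names a non-default port keeps that
    port: as the thread says, such referrals have to be configured by hand."""
    u = parse_ldap_url(referral)
    if client_used_ssl and u.scheme == "ldap":
        u.scheme = "ldaps"
        if not u.explicit_port:
            u.port = DEFAULT_PORTS["ldaps"]
    return u.to_string()


if __name__ == "__main__":
    # Constructed sample input using the thread's hostnames.
    u = parse_ldap_url("ldaps://server1a.myorg.com/dc=myorg,dc=com?cn,mail?sub?(uid=andrew)")
    print(u.use_ssl, u.port, u.dn, u.attributes, u.scope, u.filter)
    print(rewrite_referral("ldap://server1b.myorg.com/ou=people,dc=myorg,dc=com", True))
```

Note that `rewrite_referral` only swaps the scheme; when the referral carries an explicit non-default port the rewritten URL still points at that port, which is exactly the "not handled elegantly" case the reply mentions, and the operator has to hand-configure an ldaps referral with the right port instead.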