Re: RFC2255 - LDAP URL Format question...



> ..How does one indicate, in an LDAP URL, whether LDAP over SSL is to
> be used to contact an LDAP server at the ip address and socket
> specified in the LDAP url?
> 
> Seems like there needs to be another scheme defined...

Mark's response explains this well, though I might rather say that the use
of TLS is something about which the client and server can negotiate, among
many other things they can negotiate.  Ed, if your server wants to enforce
the use of TLS on connections made to it, then it merely has to be
configured to do so; and it can be made to do this without anyone having
to change the ldap:// URLs that may already be printed on the side of city
buses.  Moreover, a client can choose to use TLS protection, or Kerberos
or Digest protection, when making a URL-initiated LDAP connection,
whenever it wants to (assuming server agreement); unlike say with http://,
which tells the client *not* to use TLS.  You might want to look at
draft-ietf-tls-http-upgrade-02.txt, which proposes a way of getting even
http out of the https: tarpit.

 - RL "Bob"
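
The negotiation described in the reply above, as an added example that is not part of the original message: the ldap:// URL supplies only host and port, and a client that wants TLS asks for it in-protocol. It assumes the negotiation uses the LDAPv3 StartTLS extended operation; the function names, host name and server replies are constructed for illustration.

```python
from urllib.parse import urlsplit

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # LDAPv3 StartTLS extended operation

def tlv(tag, value):
    """Encode one BER TLV; short-form length is enough for these small PDUs."""
    if len(value) > 127:
        raise ValueError("long-form length not needed here")
    return bytes([tag, len(value)]) + value

def read_tlv(buf, pos=0):
    """Decode one short-form TLV at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos + 1] & 0x80:
        raise ValueError("truncated or long-form TLV")
    end = pos + 2 + buf[pos + 1]
    if end > len(buf):
        raise ValueError("truncated TLV")
    return buf[pos], buf[pos + 2:end], end

def starttls_request(msg_id=1):
    """LDAPMessage{messageID, ExtendedRequest [APPLICATION 23]{requestName [0]}}."""
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x77, tlv(0x80, STARTTLS_OID)))

def extended_result(pdu):
    """Return resultCode from LDAPMessage{messageID, ExtendedResponse [APPLICATION 24]}."""
    tag, msg, _ = read_tlv(pdu)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = read_tlv(msg)              # skip messageID
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x78:
        raise ValueError("not an ExtendedResponse")
    tag, code, _ = read_tlv(op)            # first field of LDAPResult
    if tag != 0x0A or not code:
        raise ValueError("missing resultCode")
    return int.from_bytes(code, "big")

def plan_connection(url, require_tls, starttls_reply):
    """The URL gives host and port only; TLS is the client's policy decision."""
    u = urlsplit(url)
    if u.scheme != "ldap":
        raise ValueError("expected an ldap:// URL")
    host, port = u.hostname, u.port or 389
    if not require_tls:
        return host, port, "cleartext"
    if extended_result(starttls_reply) != 0:   # anything but success(0): fail closed
        raise ConnectionError("StartTLS refused; not falling back to cleartext")
    return host, port, "tls"

# Constructed server replies (not captured traffic): success(0), protocolError(2).
REPLY_OK = bytes.fromhex("300c02010178070a010004000400")
REPLY_REFUSED = bytes.fromhex("300c02010178070a010204000400")
```

A client that requires TLS treats any non-success reply as a hard failure instead of continuing in cleartext, so the same ldap:// URL works whether or not the server enforces TLS.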