[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: TLS and security of LDAP transmissions

At 02:54 PM 4/23/01, Howard Chu wrote:
>By default, LDAP transactions are transmitted in clear text.
>If you use LDAP over SSL (usually denoted by the nonstandardized
>"ldaps://foo.bar" URL) then the entire session is protected by SSL.
>If you use LDAPv3 and the StartTLS option on a regular LDAP connection,
>the connection is initiated in the clear, and TLS is activated
>once the StartTLS option has been recognized.
>All of this is completely independent of Kerberos and SASL.

BTW, certain SASL mechanisms, such as GSSAPI (KerberosV)
and DIGEST-MD5,  provide integrity and confidential security
layers.  DIGEST-MD5 is LDAPv3's mandatory-to-implement strong
authentication mechanism [RFC2829].