
Confused about SSL, TLS, SASL

I'm trying to integrate LDAP into a small set of servers and I'm getting confused about the various encryption and authentication pieces.

Here's my server:
        Red Hat 7.1
        OpenLDAP 2.0.7             (stock RPM install)
        auth_ldap 1.4.7-2          (ditto)
        nss_ldap 149-4             (ditto)
        openssl 0.9.5a             (ditto)
        cyrus-sasl 1.5.24-17       (ditto)

I want my Solaris 8 and Red Hat 7.1 servers to authenticate (Unix passwd and Apache user) against it. No immediate plans to use it for address books or Netscape profiles. I seem to have it working over port 636 using SSL with my Linux machines.

My goal is to have SSL encrypting the wire between the client machines and the LDAP server, and then to have the client machines use a password to bind to the server.

1) Is there a difference between SSL and TLS transport encryption setup? Is there a difference between using -h ldaps:// (port 636) or talking to the default ldap port and it using the start_tls functions to switch to SSL?

2) I have one book on LDAP that says SSL and TLS are equivalent (interchangeable), and I've read something on the web that says SSL LDAP encryption is non-standard and that I should use TLS. If my ldap.conf file says "ssl yes" am I ever using TLS?

3) I can't figure out what SASL is used for. Is it just used for authenticating the client to the server? Is it only used as a wrapper around some non-standard or in-house authenticating system? Do I need it?