
Re: ldap-ssl trouble .....



Lionel,

I'm no expert, but from packet-sniffing my LDAP connections it appears
that StartTLS is issued before binding (which is what I would expect, or
else TLS would be mostly pointless), so you don't need
to worry about passwords in the clear using StartTLS.

It's just too bad that there's no stable PHP release with ldap_start_tls
yet, so we're stuck using ldaps:// until we get the next release...

Carl

On Thu, 14 Feb 2002, Kaufmann Lionel wrote:

> Thanks a lot for your explanation Mister Chu !!
> Some light in the darkness....
> 
> So there are two ways to work with TLS / SSL
> 
> 1)  Normal connection on port 389 ( or another one you can specify when
> launching the server and in the client, that was my mistake :-/ )  and then
> turn on TLS/SSL with the start TLS request  ( -Z option )!
> In this way you don't need to run ldaps://
> 
> I verified it : only launch the normal server ( and removed the port number
> 636 in my ldap.conf  sigh' ) #>ldapsearch -x -Z -b o=societe.fr sn=Wayne
> works better ( I still have an error but it's with the certificate,  I will
> work on it a little bit more to find how to correct....)
> 
> But with this way the identification / connection is established in clear....
> 
> 2) Full secured communication ( connection && data ) with the ldaps://
> server on port 636 where SSL take  !
> 
> This is the way I would prefer because the password would be encrypted....
> 
> Isn't this standard ?
> Can I use ldapsearch to communicate with such a server ? If yes, how ?
> 
> Thanks for every help...
> Best regards
> 
> ----- Original Message -----
> From: "Howard Chu" <hyc@highlandsun.com>
> To: "Kaufmann Lionel" <wayne-cci@noos.fr>; <openldap-software@OpenLDAP.org>
> Sent: Thursday, February 14, 2002 1:52 PM
> Subject: RE: ldap-ssl trouble .....
> 
> 
> > Port 636 is used for LDAP on SSL. This means that SSL is part of the
> > connection from the very beginning. This is the way SSL was used with
> > LDAPv2, but is not part of any documented standard. The "-Z" option to
> > ldapsearch uses the Start TLS request which is defined in LDAPv3. This
> > assumes a connection that was created in the clear, and which then has
> > TLS/SSL activated on it in response to this Start TLS request.
> >
> > By setting up your ldap.conf in this manner you're trying to initiate a
> > clear text connection on a port that is expecting SSL, which obviously
> > doesn't work. If you're going to use Start TLS you don't need to use port
> > 636 at all. If you want to use port 636, you cannot use Start TLS on that
> > port because TLS will already be active before any LDAP requests can be
> > processed.
> >
> >   -- Howard Chu
> >   Chief Architect, Symas Corp.       Director, Highland Sun
> >   http://www.symas.com               http://highlandsun.com/hyc
> >   Symas: Premier OpenSource Development and Support
> >
> 
>
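Carl's point (that a StartTLS client issues the Start TLS extended request before it binds, so the password is not exposed) and Lionel's worry (that with -Z "the identification is established in clear") can be settled on a packet capture by looking at the order of LDAP operations. The following is an added example, not code from this thread or from OpenLDAP: it decodes the BER envelope of each LDAPMessage in a byte stream (RFC 4511 layout, Start TLS OID 1.3.6.1.4.1.1466.20037) and reports any simple bind that appears before the Start TLS request. The sample streams are constructed inline with a small encoder; the DN and password in them are made up. In a real capture everything after the Start TLS response is TLS ciphertext, so any simple bind that is still readable is by definition one that went over the wire in clear.

```python
"""
Minimal LDAP (RFC 4511) message walker for auditing captured client traffic:
decodes the BER envelope of each LDAPMessage and flags simple binds
(cleartext password) that were sent before the Start TLS extended request.
Added example; the sample DN/password below are constructed, not real.
"""
from dataclasses import dataclass
from typing import List, Tuple

START_TLS_OID = "1.3.6.1.4.1.1466.20037"   # RFC 4511 section 4.14.1

# ---- BER helpers, only the subset LDAP needs ----

def ber_len(n: int) -> bytes:
    """Encode a BER length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, payload: bytes) -> bytes:
    """Tag-length-value wrapper."""
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(v: int) -> bytes:
    """BER INTEGER (two's complement, minimal length)."""
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after the element) for the TLV at buf[pos]."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                        # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

# ---- encoders used only to build the constructed sample captures ----

def bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, bindRequest [APPLICATION 0] { 3, dn, simple [0] pw } }."""
    op = ber_int(3) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, ber_int(msg_id) + tlv(0x60, op))

def start_tls_request(msg_id: int) -> bytes:
    """LDAPMessage { messageID, extendedReq [APPLICATION 23] { requestName [0] OID } }."""
    return tlv(0x30, ber_int(msg_id) + tlv(0x77, tlv(0x80, START_TLS_OID.encode())))

# ---- decoder / audit ----

@dataclass
class LdapOp:
    msg_id: int
    kind: str        # "simple_bind", "sasl_bind", "starttls", "extended", "other"
    detail: str = ""

def decode_messages(stream: bytes) -> List[LdapOp]:
    """Walk consecutive LDAPMessages in a client-to-server byte stream."""
    ops, pos = [], 0
    while pos < len(stream):
        tag, msg, pos = read_tlv(stream, pos)
        if tag != 0x30:
            raise ValueError(f"expected LDAPMessage SEQUENCE, got tag {tag:#x}")
        _, mid, p = read_tlv(msg, 0)
        msg_id = int.from_bytes(mid, "big", signed=True)
        op_tag, op_val, _ = read_tlv(msg, p)
        if op_tag == 0x60:                                  # bindRequest
            _, _version, q = read_tlv(op_val, 0)
            _, dn, q = read_tlv(op_val, q)
            auth_tag, _auth, _ = read_tlv(op_val, q)
            kind = "simple_bind" if auth_tag == 0x80 else "sasl_bind"
            ops.append(LdapOp(msg_id, kind, dn.decode()))
        elif op_tag == 0x77:                                # extendedReq
            _, oid, _ = read_tlv(op_val, 0)
            oid_s = oid.decode()
            ops.append(LdapOp(msg_id, "starttls" if oid_s == START_TLS_OID else "extended", oid_s))
        else:
            ops.append(LdapOp(msg_id, "other", f"tag {op_tag:#x}"))
    return ops

def cleartext_credentials_before_tls(ops: List[LdapOp]) -> List[LdapOp]:
    """Simple binds that precede the first Start TLS request, i.e. went in clear."""
    exposed = []
    for op in ops:
        if op.kind == "starttls":
            break
        if op.kind == "simple_bind":
            exposed.append(op)
    return exposed

if __name__ == "__main__":
    # Constructed captures: the StartTLS-first order Carl saw, and the reverse.
    good = start_tls_request(1) + bind_request(2, "cn=admin,o=societe.fr", "not-a-real-pw")
    bad = bind_request(1, "cn=admin,o=societe.fr", "not-a-real-pw") + start_tls_request(2)
    for label, cap in (("starttls-then-bind", good), ("bind-then-starttls", bad)):
        exposed = cleartext_credentials_before_tls(decode_messages(cap))
        print(label, "->", "password exposed" if exposed else "ok")
```

To use it on real traffic, feed the reassembled client-to-server TCP payload of a port 389 session into `decode_messages`; a result from `cleartext_credentials_before_tls` that is non-empty means the client bound before (or without) negotiating TLS, which is the case Lionel was worried about and the one an `ldap.conf` with `TLS_REQCERT` and a StartTLS-capable client is meant to avoid.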