
RE: ldap-ssl trouble .....



That's right. Of course the StartTLS request can be sent any time but
there's not much point in doing it late. The standard client tools will
send it as the first request.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Carl J Meyer

> Lionel,
>
> I'm no expert, but from packet-sniffing my LDAP connections it appears
> that StartTLS is issued before binding (which is what I would expect, or
> else TLS would be mostly pointless), so you don't need
> to worry about passwords in the clear using StartTLS.
>
> It's just too bad that there's no stable PHP release with ldap_start_tls
> yet, so we're stuck using ldaps:// until we get the next release...
>
> Carl
>
> On Thu, 14 Feb 2002, Kaufmann Lionel wrote:
>
> > Thanks a lot for your explanation Mister Chu !!
> > Some light in the darkness....
> >
> > So there are two ways to work with TLS / SSL
> >
> > 1)  Normal connection on port 389 ( or another you can specify when
> > launching the server and in the client, that was my mistake :-/ )  and then
> > turn on TLS/SSL with the start TLS request  ( -Z option )!
> > In this way you don't need to run ldaps://
> >
> > I verified it : only launch the normal server ( and retired the port number
> > 636 in my ldap.conf  sigh' ) #>ldapsearch -x -Z -b o=societe.fr sn=Wayne
> > works better ( I still have an error but it's with the certificate,  I will
> > work on it a little bit more to find how to correct....)
> >
> > But with this way the identification / connection is established in clear....
> >
> > 2) Fully secured communication ( connection && data ) with the ldaps://
> > server on port 636 where SSL takes  !
> >
> > This is the way I would prefer because the password would be encrypted....
> >
> > This is not standard ?
> > Can I use ldapsearch to communicate with such a server ? If yes, how ?
> >
> > Thanks for every help...
> > Best regards
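Added example, not code from the thread or from OpenLDAP: a small Python script that encodes the two LDAPMessages in the order Howard and Carl describe (the StartTLS extended request as the first request, then the simple bind) and walks a constructed client-to-server byte sequence to flag a simple bind sent before StartTLS, which is the "password in the clear" case Lionel worried about. The ordering is simulated end-to-end in plaintext for the check; on a real connection the bind after a successful StartTLS travels inside TLS. The DN and password used are constructed values.

```python
# Added example (not OpenLDAP code): encode the StartTLS-then-bind ordering
# from the thread and flag a simple bind that was sent before StartTLS.
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # StartTLS extended op, RFC 4511

def ber_len(n):  # definite-form BER length
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body

def ber_int(v):  # non-negative INTEGER, leading zero if the high bit is set
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big"))

def ldap_message(msg_id, op):  # LDAPMessage ::= SEQUENCE { messageID, op }
    return tlv(0x30, ber_int(msg_id) + op)

def starttls_request(msg_id):  # ExtendedRequest [APPLICATION 23], requestName [0]
    return ldap_message(msg_id, tlv(0x77, tlv(0x80, STARTTLS_OID)))

def simple_bind_request(msg_id, dn, password):
    # BindRequest [APPLICATION 0]: version 3, name, simple [0] password
    body = ber_int(3) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return ldap_message(msg_id, tlv(0x60, body))

def read_tlv(buf, pos):  # returns (tag, value, position after the TLV)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def audit_client_stream(buf):
    """One (msg_id, finding) per client message. A simple bind seen before
    StartTLS is reported as cleartext; ordering is simulated in plaintext."""
    findings, tls_started, pos = [], False, 0
    while pos < len(buf):
        _, msg, pos = read_tlv(buf, pos)
        _, id_bytes, p = read_tlv(msg, 0)
        tag, op, _ = read_tlv(msg, p)
        msg_id = int.from_bytes(id_bytes, "big")
        if tag == 0x77 and read_tlv(op, 0)[1] == STARTTLS_OID:
            tls_started = True
            findings.append((msg_id, "starttls"))
        elif tag == 0x60:
            _, _, p2 = read_tlv(op, 0)      # skip version
            _, dn, p2 = read_tlv(op, p2)    # name
            if op[p2] == 0x80 and not tls_started:
                findings.append((msg_id, "cleartext simple bind as " + dn.decode()))
            else:
                findings.append((msg_id, "bind"))
    return findings
```

Running `audit_client_stream` over `starttls_request(1) + simple_bind_request(2, dn, pw)` reports the bind as fine, while a stream that begins with the bind reports it as a cleartext simple bind.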