[Date Prev][Date Next] [Chronological] [Thread] [Top]

New problem is ports I think

OK, I think I have some of my SSL woes fixed now. As it turns out few of my problems were actually SSL problems rather they were with Directory Adminstrator's poor management of group and uid numbers. That and there was a bug in either /etc/pam.d/passwd or /etc/pam.d/system-auth. I replaced both and a problem or two went away.

Anyway the new problem is ports I think.

My ldap server is configured to use port 389 for both encrypted and unencrypted traffic.
Is there a way to split the encrypted traffic off to port 636?

The OpenLDAP FAQ-O-MATIC had this to say on the subject:

   Start TLS [RFC 2830] is LDAPv3's mechanism for enabling TLS (SSL)
   data confidentiality protection. The mechanism uses an extended
   operation to coordinate the starting of TLS. While the mechanism is
   designed for use with TLSv1, most implementations will fallback to
   SSLv2 (and SSLv1) if necessary.

   ldaps:// is a mechanism for coordinating use of SSL (TLS) with LDAP.
   It requires use of special port, commonly 636, to coordinate
   starting of SSL. Though originally designed for use with LDAPv2 and
   SSLv2, many implementations support its use with LDAPv3 and TLSv1.

   ldaps:// is deprecated in favor of Start TLS [RFC2830]. OpenLDAP 2.0
   supports both.

So the implication is that there might be a way to do it but that there soon wont be. pGINA, as far as I can tell will not use the same port for both encrypted and unencrypted communications. Right now the Windows ldp utility connects and binds on port 389... I think it may even be encrypted though since the utility reports the collection of base RSA information. This and the Linux clients connect just fine with StartTLS enabled.