[Date Prev][Date Next]
On Wednesday 16 October 2002 12:11, you wrote:
> So ldaps:// (using port 636) is deprecated and shouldn't be used anymore
> correct ? The new way is to go with TLS which will anyway run via ldap://
> (port 389) ?
LDAPS never was part of the official LDAP standard, while startTLS is
a part of the official LDAPv3 standard.
So the support for LDAPS may someday go away from OpenLDAP,
while the support for start_tls will stay longer.
So, it's up to you to decide.
Technically LDAPS opens an encrypted connection and then does LDAP over it.
> I am also asking this because I've setted up my OpenLDAP with the
> TLSCertificates paramters, then did an ldapsearch using -ZZ and was
> surprised to see that it still used the port 389 for encrypted sessions and
> unencrypted sessions...
> Is that normal ?
start_tls converts an already open unencrypted LDAP connection into a
encrypted connection. So the port stays the same, since the connection
is the same, only the transferred data change ,-)))
> Also is there a way to dissallow unencrypted sessions, allowing only
> encrypted sessions using TLS ?
Look for security and/or ssf in slapd.conf(5)
Peter Marschall | eMail: firstname.lastname@example.org
Scheffelstraße 15 | email@example.com
97072 Würzburg | Tel: 0931/14721
PGP: D7 FF 20 FE E6 6B 31 74 D1 10 88 E0 3C FE 28 35