
Re: ldaps://


On Wednesday 16 October 2002 12:11, you wrote:
> So ldaps:// (using port 636) is deprecated and shouldn't be used anymore
> correct ? The new way is to go with TLS which will anyway run via ldap://
> (port 389) ?
LDAPS never was part of the official LDAP standard, while startTLS is 
a part of the official LDAPv3 standard.
So the support for LDAPS may someday go away from OpenLDAP,
while the support for start_tls will stay longer.
So, it's up to you to decide.

Technically LDAPS opens an encrypted connection and then does LDAP over it.

> I am also asking this because I've set up my OpenLDAP with the
> TLSCertificates parameters, then did an ldapsearch using -ZZ and was
> surprised to see that it still used the port 389 for encrypted sessions and
> unencrypted sessions...
> Is that normal?
Yes!
start_tls converts an already open unencrypted LDAP connection into an
encrypted connection. So the port stays the same, since the connection
is the same, only the transferred data change ,-)))

> Also is there a way to disallow unencrypted sessions, allowing only
> encrypted sessions using TLS?
Look for security and/or ssf in slapd.conf(5)

Peter Marschall     |   eMail: peter.marschall@mayn.de
Scheffelstraße 15   |          peter.marschall@is-energy.de
97072 Würzburg      |   Tel:   0931/14721
PGP:  D7 FF 20 FE E6 6B 31 74  D1 10 88 E0 3C FE 28 35
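The `security`/`ssf` pointer above, written out as a slapd.conf fragment. This is an added example, not part of Peter's mail or of the OpenLDAP distribution; the certificate paths are placeholders and the directives are those documented in slapd.conf(5).

```conf
# Added example (not from the original mail): slapd.conf fragment that
# enables TLS and refuses every operation whose security strength factor
# (SSF) is below 128. A client that connects to port 389 and does not
# issue StartTLS first gets its bind/search rejected with LDAP result
# code 13 (confidentiality required); after a successful StartTLS the
# same connection, still on port 389, is accepted.
# Paths below are placeholders, adjust to your installation.
TLSCACertificateFile    /etc/openldap/cacert.pem
TLSCertificateFile      /etc/openldap/slapd-cert.pem
TLSCertificateKeyFile   /etc/openldap/slapd-key.pem

# Global minimum: every operation needs at least 128 bits of protection.
security ssf=128

# More targeted variants from slapd.conf(5), if a global minimum is too strict:
#   security tls=128            require TLS specifically (an SSF from SASL
#                               alone would not satisfy this)
#   security simple_bind=128    only simple (password) binds must be protected
#   security update_ssf=128     only write operations must be protected
```

With this in place, `ldapsearch -x -ZZ ...` against port 389 works, while the same search without `-Z`/`-ZZ` is refused. Note the difference between the two flags: `-Z` issues StartTLS but carries on in the clear if it fails, whereas `-ZZ` aborts the session unless StartTLS actually succeeded, so `-ZZ` is the one to use when you want a hard guarantee on the client side as well.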