Should slurpd also support LDAPS without start_tls?
Am I correct in thinking that OpenLDAP slurpd relies on the LDAP V3
start_tls extended operation to perform LDAP/SSL and can't use the ldaps://
mechanisms supported by ldapsearch, ldapmodify etc.?
I'm having trouble using slurpd to replicate to an Active Directory Server
(based on a transformed changelog). I think it's because AD with W2K
doesn't support start_tls. (It certainly doesn't list the start_tls
supported extension 1.3.6.1.4.1.1466.20037, and I can't get start_tls
working even from ldapsearch).
If I've understood this correctly, what I'm wondering is if ldaps:// type
support for LDAP/SSL on port 636 should be added to slurpd so that it can
deal with other LDAP directories that don't support start_tls.
If ldapsearch and ldapmodify support both start_tls (-Z option) and LDAP/SSL
(-H ldaps:// option) mechanisms, then why not slurpd?
I need to use LDAP/SSL because certain operations such as AD password reset
must be over LDAP/SSL on port 636 and won't work with LDAP on 389. I'd
like to use start_tls because it's standard, but I can't with AD.
Maybe the replica bit of slapd.conf should have a "ssl=yes" option as an
alternative to "tls=yes" in which case it would do an ldaps:// style bind.
I've made this mod in slurpd to test it out. The changes are very small.
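As an added example, not part of the original post or of OpenLDAP itself: a small POSIX shell check for the question raised above, namely whether a directory advertises the Start TLS extended operation (OID 1.3.6.1.4.1.1466.20037) in its root DSE, and which ldapsearch transport to use as a result. The LDIF fragments embedded below are constructed, not captured from a real server, and HOST is a placeholder for the directory being tested.

```shell
#!/bin/sh
# Decide, from a server's root DSE, whether Start TLS is advertised.
# Live input for advertises_starttls would come from (HOST is a placeholder):
#   ldapsearch -x -LLL -H ldap://HOST:389 -s base -b '' supportedExtension

STARTTLS_OID='1.3.6.1.4.1.1466.20037'

# advertises_starttls LDIF_TEXT -> exit 0 if the Start TLS OID is listed, 1 otherwise.
# -x matches the whole line, -F treats the OID as a fixed string (the dots are literal).
advertises_starttls() {
    printf '%s\n' "$1" | grep -qxF "supportedExtension: ${STARTTLS_OID}"
}

# choose_transport HOST LDIF_TEXT -> prints the ldapsearch flags to use:
#   Start TLS on 389 (-ZZ, i.e. fail if TLS cannot be negotiated) when advertised,
#   LDAP over SSL on 636 (-H ldaps://) otherwise.
choose_transport() {
    host=$1
    ldif=$2
    if advertises_starttls "$ldif"; then
        echo "-ZZ -H ldap://${host}:389"
    else
        echo "-H ldaps://${host}:636"
    fi
}

# Constructed root DSE fragments (sample data, not real server output).
# An OpenLDAP-style DSE listing Start TLS and Password Modify:
OPENLDAP_DSE='dn:
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.1'

# A DSE that advertises no supportedExtension at all:
NO_STARTTLS_DSE='dn:
supportedLDAPVersion: 3
supportedLDAPVersion: 2'

# Stand-alone run: show the decision for both samples.
echo "ldap.example:  $(choose_transport ldap.example "$OPENLDAP_DSE")"
echo "ad.example:    $(choose_transport ad.example "$NO_STARTTLS_DSE")"
```

Either transport needs a trusted CA certificate configured on the client side (TLS_CACERT in ldap.conf) or the -ZZ attempt and the ldaps:// connection will both fail the certificate check; the script only decides which mechanism to try, it does not replace that configuration.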