[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: TLS or plain?

* Bennett, Tony - CNF (Bennett.Tony@cnf.com) wrote:
> It is my understanding that when a client connects
> to a server using ldaps://.... instead of ldap://...
> then a TLS session is first negotiated with the server,
> then the client uses whatever "method" is specified...

This isn't really accurate.  ldaps is for SSL sessions.  TLS is used on
the regular ldap:// port and is a way to 'upgrade' a connection to

> i.e. it could use authentication... "simple", "sasl", "Kerberos", etc.

Yes, this is correct, TLS/SSL are transport-level in general.  You can
use TLS and SASL/External to use TLS for authentication too but you
don't have to.

> There isn't a "tls-simple" authentication method.

Not sure what you mean here.  You could certainly use TLS or SSL and
simple authentication if you want.  I've been doing it all day today
testing some things out. :)

> I've used ldapsearch on an AIX system to connect to 
> Active Directory LDAP server on a Windows System using a
> "ldaps://..." URI to identify Active Directory, and 
> specified "-x" to use simple authentication
> instead of SASL.
> I no longer have a TLS enabled ActiveDirectory domain,
> but here's a trace of an attempt to run ldapsearch against

If you're using ldaps it's going to try and do a SSL connection, yes.


Attachment: pgpmGj0RmbIVl.pgp
Description: PGP signature