
Re: Turning off clear text - how 2 get tls only communications?

Jim C. wrote:


I'm doing something wrong here.  My objective is to turn off clear text
ldap communications with remote clients and use only tls on a Linux
system that uses ldap auth. Clear text with clients located on the
server is OK.

Questions to be answered:

1. Is ldaps the same as tls?  This is to say that if I set ssl start_tls
on the client, and set the ldap uris on slapd to "ldap:// ldaps:///" then in theory it *should* communicate ldaps on port 389 and
ldap on port 389 but only on the server.  This does not seem to be the
case.  What exactly should happen when I change the uri as mentioned?

"ssl start_tls" is not a configuration directive used by OpenLDAP, so the question is outside the scope of this forum.

Looking at the slapd man pages under "-h", it says that the default port
for ldap is 389 and for ldaps it is 636, it doesn't mention that using
"ldap:/// ldaps:///" causes it to talk ldap and tls on 389.  Does it
then also talk on port 636?

ldap:/// opens a plaintext listener on port 389. ldaps:/// opens an SSL listener on port 636.

What would be most useful is a short table
of client/server examples.  What works, what doesn't and why. Heck, I'd
even write it, if I knew more.

I'm sure this has been answered many times, but I haven't seen exactly this question in the FAQ, so:

"SSL" and "TLS" are the names of two closely related network session security protocols. Generally they are used interchangeably; TLS version 1.0 is essentially SSL version 3.1. The actual differences between TLS and SSLv3 are trivial, but TLS is an IETF standard and SSL is not. (SSL=Secure Sockets Layer, created by Netscape. TLS=Transport Layer Security, RFC2246.)

In LDAP URIs, the "ldap://" scheme is used to initiate an LDAP session over a cleartext TCP connection. The "ldaps://" scheme is not part of any standard, but is understood to mean an LDAP session initiated over an SSL/TLS connection.

There is a separate LDAP Extended Operation known as "StartTLS" that can be used to enable TLS on an already established LDAP session. People frequently jumble all of these terms together and confuse themselves, but the difference is really quite simple:

Both the ldap:// and ldaps:// schemes talk about establishing a particular kind of *connection* and then running an LDAP session over the new connection. The StartTLS operation takes an existing plaintext LDAP session and activates SSL/TLS on the existing connection. Ultimately the result is the same, but the steps to get there occur in opposite order.

Note that the StartTLS operation only works on a plaintext session; if your session already has SSL/TLS (because it was opened using ldaps://) then the StartTLS request is rejected - you can't "start" something that's already running.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support
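The following is an added example, not part of the original thread and not OpenLDAP's own code. It models the three things Howard's reply distinguishes: the listener a URI scheme implies (plaintext on 389 for ldap://, SSL/TLS on 636 for ldaps://), the StartTLS extended operation that upgrades an existing plaintext session, and the rule that StartTLS is rejected on a session that is already protected. The StartTLS request is emitted as the real BER-encoded LDAP ExtendedRequest (OID 1.3.6.1.4.1.1466.20037, RFC 4511), so the bytes can be compared against a packet capture. The `allowed_by_policy` check is an assumption added to express Jim's stated goal (no cleartext from remote clients, cleartext from local clients acceptable); the host list it uses is constructed for the example.

```python
"""LDAP transport-security model: ldap:// vs ldaps:// vs StartTLS.

Added example (not from the OpenLDAP mailing-list thread or project).
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

# StartTLS extended operation OID (RFC 4511 / RFC 2830).
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"

# Default ports as stated in the slapd man page: ldap -> 389, ldaps -> 636.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}

# Assumed "local client" addresses for the policy check (constructed for the example).
LOCAL_HOSTS = ("localhost", "127.0.0.1", "::1")


@dataclass
class LdapSession:
    scheme: str
    host: str
    port: int
    tls_active: bool   # True once the connection is protected by SSL/TLS
    msg_id: int = 1    # LDAPMessage messageID counter


def connect(uri: str) -> LdapSession:
    """Open a session according to the URI scheme.

    ldap://  -> plaintext TCP connection, TLS not (yet) active.
    ldaps:// -> SSL/TLS handshake first, then LDAP; TLS active from the start.
    """
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported URI scheme: {parts.scheme!r}")
    host = parts.hostname or "localhost"     # "ldap:///" means the local host
    port = parts.port or DEFAULT_PORTS[scheme]
    return LdapSession(scheme, host, port, tls_active=(scheme == "ldaps"))


def ber_len(n: int) -> bytes:
    """BER definite-form length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def starttls_request(session: LdapSession) -> bytes:
    """Encode LDAPMessage { messageID, ExtendedRequest { requestName = StartTLS OID } }.

    Raises if TLS is already active: the server rejects StartTLS on a
    session that is already protected, so a correct client never sends it.
    """
    if session.tls_active:
        raise RuntimeError("StartTLS rejected: TLS already active on this session")
    oid = STARTTLS_OID.encode("ascii")
    request_name = b"\x80" + ber_len(len(oid)) + oid          # [0] LDAPOID (context-specific, primitive)
    ext_req = b"\x77" + ber_len(len(request_name)) + request_name  # [APPLICATION 23] ExtendedRequest
    msg_id = b"\x02\x01" + bytes([session.msg_id])           # INTEGER messageID (single octet here)
    body = msg_id + ext_req
    return b"\x30" + ber_len(len(body)) + body               # SEQUENCE LDAPMessage


def start_tls(session: LdapSession) -> bytes:
    """Issue StartTLS on a plaintext session; returns the PDU that would go on the wire."""
    pdu = starttls_request(session)
    session.tls_active = True     # after a successful response the TLS handshake runs on the same socket
    session.msg_id += 1
    return pdu


def allowed_by_policy(session: LdapSession) -> bool:
    """Assumed policy from the question: cleartext is only acceptable from local clients."""
    return session.tls_active or session.host in LOCAL_HOSTS


if __name__ == "__main__":
    for uri in ("ldap://ldap.example.com", "ldaps://ldap.example.com", "ldap:///"):
        s = connect(uri)
        print(f"{uri:28} port={s.port} tls={s.tls_active} policy_ok={allowed_by_policy(s)}")
    s = connect("ldap://ldap.example.com")
    print("StartTLS PDU:", start_tls(s).hex(), "-> tls now", s.tls_active)
    try:
        start_tls(s)
    except RuntimeError as e:
        print(e)
```

Both routes end in the same state (`tls_active` true), but only the ldap:// session passes through a plaintext phase in which StartTLS can be sent, which is exactly the ordering difference the reply describes. Running the script shows a remote ldap:// client failing the assumed policy until StartTLS completes, while ldap:/// (local) passes either way.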