Re: Turning off clear text - how 2 get tls only communications?
Jim C. wrote:
> I'm doing something wrong here. My objective is to turn off clear text
> ldap communications with remote clients and use only tls on a Linux
> system that uses ldap auth. Clear text with clients located on the
> server is OK.
> Questions to be answered:
> 1. Is ldaps the same as tls? This is to say that if I set ssl start_tls
> on the client, and set the ldap uris on slapd to "ldap://127.0.0.1/
> ldaps:///" then in theory it *should* communicate ldaps on port 389 and
> ldap on port 389 but only on the server. This does not seem to be the
> case. What exactly should happen when I change the uri as mentioned?
"ssl start_tls" is not a configuration directive used by OpenLDAP, so
the question is outside the scope of this forum.
> Looking at the slapd man pages under "-h", it says that the default port
> for ldap is 389 and for ldaps it is 636, it doesn't mention that using
> "ldap:/// ldaps:///" causes it to talk ldap and tls on 389. Does it
> then also talk on port 636?
ldap:/// opens a plaintext listener on port 389. ldaps:/// opens an SSL
listener on port 636.
> What would be most useful is a short table
> of client/server examples. What works, what doesn't and why. Heck, I'd
> even write it, if I knew more.
I'm sure this has been answered many times, but I haven't seen exactly
this question in the FAQ, so:
"SSL" and "TLS" are the names of two closely related network session
security protocols. Generally they are used interchangeably; TLS version
1.0 is essentially SSL version 3.1. The actual differences between TLS
and SSLv3 are trivial, but TLS is an IETF standard and SSL is not.
(SSL=Secure Sockets Layer, created by Netscape. TLS=Transport Layer
In LDAP URIs, the "ldap://" scheme is used to initiate an LDAP session
over a cleartext TCP connection. The "ldaps://" scheme is not part of
any standard, but is understood to mean an LDAP session initiated over
an SSL/TLS connection.
There is a separate LDAP Extended Operation known as "StartTLS" that can
be used to enable TLS on an already established LDAP session. People
frequently jumble all of these terms together and confuse themselves,
but the difference is really quite simple:
Both the ldap:// and ldaps:// schemes talk about establishing a
particular kind of *connection* and then running an LDAP session over
the new connection. The StartTLS operation takes an existing plaintext
LDAP session and activates SSL/TLS on the existing connection.
Ultimately the result is the same, but the steps to get there occur in
Note that the StartTLS operation only works on a plaintext session; if
your session already has SSL/TLS (because it was opened using ldaps://)
then the StartTLS request is rejected - you can't "start" something
that's already running.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
Symas: Premier OpenSource Development and Support