
Re: openLDAP: LDAP and LDAP over TLS support at same time



--On Sunday, March 25, 2018 5:29 PM +0530 GOKUL G <g.gokul1991@gmail.com> wrote:

> ISSUE:
> We are able to integrate openLDAP with our application and achieve LDAP
> or LDAP/TLS requirement separately.
> Since the support for TLS in openLDAP is macro controlled (HAVE_TLS), at
> compile time itself it's decided whether LDAP or LDAPS, and we are not
> able to take this decision at run-time.
> If we compile openLDAP software with HAVE_TLS and use it for normal
> ldapsearch, this ldap command is seen in trace as an ldap message over SSL
> without any encryption, but not as a normal LDAP message.

You appear to be misunderstanding something if you believe you require two different library builds. Clearly all of the existing C-based clients can do plaintext (ldap) with a library where TLS support is enabled (note: NOT required).

I would also note there is much more to TLS encryption with LDAP than you've noted.

There are two methods of doing TLS encryption. One uses the RFC STARTTLS method, the other uses a TLS dedicated port (defaults to 443) using the non-RFC ldaps URI.

So, an LDAP client can connect in the following methods:

a) plain text (ldap:/// or ldapi:///)
b) issuing a startTLS operation (ldap:/// or ldapi:///)
c) dedicated TLS port (ldaps:///)

I would note that it is entirely possible, with a well written application, to support all of the above with the OpenLDAP C API compiled with HAVE_TLS. If you are unable to do this, you're misusing the API and/or do not understand the API. Generally, your client simply needs to know:

Should the connection be encrypted?
 No? ->
   Use ldap:/// without the startTLS control
 Yes? ->
   Do they want to use ldaps or startTLS?
       startTLS -> Use ldap with the startTLS control
       use ldaps

--Quanah


--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
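The decision tree above, as an added example that is not part of the thread: one libldap build with TLS enabled, with the ldap / StartTLS / ldaps choice made at run time. It uses python-ldap (a thin wrapper over the same OpenLDAP C library); the host, CA file and bind DN are assumed placeholders, and only connect() needs python-ldap installed.

```python
"""Pick plaintext ldap, ldap+StartTLS, or ldaps at run time with a single TLS-enabled libldap."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Plan:
    uri: str          # ldap:// or ldaps:// URI handed to ldap_initialize()
    start_tls: bool   # issue the StartTLS extended operation after connecting


def plan_connection(host: str, encrypt: bool, prefer_ldaps: bool = False,
                    port: int | None = None) -> Plan:
    """Encrypt? no -> ldap:// without StartTLS; yes -> ldaps:// or ldap:// + StartTLS."""
    if not encrypt:
        return Plan(f"ldap://{host}:{port or 389}", start_tls=False)   # credentials travel in the clear
    if prefer_ldaps:
        return Plan(f"ldaps://{host}:{port or 636}", start_tls=False)  # TLS from the first byte
    return Plan(f"ldap://{host}:{port or 389}", start_tls=True)        # TLS negotiated on the ldap port


def connect(plan: Plan, ca_file: str, bind_dn: str, password: str):
    """Open the connection described by plan and bind; assumed placeholder arguments."""
    import ldap  # python-ldap; imported here so plan_connection() works without it installed
    conn = ldap.initialize(plan.uri)
    conn.protocol_version = ldap.VERSION3
    if plan.start_tls or plan.uri.startswith("ldaps://"):
        # Same TLS verification settings for both encrypted modes: pin the CA, demand a valid cert.
        conn.set_option(ldap.OPT_X_TLS_CACERTFILE, ca_file)
        conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
        conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)  # apply the options to this handle's TLS context
    if plan.start_tls:
        # Raises on refusal or handshake failure; do not fall back to a plaintext bind.
        conn.start_tls_s()
    conn.simple_bind_s(bind_dn, password)
    return conn


if __name__ == "__main__":
    for encrypt, prefer_ldaps in ((False, False), (True, False), (True, True)):
        print(plan_connection("ldap.example.com", encrypt, prefer_ldaps))
```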