
Re: multiple listener ports

As Julio pointed out, using TLS/SSL with SASL does not require a
second port!  LDAP OVER SSL (LDAPv2 style ldaps) does.  Though
I am not sure of the need to support LDAP OVER SSL (given
TLS/SSL with SASL), adding such, I guess, is no big deal.

Long term, I actually would prefer we treat the "port"
directive as defining the "default" port for listening
but actually use "host" to define the bind() arguments.

port 389		# default LDAP port
sslport 636		# default LDAP over SSL port
host ldap:/// \	# listen on LDAP port in LDAP mode
	ldaps:///	# listen on LDAPS port in LDAP over SSL mode

would be the default and would set up two listeners.
One on 389 for LDAP (including SASL/TLS/SSL) and one
on 636 for LDAP over SSL.

However, one could:

host	ldap://ext-ip/ ldaps://ext-ip/ \
	ldap://int-ip/ ldaps://int-ip/

to set up four listeners, two in ldap mode and two in ldaps mode,
on four ip/port pairs.  The general directive syntax would be:

host	ldap{s}://host:port/ ...

Implementing the necessary infrastructure changes to support
multiple listeners would be relatively straightforward.
Then, of course, we should extend ACLs to support access controls
based upon local socket address and mode.  This, too, would
be rather straightforward.
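As an added illustration (not code from the post or from slapd), the following resolves the proposed `port` / `sslport` / `host` directives into the concrete (mode, address, port) listeners the server would bind(); it assumes an empty authority such as `ldap:///` means every interface, and rejects two URLs that would bind the same address/port, since the second bind() would fail.

```python
from urllib.parse import urlsplit

ANY_ADDR = "0.0.0.0"  # assumption: an empty authority ('ldap:///') means every interface

def parse_host_directive(value, port=389, sslport=636):
    """Expand 'ldap{s}://host:port/ ...' into (mode, address, port) tuples.
    A URL without an explicit port takes the configured default for its mode;
    two URLs that would bind() the same address/port are rejected."""
    defaults = {"ldap": port, "ldaps": sslport}
    listeners, seen = [], set()
    for url in value.split():
        parts = urlsplit(url)
        mode = parts.scheme.lower()
        if mode not in defaults:
            raise ValueError(f"unsupported listener scheme in {url!r}")
        try:
            lport = parts.port if parts.port is not None else defaults[mode]
        except ValueError as exc:  # non-numeric or out-of-range port
            raise ValueError(f"bad port in {url!r}") from exc
        addr = parts.hostname or ANY_ADDR
        if (addr, lport) in seen:
            raise ValueError(f"{url!r} duplicates a listener on {addr}:{lport}")
        seen.add((addr, lport))
        listeners.append((mode, addr, lport))
    return listeners

def listeners_from_config(text):
    """Read a slapd.conf-style fragment ('#' comments, backslash continuations)
    and resolve its port / sslport / host directives into listeners."""
    settings = {"port": 389, "sslport": 636, "host": "ldap:/// ldaps:///"}  # post's default
    pending = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        fields = (pending + line).split(None, 1)
        pending = ""
        if len(fields) == 2 and fields[0] in settings:
            key, arg = fields
            settings[key] = arg if key == "host" else int(arg)
    return parse_host_directive(settings["host"], settings["port"], settings["sslport"])

# Constructed sample: the default configuration proposed in the post.
SAMPLE_CONF = """\
port 389            # default LDAP port
sslport 636         # default LDAP over SSL port
host ldap:/// \\    # listen on LDAP port in LDAP mode
     ldaps:///      # listen on LDAPS port in LDAP over SSL mode
"""
```

`listeners_from_config(SAMPLE_CONF)` yields the two default listeners (ldap on 389, ldaps on 636 on all interfaces); the four-URL `host` line from the post yields four.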