[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ldaps://

To: marc.bigler@day.com
Subject: Re: ldaps://
From: Peter Marschall <peter.marschall@mayn.de>
Date: Thu, 17 Oct 2002 11:31:53 +0200
Cc: openldap-software@OpenLDAP.org
In-reply-to: <OFA288F3AC.B92F414F-ONC1256C54.0037AC52@day.com>
Organization: MPN
References: <OFA288F3AC.B92F414F-ONC1256C54.0037AC52@day.com>

Hi,

On Wednesday 16 October 2002 12:11, you wrote:
> So ldaps:// (using port 636) is deprecated and shouldn't be used anymore
> correct ? The new way is to go with TLS which will anyway run via ldap://
> (port 389) ?
LDAPS never was part of the official LDAP standard, while startTLS is 
a part of the official LDAPv3 standard.
So the support for LDAPS may someday go away from OpenLDAP,
while the support for start_tls will stay longer.
So, it's up to you to decide.

Technically LDAPS opens an encrypted connection and then does LDAP over it.

> I am also asking this because I've setted up my OpenLDAP with the
> TLSCertificates paramters, then did an ldapsearch using -ZZ and was
> surprised to see that it still used the port 389 for encrypted sessions and
> unencrypted sessions...
> Is that normal ?
Yes !
start_tls converts an already open unencrypted LDAP connection into a 
encrypted connection. So the port stays the same, since the connection
is the same, only the transferred data change ,-)))

> Also is there a way to dissallow unencrypted sessions, allowing only
> encrypted sessions using TLS ?
Look for security and/or ssf in slapd.conf(5)

CU
Peter
-- 
Peter Marschall     |   eMail: peter.marschall@mayn.de
Scheffelstraße 15   |          peter.marschall@is-energy.de
97072 Würzburg      |   Tel:   0931/14721
PGP:  D7 FF 20 FE E6 6B 31 74  D1 10 88 E0 3C FE 28 35

References:
- ldaps://
  - From: marc.bigler@day.com

Prev by Date: Re: revisiting openldap as auth server
Next by Date: Help me:Rename DN with childrens in PHP.
Index(es):
- Chronological
- Thread