[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: difference between ldaps and startTLS

thank you very much. It seems very much clear now.
But how can i restrict slapd to accept only SSL connections when using startTLS?

Lise Didillon

At 03:09 06/05/03 -0700, Howard Chu wrote:

X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2910.0)
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
In-Reply-To: <HBF.20030506kfl@bombur.uio.no>

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Hallvard B
> Furuseth

> Lise Didillon writes:
> > Could you explain me the difference between ldaps and TLS
> over 389, I never
> > really understand it.
> ldaps came first, because it's simpler.
> If I understand correctly, ldaps is the ldap protocol running inside the
> SSL protocol.  SSL is a wrapper protocol which can be run 'on top of'
> another protocol to make it safe.  So you initiate an SSL connection,
> and inside that you set up an LDAP 'connection'.
> On the other hand, the newer startTLS is built into the LDAP protocol
> itself.  You start a normal LDAP session, and then send the startTLS
> request which initiates the TLS layer.


> Other than that, the TLS and SSL protocols are very similar.

This sentence is a non-sequitur. Don't confuse the session setup mechanism
with the security protocol. TLS and SSL are, for all practical purposes,
completely interchangeable. But whether TLS is similar to or different from
SSL is completely orthogonal to how StartTLS relates to ldaps.

> > An other problem is if I run slapd only with ldaps I'm sure that
> > nobody can access to the slapd server without SSL.
> > It's not the case if I use the extended operation startTLS.
> True, though I suspect it's the other way around in practice: A library
> which implements TLS is likely to implement SSL as well, since they are
> so similar.  OTOH, if you have have an old LDAP implementation which
> does not implement TLS, you could still run it inside SSL if you have
> that.
> I imagine the advantages of TLS over SSL is that TLS is better
> integrated with LDAP, and that it doesn't take up another port.


The OpenLDAP library doesn't implement either SSL or TLS. That's what we use
the OpenSSL library for. The OpenLDAP library *does* implement ldaps and
StartTLS. On either type of session you may wind up negotiating the use of

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support