Re: openLDAP: LDAP and LDAP over TLS support at same time
- To: Quanah Gibson-Mount <quanah@symas.com>
- Subject: Re: openLDAP: LDAP and LDAP over TLS support at same time
- From: Raf Czlonka <rczlonka@gmail.com>
- Date: Wed, 28 Mar 2018 21:29:12 +0100
- Cc: GOKUL G <g.gokul1991@gmail.com>, openldap-technical@openldap.org
- Content-disposition: inline
- In-reply-to: <50602D64ACDDE077E9A5AA46@[192.168.1.10]>
- Mail-followup-to: Quanah Gibson-Mount <quanah@symas.com>, GOKUL G <g.gokul1991@gmail.com>, openldap-technical@openldap.org
- References: <CAK+T9MqZh=7hQbixa=hBt-L7gJq6XeWE1RNLGVA08nqzs0rVkg@mail.gmail.com> <50602D64ACDDE077E9A5AA46@[192.168.1.10]>
- User-agent: Mutt/1.9.4 (2018-02-28)
On Wed, Mar 28, 2018 at 09:15:51PM BST, Quanah Gibson-Mount wrote:
> --On Sunday, March 25, 2018 5:29 PM +0530 GOKUL G <g.gokul1991@gmail.com>
> wrote:
>
> > ISSUE:
> > We are able to integrate openLDAP with our application and achieve the LDAP
> > or LDAP/TLS requirement separately.
> > Since the support for TLS in openLDAP is macro controlled (HAVE_TLS), it is
> > decided at compile time itself whether LDAP or LDAPS is used, and we are not
> > able to take this decision at run-time.
> > If we compile the openLDAP software with HAVE_TLS and use it for a normal
> > ldapsearch, this ldap command is seen in the trace as an LDAP message over SSL
> > without any encryption, not as a normal LDAP message.
>
> You appear to be misunderstanding something if you believe you require two
> different library builds. Clearly all of the existing C based clients can
> do plaintext (ldap) with a library where TLS support is enabled (note: NOT
> required).
>
> I would also note there is much more to TLS encryption with LDAP than you've
> noted.
>
> There are two methods of doing TLS encryption. One uses the RFC STARTTLS
> method, the other uses a TLS dedicated port (defaults to 443) using the
^^^
Hi Quanah,
You obviously meant 636, right[0]?
[0] https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xml
Regards,
Raf
> non-RFC ldaps URI.
>
> So, an LDAP client can connect in the following methods:
>
> a) plain text (ldap:/// or ldapi:///)
> b) issuing a startTLS operation (ldap:/// or ldapi:///)
> c) dedicated TLS port (ldaps:///)
>
> I would note that it is entirely possible, with a well written application,
> to support all of the above with the OpenLDAP C API compiled with HAVE_TLS.
> If you are unable to do this, you're misusing the API and/or do not
> understand the API. Generally, your client simply needs to know:
>
> Should the connection be encrypted?
>   No? ->
>     Use ldap:/// without the startTLS control
>   Yes? ->
>     Do they want to use ldaps or startTLS?
>       startTLS -> Use ldap with the startTLS control
>       ldaps    -> use ldaps
>
> --Quanah
>
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
>
>
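The three connection modes in Quanah's list (plain ldap://, ldap:// followed by the StartTLS extended operation, and ldaps:// on the dedicated port, 636 per the IANA registry Raf cites) differ only in what the client does after the TCP connect, which is why one HAVE_TLS build of the library serves all of them. In the OpenLDAP C API the StartTLS step is ldap_start_tls_s(); the block below is an added example, not the list's or OpenLDAP's code, that performs the same step with nothing but the Python standard library so the wire-level difference is visible. It assumes the StartTLS request/response encoding from RFC 4511 (extended operation OID 1.3.6.1.4.1.1466.20037) and a CA file that trusts the server; the SAMPLE_STARTTLS_OK bytes are a constructed success response, not a capture from a real server, and the host name in the usage line is a placeholder.

```python
"""Plain LDAP, LDAP + StartTLS, and ldaps from one client, using only the standard library."""
import socket
import ssl

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"   # StartTLS extended operation (RFC 4511, RFC 2830)

# Minimal BER helpers; LDAP uses definite-length encoding only.
def _ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(body)) + body

def _ber_int(tag: int, value: int) -> bytes:
    return _tlv(tag, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, contents, position after the element) for the element at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def build_starttls_request(msgid: int) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] = StartTLS OID } }."""
    ext_req = _tlv(0x77, _tlv(0x80, STARTTLS_OID.encode("ascii")))
    return _tlv(0x30, _ber_int(0x02, msgid) + ext_req)

def parse_extended_response(data: bytes):
    """Decode an LDAPMessage carrying an ExtendedResponse [APPLICATION 24].
    Returns (messageID, resultCode, diagnosticMessage, responseName or None)."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, raw_id, pos = _read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    msgid = int.from_bytes(raw_id, "big", signed=True)
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x78:
        raise ValueError("not an ExtendedResponse (tag 0x%02x)" % tag)
    _, raw_rc, pos = _read_tlv(op, 0)          # resultCode ENUMERATED
    result_code = int.from_bytes(raw_rc, "big", signed=True)
    _, _matched_dn, pos = _read_tlv(op, pos)   # matchedDN
    _, diag, pos = _read_tlv(op, pos)          # diagnosticMessage
    response_name = None
    while pos < len(op):                       # optional referral [3], responseName [10], responseValue [11]
        tag, val, pos = _read_tlv(op, pos)
        if tag == 0x8A:
            response_name = val.decode("ascii")
    return msgid, result_code, diag.decode("utf-8", "replace"), response_name

# Constructed sample: success (resultCode 0) with the OID echoed back as responseName.
SAMPLE_STARTTLS_OK = bytes.fromhex("30 24 02 01 01 78 1f 0a 01 00 04 00 04 00 8a 16") + STARTTLS_OID.encode("ascii")

def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before StartTLS response")
        buf += chunk
    return buf

def _recv_message(sock: socket.socket) -> bytes:
    """Read exactly one BER-framed LDAPMessage off the cleartext socket."""
    head = _recv_exact(sock, 2)
    if head[1] & 0x80:
        head += _recv_exact(sock, head[1] & 0x7F)
        length = int.from_bytes(head[2:], "big")
    else:
        length = head[1]
    return head + _recv_exact(sock, length)

def open_ldap_connection(host: str, mode: str, port: int = None, cafile: str = None) -> socket.socket:
    """mode: 'plain' (ldap://, no TLS), 'starttls' (ldap:// then StartTLS), 'ldaps' (TLS from the first byte)."""
    if mode not in ("plain", "starttls", "ldaps"):
        raise ValueError("unknown mode %r" % mode)
    if port is None:
        port = 636 if mode == "ldaps" else 389     # IANA: ldap 389, ldaps 636
    ctx = ssl.create_default_context(cafile=cafile) # verifies certificate chain and host name
    sock = socket.create_connection((host, port), timeout=10)
    if mode == "ldaps":
        return ctx.wrap_socket(sock, server_hostname=host)
    if mode == "starttls":
        sock.sendall(build_starttls_request(1))
        msgid, rc, diag, _ = parse_extended_response(_recv_message(sock))
        if msgid != 1 or rc != 0:
            sock.close()                           # never fall back to cleartext on refusal
            raise ConnectionError("StartTLS refused: resultCode=%d %s" % (rc, diag))
        return ctx.wrap_socket(sock, server_hostname=host)
    return sock                                    # plain: same socket, no TLS

if __name__ == "__main__":
    print(build_starttls_request(1).hex())         # the bytes ldap_start_tls_s() puts on the wire
    # conn = open_ldap_connection("ldap.example.invalid", "starttls", cafile="/etc/ssl/certs/ca.pem")
```

The decision in open_ldap_connection() is Quanah's tree: no encryption wanted means the plain socket is returned untouched; encryption wanted means either TLS is negotiated before any LDAP bytes (ldaps, port 636) or the StartTLS extended operation is sent on the ordinary port and the TLS handshake happens only after a resultCode of success. The refusal branch matters: a client that quietly continues in cleartext when StartTLS fails has turned a security setting into a downgrade.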