
Re: difference between ldaps and startTLS



Lise Didillon writes:

> Could you explain to me the difference between ldaps and TLS over 389? I never 
> really understood it.

ldaps came first, because it's simpler.

If I understand correctly, ldaps is the ldap protocol running inside the
SSL protocol.  SSL is a wrapper protocol which can be run 'on top of'
another protocol to make it safe.  So you initiate an SSL connection,
and inside that you set up an LDAP 'connection'.

On the other hand, the newer startTLS is built into the LDAP protocol
itself.  You start a normal LDAP session, and then send the startTLS
request which initiates the TLS layer.

Other than that, the TLS and SSL protocols are very similar.

> Another problem is that if I run slapd only with ldaps I'm sure that
> nobody can access the slapd server without SSL.
> It's not the case if I use the extended operation startTLS.

True, though I suspect it's the other way around in practice: A library
which implements TLS is likely to implement SSL as well, since they are
so similar.  OTOH, if you have an old LDAP implementation which
does not implement TLS, you could still run it inside SSL if you have
that.

I imagine the advantages of TLS over SSL are that TLS is better
integrated with LDAP, and that it doesn't take up another port.

-- 
Hallvard
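The two flows described above, shown at the byte level as an added example. This is not code from Hallvard's message nor from OpenLDAP itself; it encodes and decodes the LDAPv3 StartTLS extended operation (OID 1.3.6.1.4.1.1466.20037, RFC 4511 section 4.14) with a minimal BER helper so the difference is visible: ldaps wraps the socket in TLS before a single LDAP byte is sent, while StartTLS sends one cleartext LDAP request on 389 and upgrades the same socket only after the server answers success. The sample response bytes are constructed for the example, not captured from a real slapd; host names and ports are the caller's.

```python
"""ldaps versus StartTLS from the client side (added example, not OpenLDAP code)."""
import socket
import ssl

# requestName of the StartTLS extended operation (RFC 4511 section 4.14).
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


def _ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + _ber_len(len(value)) + value


def _ber_int(n: int) -> bytes:
    """INTEGER / ENUMERATED content octets, minimal two's-complement length."""
    return n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True)


def build_starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    ext_req = _tlv(0x77, _tlv(0x80, STARTTLS_OID))   # 0x77 = [APPLICATION 23] constructed
    return _tlv(0x30, _tlv(0x02, _ber_int(message_id)) + ext_req)


def build_extended_response(message_id, result_code, diagnostic="", response_name=None):
    """Server side: LDAPMessage { messageID, ExtendedResponse [APPLICATION 24] }."""
    body = _tlv(0x0A, _ber_int(result_code))            # resultCode ENUMERATED
    body += _tlv(0x04, b"")                              # matchedDN, empty for StartTLS
    body += _tlv(0x04, diagnostic.encode())              # diagnosticMessage
    if response_name is not None:
        body += _tlv(0x8A, response_name)                # responseName [10]
    return _tlv(0x30, _tlv(0x02, _ber_int(message_id)) + _tlv(0x78, body))


def _read_tlv(data: bytes, pos: int = 0):
    """Return (tag, value, position after the element); rejects truncated input."""
    if pos + 2 > len(data):
        raise ValueError("truncated BER element")
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        if nbytes == 0:
            raise ValueError("indefinite length is not allowed in LDAP")
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(data):
        raise ValueError("BER length runs past end of data")
    return tag, data[pos:pos + length], pos + length


def parse_extended_response(data: bytes) -> dict:
    """Decode an ExtendedResponse; anything else raises ValueError."""
    tag, msg, _ = _read_tlv(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = _read_tlv(msg)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, body, _ = _read_tlv(msg, pos)
    if tag != 0x78:                                      # 0x78 = [APPLICATION 24]
        raise ValueError("expected ExtendedResponse, got tag 0x%02x" % tag)
    tag, code, pos = _read_tlv(body)
    if tag != 0x0A:
        raise ValueError("missing resultCode")
    _, matched, pos = _read_tlv(body, pos)
    _, diag, pos = _read_tlv(body, pos)
    out = {"message_id": int.from_bytes(mid, "big", signed=True),
           "result_code": int.from_bytes(code, "big", signed=True),
           "matched_dn": matched.decode(), "diagnostic": diag.decode(),
           "response_name": None}
    while pos < len(body):        # optional referral [3], responseName [10], responseValue [11]
        tag, val, pos = _read_tlv(body, pos)
        if tag == 0x8A:
            out["response_name"] = val.decode()
    return out


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-message")
        buf += chunk
    return buf


def recv_ldap_message(sock) -> bytes:
    """Read one complete BER-framed LDAPMessage from a socket."""
    head = _recv_exact(sock, 2)
    length = head[1]
    if length & 0x80:
        extra = _recv_exact(sock, length & 0x7F)
        head += extra
        length = int.from_bytes(extra, "big")
    return head + _recv_exact(sock, length)


def connect_ldaps(host, port=636, ctx=None):
    """ldaps: the TLS handshake comes first; LDAP only ever runs inside it."""
    ctx = ctx or ssl.create_default_context()            # verifies chain and host name
    return ctx.wrap_socket(socket.create_connection((host, port)), server_hostname=host)


def connect_starttls(host, port=389, ctx=None):
    """StartTLS: one cleartext LDAP round trip, then the same socket is upgraded."""
    ctx = ctx or ssl.create_default_context()
    sock = socket.create_connection((host, port))
    sock.sendall(build_starttls_request(1))
    resp = parse_extended_response(recv_ldap_message(sock))
    if resp["message_id"] != 1 or resp["result_code"] != 0:
        sock.close()                                     # never carry on in cleartext
        raise RuntimeError("StartTLS refused: %d %s" % (resp["result_code"], resp["diagnostic"]))
    return ctx.wrap_socket(sock, server_hostname=host)


# Constructed sample replies (not captured from a real server): success, and a refusal.
SAMPLE_OK = bytes.fromhex("300c02010178070a010004000400")
SAMPLE_REFUSED = build_extended_response(1, 1, "TLS already started")  # 1 = operationsError

if __name__ == "__main__":
    print(build_starttls_request(1).hex())
    print(parse_extended_response(SAMPLE_OK))
    print(parse_extended_response(SAMPLE_REFUSED))
```

Only the encoder, decoder and sample bytes run offline; connect_ldaps and connect_starttls need a live server. The check that matters on the StartTLS path is the one in connect_starttls: a client that proceeds when the ExtendedResponse is anything other than success (0) has quietly become a cleartext LDAP client on 389, which is exactly the gap Lise points out that ldaps-only closes by construction. On the server side, slapd can close the same gap with the `security` directive in slapd.conf (for example `security tls=128`), which refuses operations until TLS of at least that strength is in place on the connection.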