[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Should slurpd also support LDAPS without start_tls?



Hi,

I've submitted a patch (as suggested) to support an LDAP URI specification
for the replica host in slapd.conf.

As well as "replica host=slave.example.com:389" Alternatives like "replica
uri=ldap://slave.example.com:389"; or "replica
uri=ldaps://slave.example.com:636" can also be specified in which case
slurpd passes the URI to ldap_initialize() just like with the -H option to
ldapmodify (as distinct from -Z). This means not relying on start_tls to do
ldap over ssl to directories that don't support start_tls.

host= is deprecated in favor of uri=.

It certainly gets around the problem of replicating password changes with
LDAP over SSL to MS W2K ActiveDirectory using a transformed replog.

Changes are in slurpd, slapd and slapd.conf man pages. I'll submit a patch
to the Admin Guide real soon now.

Mark Benson



                                                                                                                               
                    "Kurt D. Zeilenga"                                                                                         
                    <Kurt@OpenLDAP.org>               To:     Mark.Benson@propero.net                                          
                    Sent by:                          cc:     openldap-software@OpenLDAP.org                                   
                    owner-openldap-software@Op        Subject:     Re: Should slurpd also support LDAPS without start_tls?     
                    enLDAP.org                                                                                                 
                                                                                                                               
                                                                                                                               
                    10/06/2003 16:55                                                                                           
                                                                                                                               
                                                                                                                               




At 08:26 AM 6/10/2003, Mark.Benson@propero.net wrote:
>Maybe the replica bit of slapd.conf should have a "ssl=yes" option as an
>alternative to "tls=yes" in which case it would do an ldaps:// style bind.
>I've made this mod in slurpd to test it out. The changes are very small.

Please note that the "s" in ldaps:// does not stand for SSL nor
does it necessarily imply use of SSL.  ldaps:// is commonly used
to negotiate TLS over TCP at session start.  StartTLS does generally
imply TLS, but most implementations also support fallback to SSL if
needed.

The "tls=" option implies Start TLS.  It likely should be renamed
to "starttls=" (as previously suggested).

To add ldaps:// support (for TLS and SSL), it would be better to
do this via addition of a URI parameter that deprecated the
HOST parameter.

Patches welcomed.

Kurt