Re: Should slurpd also support LDAPS without start_tls?
Hi,
I've submitted a patch (as suggested) to support an LDAP URI specification
for the replica host in slapd.conf.
As well as "replica host=slave.example.com:389", alternatives like "replica
uri=ldap://slave.example.com:389" or "replica
uri=ldaps://slave.example.com:636" can also be specified, in which case
slurpd passes the URI to ldap_initialize() just like with the -H option to
ldapmodify (as distinct from -Z). This means not relying on start_tls to do
ldap over ssl to directories that don't support start_tls.
host= is deprecated in favor of uri=.
It certainly gets around the problem of replicating password changes with
LDAP over SSL to MS W2K ActiveDirectory using a transformed replog.
Changes are in slurpd, slapd and slapd.conf man pages. I'll submit a patch
to the Admin Guide real soon now.
Mark Benson
"Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Sent by: owner-openldap-software@OpenLDAP.org
To: Mark.Benson@propero.net
cc: openldap-software@OpenLDAP.org
Subject: Re: Should slurpd also support LDAPS without start_tls?
10/06/2003 16:55
At 08:26 AM 6/10/2003, Mark.Benson@propero.net wrote:
>Maybe the replica bit of slapd.conf should have a "ssl=yes" option as an
>alternative to "tls=yes" in which case it would do an ldaps:// style bind.
>I've made this mod in slurpd to test it out. The changes are very small.
Please note that the "s" in ldaps:// does not stand for SSL nor
does it necessarily imply use of SSL. ldaps:// is commonly used
to negotiate TLS over TCP at session start. StartTLS does generally
imply TLS, but most implementations also support fallback to SSL if
needed.
The "tls=" option implies Start TLS. It likely should be renamed
to "starttls=" (as previously suggested).
To add ldaps:// support (for TLS and SSL), it would be better to
do this via addition of a URI parameter that deprecated the
HOST parameter.
Patches welcomed.
Kurt
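The thread turns on how a replica target is written in slapd.conf (deprecated host= plus tls=yes, versus a uri= that is handed straight to ldap_initialize()) and on what transport each form actually gets. The following is an added example, not code from slurpd or from either poster: a small hypothetical parser for the replica directive that normalizes host= to an ldap:// URI and classifies each target as ldaps (TLS at session start), starttls, or cleartext, so an administrator can spot replicas that would receive the replog, password changes included, unprotected. It assumes the tls=yes|critical spelling of slapd.conf(5) and a constructed configuration fragment.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass
class ReplicaTarget:
    uri: str        # normalized LDAP URI, what slurpd would pass to ldap_initialize()
    starttls: bool  # tls=yes|critical present -> StartTLS on a plain ldap:// session
    mode: str       # "ldaps" (TLS at session start), "starttls", or "cleartext"

def parse_replica(line: str) -> ReplicaTarget:
    """Parse one slapd.conf 'replica' directive (hypothetical parser, not slurpd's)."""
    if not line.strip().startswith("replica"):
        raise ValueError("not a replica directive")
    # key=value pairs; values may be double-quoted, e.g. binddn="cn=...,dc=..."
    opts = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    if "uri" in opts:
        uri = opts["uri"]
    elif "host" in opts:
        # deprecated form: host=name[:port] always means a plain ldap:// session
        uri = "ldap://" + opts["host"]
    else:
        raise ValueError("replica needs uri= or host=")
    parts = urlsplit(uri)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError(f"unsupported replica URI: {uri}")
    # assumed: tls=yes|critical as documented for slapd.conf; anything else is off
    starttls = opts.get("tls", "no").lower() in ("yes", "critical")
    if parts.scheme == "ldaps":
        mode = "ldaps"
    elif starttls:
        mode = "starttls"
    else:
        mode = "cleartext"
    return ReplicaTarget(uri, starttls, mode)

def cleartext_replicas(conf: str) -> list[str]:
    """URIs of replicas that get the replog with no transport protection at all.
    Continuation lines (leading whitespace) are folded as slapd.conf does."""
    logical = re.sub(r"\n[ \t]+", " ", conf)
    targets = [parse_replica(l) for l in logical.splitlines() if l.startswith("replica")]
    return [t.uri for t in targets if t.mode == "cleartext"]

# constructed slapd.conf fragment: one ldaps:// target, one StartTLS target, one unprotected
SAMPLE_CONF = """\
replica uri=ldaps://slave.example.com:636
    binddn="cn=replicator,dc=example,dc=com" bindmethod=simple credentials=secret
replica host=slave2.example.com:389 tls=yes
    binddn="cn=replicator,dc=example,dc=com" bindmethod=simple credentials=secret
replica host=legacy.example.com:389
    binddn="cn=replicator,dc=example,dc=com" bindmethod=simple credentials=secret
"""
```

Running cleartext_replicas(SAMPLE_CONF) flags only ldap://legacy.example.com:389; a directory that cannot do StartTLS (the Active Directory case in the thread) is covered by the ldaps:// form rather than by dropping protection.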