RE: TSL / SSL
Ah, that makes perfect sense. So the only thing that is deprecated is the use of a separate port for SSL encryption. Is this only the case in 2.1, or does it apply to 2.0 as well? And if I wanted to restrict access to encrypted traffic only, would the following lines I stole from a post by Kurt Zeilenga do the trick in 2.0?
access to *
by ssf=128 self write
by ssf=64 anonymous auth
by ssf=64 users read
Thanks,
Jason
-----Original Message-----
From: Howard Chu [mailto:hyc@highlandsun.com]
Sent: Sunday, June 16, 2002 6:03 PM
To: Jason Corley; Kurt D. Zeilenga; openldap-software@OpenLDAP.org
Subject: RE: TSL / SSL
> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Jason Corley
> I'm a little confused by the word "deprecated" here in reference
> to ldaps. I thought ldaps was ssl encrypted openldap traffic? I
> guess I'm not understanding what the proper way to configure
> openldap and/or initiate encrypted traffic is based on this
> statement. Pointers to documentation more than welcome.
The practice of using ldaps, i.e. LDAP on SSL, arose with LDAPv2. It was
never formally documented as a standard. A listener port that is configured
for ldaps can only accept SSL connections, not cleartext connections.
The LDAPv3 standard defined a new LDAP request called StartTLS that can
be sent after a connection is established. So a single cleartext listener
port can be used to handle both cleartext sessions and TLS-encrypted
sessions. This approach is more flexible, as it doesn't require a
dedicated listener port for encrypted sessions.
Once the encrypted session has been established, there's no difference between the two methods.
> -----Original Message-----
> From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org]
> Sent: Sat 6/15/2002 9:33 PM
> To: Benoit LEROYER
> Cc: Informations; openldap-software@OpenLDAP.org
> Subject: Re: TSL / SSL
> At 10:07 AM 2002-06-14, Benoit LEROYER wrote:
> >What is the difference between starttls and ldaps?
>
> Start TLS (RFC 2830) is the standard track mechanism,
> an LDAP operation, used to establish TLS.
>
> ldaps:// is a deprecated, non-standard track mechanism
> for establishing TLS based upon mutually agreed upon
> TCP service ports.
>
> OpenLDAP supports both mechanisms.
>
> Kurt
> >Kurt D. Zeilenga wrote:
> >
> >>At 09:46 AM 2002-06-14, Informations wrote:
> >>
> >>>if I use only ldaps protocol (openldap compiled with openssl)
> >>>with crypt Userpassword, is it secure?
> >>>if not what is the better solution ?
> >>Better, as in stronger? The strongest authentication
> >>mechanism supported by OpenLDAP is StartTLS+SASL/EXTERNAL.
> >--
> >------------------------------------------
> >Benoit LEROYER - G.I.D.E (benoit@gide.net)
> >Tél : 02.40.89.92.87
> >Web : http://www.gide.net
> >------------------------------------------
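Added illustration (not from this thread and not OpenLDAP code) of the point Howard and Kurt make above: StartTLS is an ordinary LDAP operation, an ExtendedRequest carrying the OID 1.3.6.1.4.1.1466.20037 on the cleartext port, and the TLS handshake begins only after the server's ExtendedResponse, whereas an ldaps:// port starts with the TLS handshake before any LDAP PDU. The script below hand-encodes and parses those two PDUs in BER and models the client and server decisions with the result codes RFC 2830 section 2.3 names. It runs offline; no socket is opened, the PDUs are constructed in memory, and the server-side "already active" / "not supported" flags are assumptions for the illustration.

```python
"""Added illustration of StartTLS (RFC 2830) at the BER level, not OpenLDAP
code: an ExtendedRequest on the cleartext LDAP port, an ExtendedResponse, and
only then a TLS handshake. Built and parsed in memory, so it runs offline."""

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # RFC 2830 section 2.1
SEQUENCE, INTEGER, ENUMERATED, OCTET_STRING = 0x30, 0x02, 0x0A, 0x04
EXTENDED_REQUEST, EXTENDED_RESPONSE = 0x60 | 23, 0x60 | 24  # [APPLICATION 23/24]
REQUEST_NAME, RESPONSE_NAME = 0x80, 0x8A  # [0] and [10] LDAPOID, context tags
SUCCESS, OPERATIONS_ERROR, PROTOCOL_ERROR = 0, 1, 2  # RFC 2830 section 2.3

def ber_len(n):
    """BER definite length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, value):
    return bytes([tag]) + ber_len(len(value)) + value

def ber_int(tag, n):
    """Shortest two's-complement INTEGER/ENUMERATED encoding for n >= 0."""
    return tlv(tag, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))

def parse_tlv(buf, pos=0):
    """Decode one TLV at pos; returns (tag, value, offset after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form; a bare 0x80 is indefinite length, illegal in LDAP
        n = length & 0x7F
        if n == 0:
            raise ValueError("indefinite length not allowed in LDAP")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated PDU")
    return tag, buf[pos:pos + length], pos + length

def unwrap_message(pdu, op_tag):
    """Split an LDAPMessage into (messageID, protocolOp bytes), checking tags."""
    tag, body, end = parse_tlv(pdu)
    if tag != SEQUENCE or end != len(pdu):
        raise ValueError("not a single LDAPMessage")
    tag, mid, pos = parse_tlv(body)
    tag2, op, _ = parse_tlv(body, pos)
    if tag != INTEGER or tag2 != op_tag:
        raise ValueError("unexpected messageID or protocolOp tag")
    return int.from_bytes(mid, "big", signed=True), op

def build_starttls_request(message_id):
    """Client: LDAPMessage { messageID, ExtendedRequest { requestName = OID } }."""
    op = tlv(EXTENDED_REQUEST, tlv(REQUEST_NAME, STARTTLS_OID.encode("ascii")))
    return tlv(SEQUENCE, ber_int(INTEGER, message_id) + op)

def build_extended_response(message_id, code, diagnostic="", response_name=None):
    body = ber_int(ENUMERATED, code) + tlv(OCTET_STRING, b"")  # resultCode, empty matchedDN
    body += tlv(OCTET_STRING, diagnostic.encode("utf-8"))      # diagnosticMessage
    if response_name is not None:
        body += tlv(RESPONSE_NAME, response_name.encode("ascii"))
    return tlv(SEQUENCE, ber_int(INTEGER, message_id) + tlv(EXTENDED_RESPONSE, body))

def parse_extended_response(pdu):
    """Returns (messageID, resultCode, diagnostic, responseName or None)."""
    mid, op = unwrap_message(pdu, EXTENDED_RESPONSE)
    tag, code, pos = parse_tlv(op)
    if tag != ENUMERATED:
        raise ValueError("missing resultCode")
    _, _matched_dn, pos = parse_tlv(op, pos)
    _, diag, pos = parse_tlv(op, pos)
    name = None
    while pos < len(op):  # optional referral [3], responseName [10], responseValue [11]
        tag, val, pos = parse_tlv(op, pos)
        if tag == RESPONSE_NAME:
            name = val.decode("ascii")
    return mid, int.from_bytes(code, "big", signed=True), diag.decode("utf-8"), name

def server_handle_starttls(pdu, tls_supported=True, tls_already_active=False):
    """Server: pick the result code RFC 2830 section 2.3 prescribes for each case.
    The two flags stand in for real listener state (assumption for this example)."""
    mid, op = unwrap_message(pdu, EXTENDED_REQUEST)
    tag, name, _ = parse_tlv(op)
    if tag != REQUEST_NAME or name != STARTTLS_OID.encode("ascii"):
        return build_extended_response(mid, PROTOCOL_ERROR, "unsupported extended operation")
    if not tls_supported:
        return build_extended_response(mid, PROTOCOL_ERROR, "TLS not supported", STARTTLS_OID)
    if tls_already_active:
        return build_extended_response(mid, OPERATIONS_ERROR, "TLS already established", STARTTLS_OID)
    return build_extended_response(mid, SUCCESS, "", STARTTLS_OID)

def client_may_start_handshake(pdu, expected_id):
    """Client: begin the TLS handshake only on a success response to its own request."""
    mid, code, _diag, _name = parse_extended_response(pdu)
    return mid == expected_id and code == SUCCESS

if __name__ == "__main__":
    req = build_starttls_request(1)  # the first PDU a StartTLS client sends, in cleartext
    print("StartTLS request:", req.hex())
    print("handshake allowed:", client_may_start_handshake(server_handle_starttls(req), 1))
```

The 31-byte request this produces (30 1d 02 01 01 77 18 80 16 followed by the OID as ASCII) is what appears on the wire on port 389 before any encryption, which is why a single cleartext listener can serve both plain and TLS sessions. With the OpenLDAP tools, `ldapsearch -ZZ` issues this operation and aborts unless it succeeds, while `ldapsearch -H ldaps://host/` skips it and begins with the TLS handshake on the dedicated port.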