[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: ldaps://
Hi,
On Wednesday 16 October 2002 12:11, you wrote:
> So ldaps:// (using port 636) is deprecated and shouldn't be used anymore
> correct ? The new way is to go with TLS which will anyway run via ldap://
> (port 389) ?
LDAPS never was part of the official LDAP standard, while startTLS is
a part of the official LDAPv3 standard.
So the support for LDAPS may someday go away from OpenLDAP,
while the support for start_tls will stay longer.
So, it's up to you to decide.
Technically LDAPS opens an encrypted connection and then does LDAP over it.
> I am also asking this because I've setted up my OpenLDAP with the
> TLSCertificates paramters, then did an ldapsearch using -ZZ and was
> surprised to see that it still used the port 389 for encrypted sessions and
> unencrypted sessions...
> Is that normal ?
Yes !
start_tls converts an already open unencrypted LDAP connection into a
encrypted connection. So the port stays the same, since the connection
is the same, only the transferred data change ,-)))
> Also is there a way to dissallow unencrypted sessions, allowing only
> encrypted sessions using TLS ?
Look for security and/or ssf in slapd.conf(5)
CU
Peter
--
Peter Marschall | eMail: peter.marschall@mayn.de
Scheffelstraße 15 | peter.marschall@is-energy.de
97072 Würzburg | Tel: 0931/14721
PGP: D7 FF 20 FE E6 6B 31 74 D1 10 88 E0 3C FE 28 35