
Should slurpd also support LDAPS without start_tls?

Hi,

Am I correct in thinking that OpenLDAP slurpd relies on the LDAP V3
start_tls extended operation to perform LDAP/SSL and can't use the ldaps://
mechanisms supported by ldapsearch, ldapmodify etc.?

I'm having trouble using slurpd to replicate to an Active Directory Server
(based on a transformed changelog). I think it's because AD with W2K
doesn't support start_tls. (It certainly doesn't list the start_tls
supported extension 1.3.6.1.4.1.1466.20037, and I can't get start_tls
working even from ldapsearch).

If I've understood this correctly, what I'm wondering is if ldaps:// type
support for LDAP/SSL on port 636 should be added to slurpd so that it can
deal with other LDAP directories that don't support start_tls.

If ldapsearch and ldapmodify support both the start_tls (-Z option) and LDAP/SSL
(-H ldaps:// option) mechanisms, then why not slurpd?

I need to use LDAP/SSL because certain operations such as AD password reset
must be over LDAP/SSL on port 636 and won't work with LDAP on 389. I'd
like to use start_tls because it's standard, but I can't with AD.

Maybe the replica bit of slapd.conf should have a "ssl=yes" option as an
alternative to "tls=yes" in which case it would do an ldaps:// style bind.
I've made this mod in slurpd to test it out. The changes are very small.

Comments appreciated.

Mark.
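The check behind this thread, as an added example that is not part of the original post or of OpenLDAP: read a server's rootDSE (here two constructed LDIF answers, not captured output) for the start_tls supportedExtension OID cited above, and pick StartTLS on 389 when it is advertised or ldaps:// on 636 otherwise. The "ssl=yes" / "tls=yes" labels are the replica options Mark proposes, not real slapd.conf keywords.

```python
from __future__ import annotations

import base64

# OID the post cites as the StartTLS supportedExtension (RFC 2830 / RFC 4511).
START_TLS_OID = "1.3.6.1.4.1.1466.20037"

# Constructed sample rootDSE answers (not captured from a real server), in the LDIF
# shape `ldapsearch -x -s base -b "" supportedExtension` prints. Long LDIF lines wrap
# with a leading space, so the parser folds continuation lines before splitting.
OPENLDAP_LIKE = """\
dn:
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
"""
NO_START_TLS = """\
dn:
supportedExtension: 1.3.6.1.4.1.42
 03.1.11.3
"""


def parse_ldif_entry(text: str) -> dict[str, list[str]]:
    """Fold continuation lines and collect attribute values, decoding base64 ('::') ones."""
    folded: list[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and folded:
            folded[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            folded.append(raw)
    attrs: dict[str, list[str]] = {}
    for line in folded:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):  # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def advertises_start_tls(rootdse_ldif: str) -> bool:
    return START_TLS_OID in parse_ldif_entry(rootdse_ldif).get("supportedextension", [])


def replica_uri(host: str, rootdse_ldif: str) -> tuple[str, str]:
    """StartTLS over ldap://:389 when advertised, else ldaps://:636 (the proposed ssl=yes path)."""
    if advertises_start_tls(rootdse_ldif):
        return f"ldap://{host}:389", "tls=yes"
    return f"ldaps://{host}:636", "ssl=yes"
```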