* Bennett, Tony - CNF (Bennett.Tony@cnf.com) wrote:
> It is my understanding that when a client connects
> to a server using ldaps://.... instead of ldap://...
> then a TLS session is first negotiated with the server,
> then the client uses whatever "method" is specified...

This isn't really accurate. ldaps is for SSL sessions. TLS is used on the
regular ldap:// port and is a way to 'upgrade' a connection to encrypted.

> i.e. it could use authentication... "simple", "sasl", "Kerberos", etc.

Yes, this is correct, TLS/SSL are transport-level in general. You can use
TLS and SASL/External to use TLS for authentication too but you don't
have to.

> There isn't a "tls-simple" authentication method.

Not sure what you mean here. You could certainly use TLS or SSL and
simple authentication if you want. I've been doing it all day today
testing some things out. :)

> I've used ldapsearch on an AIX system to connect to
> Active Directory LDAP server on a Windows System using a
> "ldaps://..." URI to identify Active Directory, and
> specified "-x" to use simple authentication
> instead of SASL.
>
> I no longer have a TLS enabled ActiveDirectory domain,
> but here's a trace of an attempt to run ldapsearch against

If you're using ldaps it's going to try and do a SSL connection, yes.

Stephen
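
As an added illustration (not part of the original message), the sketch below BER-encodes the StartTLS extended request that upgrades an ldap:// connection, plus a simple bind and a SASL/EXTERNAL bind, and lists the order of steps for each transport. The function names, DN and password are constructed for the example; the encodings follow the LDAPv3 protocol (RFC 4511).

```python
# Added example, not code from the thread: LDAPv3 messages as they go on the wire.
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # StartTLS extended operation OID

def tlv(tag: int, value: bytes) -> bytes:
    """Encode one BER tag-length-value, switching to long-form length at 128 bytes."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + value

def ldap_message(msg_id: int, op: bytes) -> bytes:
    # LDAPMessage ::= SEQUENCE { messageID, protocolOp }; msg_id < 128 in this sketch
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + op)

def starttls_request(msg_id: int) -> bytes:
    # ExtendedRequest is [APPLICATION 23]; requestName carries context tag [0]
    return ldap_message(msg_id, tlv(0x77, tlv(0x80, STARTTLS_OID)))

def simple_bind(msg_id: int, dn: str, password: str) -> bytes:
    # BindRequest [APPLICATION 0]: version 3, name, simple [0] = the password itself
    body = tlv(0x02, b"\x03") + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return ldap_message(msg_id, tlv(0x60, body))

def sasl_external_bind(msg_id: int) -> bytes:
    # sasl [3] with mechanism EXTERNAL: identity comes from the TLS client certificate
    body = tlv(0x02, b"\x03") + tlv(0x04, b"") + tlv(0xA3, tlv(0x04, b"EXTERNAL"))
    return ldap_message(msg_id, tlv(0x60, body))

def session_plan(uri: str, starttls: bool, bind: bytes) -> list:
    """Ordered steps for a connection; the bind method is independent of transport."""
    scheme = uri.split("://", 1)[0].lower()
    if scheme == "ldaps":                    # SSL/TLS handshake before any LDAP traffic
        return [("tls-handshake", b""), ("bind", bind)]
    if scheme == "ldap" and starttls:        # upgrade in place on the regular port
        return [("starttls", starttls_request(1)), ("tls-handshake", b""), ("bind", bind)]
    if scheme == "ldap":                     # no protection: bind bytes are readable
        return [("bind-in-cleartext", bind)]
    raise ValueError("unsupported scheme: " + scheme)

if __name__ == "__main__":
    bind = simple_bind(2, "cn=test,dc=example,dc=com", "constructed-pw")  # constructed values
    for uri, upgrade in (("ldaps://dc.example.com", False), ("ldap://dc.example.com", True),
                         ("ldap://dc.example.com", False)):
        print(uri, upgrade, [(step, data.hex()) for step, data in session_plan(uri, upgrade, bind)])
```

The simple bind carries the password verbatim inside the `0x80` element, which is why it is only safe after one of the two TLS paths has completed.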