
RE: TLS or plain?



Yes "LDAP on top of SSL/TLS layer (out-of-band 
encryption tunnel usually on separate port) vs. using StartTLS extended 
operation in an existing LDAPv3 connection (negotiating encryption tunnel 
in-band)." is correct.

That is because I had to authenticate via ActiveDirectory,
and ActiveDirectory doesn't support "StartTLS extended operation".
(See: "Possible Issues" on
http://support.microsoft.com/default.aspx?scid=kb%3ben-us%3b321051 ).



-tony

-----Original Message-----
From: Michael Ströder [mailto:michael@stroeder.com] 
Sent: Monday, July 21, 2003 10:21 AM
To: Stephen Frost
Cc: openldap-software@OpenLDAP.org
Subject: Re: TLS or plain?


Stephen Frost wrote:
> * Bennett, Tony - CNF (Bennett.Tony@cnf.com) wrote:
> 
>>It is my understanding that when a client connects
>>to a server using ldaps://.... instead of ldap://...
>>then a TLS session is first negotiated with the server,
>>then the client uses whatever "method" is specified...
> 
> This isn't really accurate.  ldaps is for SSL sessions.  TLS is used 
> on the regular ldap:// port and is a way to 'upgrade' a connection to 
> encrypted.

*Your* explanation isn't really accurate.

You probably are talking about LDAP on top of SSL/TLS layer (out-of-band 
encryption tunnel usually on separate port) vs. using StartTLS extended 
operation in an existing LDAPv3 connection (negotiating encryption tunnel 
in-band).

TLSv1 is the successor of SSLv3 standardized by the IETF (SSL was a 
proprietary protocol developed by Netscape) and it has nothing to do with 
LDAP in the first place. If you use ldaps:// depending on the client and 
server configuration you can either use SSL or TLS.

Ciao, Michael.
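The distinction Michael draws (out-of-band tunnel for ldaps:// versus the in-band StartTLS extended operation on a plain ldap:// connection) and the situation Tony describes (a server that does not offer StartTLS) can be shown in a few lines of code. This is an added illustration, not code from the list thread or from OpenLDAP; the host names are constructed, and the `supported_extensions` argument stands in for the server's rootDSE `supportedExtension` values, which a real client would read before deciding.

```python
"""
Two ways to get TLS on an LDAP connection:

  ldaps://  -> negotiate the TLS tunnel first (out-of-band, usually port 636),
               then speak LDAP inside it
  ldap://   -> speak LDAP in the clear first, then send the StartTLS extended
               operation in-band to upgrade the existing connection

The BER encoder is deliberately minimal (short-form lengths only), which is
enough for the StartTLS request: it carries a requestName and no requestValue.
"""
from urllib.parse import urlsplit

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"   # StartTLS extended operation (RFC 4511)


def ber_tlv(tag: int, payload: bytes) -> bytes:
    """Encode one BER TLV; only short-form lengths (< 128 bytes) are supported."""
    if len(payload) >= 128:
        raise ValueError("short-form BER length only")
    return bytes([tag, len(payload)]) + payload


def starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, extendedReq [APPLICATION 23] { requestName [0] OID } }."""
    if not 0 <= message_id <= 127:
        raise ValueError("single-byte messageID only in this toy encoder")
    msg_id = ber_tlv(0x02, bytes([message_id]))            # INTEGER
    request_name = ber_tlv(0x80, STARTTLS_OID.encode())     # [0] context-specific, primitive
    extended_req = ber_tlv(0x77, request_name)              # [APPLICATION 23], constructed
    return ber_tlv(0x30, msg_id + extended_req)             # outer SEQUENCE


def tls_plan(url: str, supported_extensions: list[str]) -> str:
    """Decide how encryption is obtained for an LDAP URL.

    supported_extensions: the server's rootDSE 'supportedExtension' OIDs,
    assumed to have been read over the plain connection beforehand.
    """
    scheme = urlsplit(url).scheme.lower()
    if scheme == "ldaps":
        return "tls-first"          # tunnel is up before any LDAP PDU is sent
    if scheme != "ldap":
        raise ValueError(f"not an LDAP URL: {url}")
    if STARTTLS_OID in supported_extensions:
        return "starttls"           # send starttls_request() on the open ldap:// socket
    return "cleartext-only"         # Tony's case: server does not advertise StartTLS


if __name__ == "__main__":
    print(starttls_request().hex())                                  # constructed demo
    print(tls_plan("ldaps://dc.example.test/", []))
    print(tls_plan("ldap://dc.example.test/", [STARTTLS_OID]))
    print(tls_plan("ldap://dc.example.test/", []))
```

A client that gets `cleartext-only` back should refuse to bind rather than fall through to a plaintext simple bind, which is the failure mode that makes the ldaps:// choice in the thread the safe one.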