> I personally feel more comfortable having LDAP on an SSL port only, then
> I know there is no way my server can be accessed accidentally without
> encryption in place.

Call me paranoid, but I completely agree. Especially since the primary purpose of auth_ldap is authentication, i.e. user IDs and passwords are constantly being passed on the wire.

> This doesn't mean that APR-util doesn't support the concept of starting
> and stopping tls, it only means that util_ldap doesn't choose to use
> this option.

So we should probably split start_tls out from apr_ldap_ssl_init() into its own API. This way some other module or application built on top of apr-util will have the ability to start and stop TLS at will.

Brad

>>> [EMAIL PROTECTED] Thursday, January 06, 2005 2:18 PM >>>
Brad Nicholes wrote:
> I guess I am still a little unclear on what the advantage is to using
> ldap:// + start_tls vs. ldaps://. The end result is the same except
> that you have a secure connection to the LDAP server on 389 rather than
> 636. Is that the only reason?

Apparently ldap:// + STARTTLS is a standard, and ldaps:// is not a standard (although it's universally supported). The end result of both methods is the same - a secure connection.

I personally feel more comfortable having LDAP on an SSL port only, then I know there is no way my server can be accessed accidentally without encryption in place. But others want to use STARTTLS, and if it's technically possible, I see no reason to stop them.

> Something to think about - what about ldap connection caching? Are the
> ldap://+start_tls connections cached separately from ldap:// and
> ldaps:// connections?

No - there is just one cache of connections. SSL/TLS is negotiated when the connection is first established, and remains that way until the connection is closed. Whether the initial negotiation was SSL or STARTTLS makes no difference; once util_ldap has said STARTTLS it doesn't stop TLS again until the connection is disposed of. This doesn't mean that APR-util doesn't support the concept of starting and stopping TLS, it only means that util_ldap doesn't choose to use this option.

Regards,
Graham
--
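The choice the thread discusses (ldaps:// on 636 versus ldap:// on 389 with STARTTLS before the bind), as an added example that is not part of the original messages and not apr-util or util_ldap code: a small Python client built on the third-party ldap3 library (assumed installed) that accepts either URL form but never sends the bind password until TLS is up, and validates the server certificate in both cases. The `plan_ldap_bind` policy function, the hostnames and the CA file path are constructed placeholders.

```python
"""Enforce 'credentials only over TLS' for an LDAP bind, whichever of
ldaps:// or ldap:// + STARTTLS the deployment uses.

Added example: not code from apr-util, util_ldap or auth_ldap."""
import ssl
from urllib.parse import urlparse


def plan_ldap_bind(url, allow_starttls=True):
    """Decide how a bind to `url` may be made without a cleartext password.

    Returns a dict with host, port, use_ssl (ldaps://) and start_tls
    (ldap:// with STARTTLS required before bind). Raises ValueError for
    any URL that would otherwise lead to an unencrypted bind."""
    parts = urlparse(url)
    scheme = parts.scheme.lower()
    if scheme == "ldaps":
        # Encrypted from the first byte; default port 636.
        return {"host": parts.hostname, "port": parts.port or 636,
                "use_ssl": True, "start_tls": False}
    if scheme == "ldap":
        # Plain port 389: only acceptable if we upgrade with STARTTLS first.
        if not allow_starttls:
            raise ValueError("plain ldap:// refused: STARTTLS disabled by policy")
        return {"host": parts.hostname, "port": parts.port or 389,
                "use_ssl": False, "start_tls": True}
    raise ValueError("unsupported LDAP URL scheme: %r" % scheme)


def open_secure_connection(url, bind_dn, password, ca_certs_file,
                           allow_starttls=True):
    """Open and bind with ldap3 (imported here so plan_ldap_bind stays
    usable without the library). The server certificate is always
    validated; with ldap:// the bind is attempted only after start_tls()
    succeeded, so a failed STARTTLS never falls back to cleartext."""
    from ldap3 import Server, Connection, Tls  # third-party; assumed installed

    plan = plan_ldap_bind(url, allow_starttls)
    tls = Tls(validate=ssl.CERT_REQUIRED, ca_certs_file=ca_certs_file)
    server = Server(plan["host"], port=plan["port"],
                    use_ssl=plan["use_ssl"], tls=tls)
    conn = Connection(server, user=bind_dn, password=password)
    conn.open()
    if plan["start_tls"] and not conn.start_tls():
        conn.unbind()
        raise RuntimeError("STARTTLS failed; refusing cleartext bind")
    if not conn.bind():
        conn.unbind()
        raise RuntimeError("bind failed: %s" % conn.result)
    return conn


if __name__ == "__main__":
    # Both forms produce a TLS-protected bind; the difference is only in
    # how the encryption is negotiated (constructed placeholder values).
    for u in ("ldaps://ldap.example.org", "ldap://ldap.example.org"):
        print(u, "->", plan_ldap_bind(u))
```

As in util_ldap's cache, a connection returned by `open_secure_connection` stays encrypted for its whole lifetime; a caller that pools these connections can key the pool on the URL alone, because there is never a cleartext variant of the same host/port to confuse with it.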
