skalyanasundaram writes:
>   I am trying to make a client program which should work for both OpenLDAP
> as well as eDirectory. I am going to use the OpenLDAP APIs only. My
> situation is that the server can be configured either to "use TLS for simple
> bind with password" or not to use it. So the client user knows what the
> server has (TLS or not). Based on that he will mention the options
> through the command line (port number 389 or 636) and a boolean for use SSL
> or not.
>
> What is the difference between TLS/SSL?

Well, they are the same protocol, but the terms are sometimes used
differently.

The LDAP protocol (which by default is on port 389) supports an LDAP
request named StartTLS: After the client sends StartTLS and the server
responds with Success, the client and server switch from talking the
LDAP protocol to talking the TLS protocol on the connection.  They
establish TLS encryption on the connection, and then resume talking the
LDAP protocol "inside" the TLS protocol.

There is also an LDAPS ("LDAP over SSL") protocol which by default is on
port 636.  This is just like the above, but connections start with the
TLS protocol right away, as if the client and server had already
exchanged a StartTLS request and response.  (Well, one difference: You
can revert to no TLS in the LDAP protocol, but not in the LDAPS
protocol.)

So:

> Is it possible to create a TLS connection on both the ports 389 and 636?

Yes...

> 389 is the clear text port. How does TLS work here?

Send a StartTLS request, and if the server responds with Success,
switch to TLS.

> TLS works on 636?

Yup.

>   (...)
>   static int ldap_port = 636;
>   (...)
>   if ((ld = ldap_init (ldap_server, ldap_port)) == NULL)

This does not work.  Programs (including ldap_init) normally do not
deduce the protocol from the port number.  It's the other way around:
One deduces the _default_ port number from the protocol.  What you are
doing here is to override the default port number for LDAP and try to
talk the LDAP protocol to port 636, which presumably is expecting the
TLS protocol.

If your program instead takes a URL (ldap://host/ or ldaps://host/),
you can use ldap_initialize(&ld, URL) and get the right protocol and
port number automatically.  And if you also want to support TLS on
the LDAP port, you can take some argument (OpenLDAP uses -Z) which
means that you'll call ldap_start_tls_s().

-- 
Regards,
Hallvard
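The two ways of getting TLS that Hallvard describes, shown at the wire level as an added example (this is not code from the original thread nor from OpenLDAP itself): the URL scheme picks the protocol and the protocol picks the default port, ldaps:// starts the TLS handshake before any LDAP byte is sent, and ldap:// sends a StartTLS ExtendedRequest (OID 1.3.6.1.4.1.1466.20037, RFC 4511 section 4.14) and only wraps the socket after the server answers Success. The hostnames, the helper names and the two sample server replies below are constructed for illustration. The security point a client must get right is in `open_ldap_connection`: a refused StartTLS is an error, not a reason to carry on in clear text (the difference between ldapsearch's -Z, which merely tries, and -ZZ, which requires success), and the TLS context verifies the server certificate and hostname, since an unverified TLS layer to a directory server hands a simple-bind password to whoever sits on the path.

```python
"""StartTLS vs LDAPS as a minimal wire-level client (added example).

Assumptions (not from the original message): hostnames, helper names and
the sample responses below are constructed for illustration only.
"""
import socket
import ssl
from urllib.parse import urlparse

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 4511 section 4.14
LDAP_SUCCESS = 0
LDAP_UNWILLING_TO_PERFORM = 53

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def ldap_url_defaults(url):
    """Deduce (host, port, tls_at_connect) from the URL scheme, the way
    ldap_initialize() does: the scheme selects the protocol and the protocol
    selects the default port, never the port the protocol."""
    u = urlparse(url)
    if u.scheme not in DEFAULT_PORTS:
        raise ValueError("unsupported scheme: %r" % u.scheme)
    return u.hostname, u.port or DEFAULT_PORTS[u.scheme], u.scheme == "ldaps"


def _ber_len(n):
    """BER definite-form length octets."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, content):
    return bytes([tag]) + _ber_len(len(content)) + content


def starttls_request(msgid):
    """LDAPMessage { messageID, ExtendedRequest { requestName [0] OID } }."""
    assert 0 <= msgid < 128, "single-octet INTEGER is enough for this example"
    ext_req = _tlv(0x77, _tlv(0x80, STARTTLS_OID))  # [APPLICATION 23], [0] LDAPOID
    return _tlv(0x30, _tlv(0x02, bytes([msgid])) + ext_req)


def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV at buf[pos:] (definite lengths)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_extended_response(data):
    """Return (msgid, resultCode, diagnosticMessage) from an ExtendedResponse."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(msg, 0)            # messageID INTEGER
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x78:                            # [APPLICATION 24] ExtendedResponse
        raise ValueError("not an ExtendedResponse (tag 0x%02x)" % tag)
    _, code, pos = _read_tlv(op, 0)            # resultCode ENUMERATED
    _, _matched, pos = _read_tlv(op, pos)      # matchedDN
    _, diag, pos = _read_tlv(op, pos)          # diagnosticMessage
    return (int.from_bytes(mid, "big"), int.from_bytes(code, "big"),
            diag.decode("utf-8", "replace"))


def sample_extended_response(msgid, code, diag):
    """Build a constructed server reply (not captured from a real server)."""
    result = _tlv(0x0A, bytes([code])) + _tlv(0x04, b"") + _tlv(0x04, diag)
    return _tlv(0x30, _tlv(0x02, bytes([msgid])) + _tlv(0x78, result))


def open_ldap_connection(url, require_tls=True, timeout=10):
    """ldaps:// wraps in TLS before the first LDAP byte; ldap:// sends
    StartTLS and wraps only on Success. A refused StartTLS aborts rather
    than silently continuing in clear text (the downgrade an on-path
    attacker would want)."""
    host, port, tls_at_connect = ldap_url_defaults(url)
    ctx = ssl.create_default_context()   # CERT_REQUIRED and hostname check
    raw = socket.create_connection((host, port), timeout=timeout)
    if tls_at_connect:
        return ctx.wrap_socket(raw, server_hostname=host)
    if not require_tls:
        return raw
    raw.sendall(starttls_request(1))
    # A production client reads until the whole BER message has arrived.
    msgid, code, diag = parse_extended_response(raw.recv(4096))
    if msgid != 1 or code != LDAP_SUCCESS:
        raw.close()
        raise ConnectionError("StartTLS refused: result %d %s" % (code, diag))
    return ctx.wrap_socket(raw, server_hostname=host)
```

Offline, `starttls_request(1)` is the exact request an OpenLDAP client sends for -Z (apart from the message ID), and `sample_extended_response(1, 0, b"")` is the shape of a Success reply; feed a reply with resultCode 53 (unwillingToPerform) through `parse_extended_response` to see why the client must check the code before it hands the socket to the TLS layer.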

---
You are currently subscribed to ldap@umich.edu as: [EMAIL PROTECTED]
To unsubscribe send email to [EMAIL PROTECTED] with the word UNSUBSCRIBE as the 
SUBJECT of the message.
