Sigh. Okay, not worth the argument.

-----Original Message-----
From: Howard Chu [mailto:h...@symas.com] 
Sent: Friday, November 27, 2009 3:53 PM
To: Dustin Puryear
Cc: LDAP list
Subject: Re: [ldap] Re: ldap ssl MS AD

Dustin Puryear wrote:
> No, it's not. If a Windows AD DC is listening on port 636/tcp, it can
> safely be assumed that SSL is running, unless someone has mucked around
> with the Registry and changed the default ports.

That's irrelevant. ldp.exe is meant to be a generic LDAP tool. It works
with other LDAP servers. Making the assumption that any LDAP server
listening on port 636 is using LDAP over SSL is an unsafe assumption,
particularly since (as I already mentioned) there has never been any
official specification reserving port 636 for this purpose, and the use of
LDAP over SSL was deprecated back in 2000. LDAPv3-compliant LDAP servers
rely on StartTLS.

Of course the entire notion of reserved ports is kind of obsolete these
days. That's like assuming that HTTP servers must listen on port 80,
despite the myriad servers out there running on 8080, 8000, and various
other randomly chosen ports. (Or the myriad other non-HTTP services
usurping port 80 to bypass local firewall rules.)

> -----Original Message-----
> From: bounce-ldap-3356...@listserver.itd.umich.edu
> [mailto:bounce-ldap-3356...@listserver.itd.umich.edu] On Behalf Of
> Howard Chu
> Sent: Thursday, November 26, 2009 2:02 AM
> To: LDAP list
> Subject: [ldap] Re: ldap ssl MS AD
>
>> From: Simon Walter <simon.wal...@hokkaidotracks.com>
>> Date: Thu, 26 Nov 2009 09:37:47 +0900
>
>> Dustin Puryear wrote:
>>> If you connect to port 636/tcp on a DC via ldp.exe then SSL is
>>> enabled.
>
> That's assuming quite a lot, since port 636 is not officially reserved
> for SSL use in any IETF/IANA registry.
>
>> OK that's good news. So since I can connect with ldp.exe, what should
>> I be doing to connect via ldapsearch? This is what I've tried:
>>
>> $ ldapsearch -W -LLL -E pr=200/noprompt -h adserver -p 636 -D
>> "u...@domain.com" -b "dc=domain, dc=com" -s sub "(cn=*)" cn mail sn
>>
>> Should it work?
>
> No. Specifying the port number only does that, it doesn't turn on SSL
> at all. (Nor should it. The Microsoft tools are, as usual, playing fast
> and loose with the LDAP specs.) The way to get SSL is to use a URI, and
> stop using the old/deprecated -h and -p options. Read the ldapsearch(1)
> manpage.
>
>      ldapsearch -H ldaps://adserver:636
>
>> There was one thing I was not sure of, do I need to install a
>> certificate on the client? That was never very clear to me in what
>> I've read so far.
>
> Then you haven't been reading the right docs. Try this instead:
>
> http://www.openldap.org/doc/admin24/tls.html
>


-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
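As an added illustration of the point made in the thread (this is not code from the thread or from OpenLDAP itself): the `-p 636` form sends cleartext LDAP to port 636, while the URI scheme (`ldaps://`) or `-ZZ` (StartTLS) is what actually turns on TLS. The host, bind DN, base DN and CA-cert path are placeholders; the script assumes the OpenLDAP client tools and `openssl` are installed.

```shell
#!/bin/sh
# Added example: selecting the LDAP transport for ldapsearch correctly.
# Placeholders: adserver, user@domain.com, dc=domain,dc=com, the CA path.

# CA certificate that issued the DC's server certificate (path is a
# placeholder). Without a trusted CA, ldaps:// and -ZZ fail verification,
# which is the right outcome; see the OpenLDAP admin guide TLS chapter.
export LDAPTLS_CACERT="${LDAPTLS_CACERT:-/etc/ssl/certs/ad-root-ca.pem}"

# Build the transport arguments for ldapsearch.
#   plain    -> cleartext LDAP; this is all "-h adserver -p 636" gives you
#   ldaps    -> LDAP over SSL, selected by the URI scheme, not the port
#   starttls -> LDAPv3 StartTLS on the normal port; -ZZ makes failure fatal
ldap_transport_args() {
    mode=$1 host=$2 port=$3
    case $mode in
        plain)    printf '%s' "-H ldap://$host:$port" ;;
        ldaps)    printf '%s' "-H ldaps://$host:$port" ;;
        starttls) printf '%s' "-H ldap://$host:$port -ZZ" ;;
        *)        echo "unknown mode: $mode" >&2; return 1 ;;
    esac
}

# Don't assume a port speaks TLS just because it is 636: complete a
# handshake and see whether a certificate comes back (exit 0 if it does).
port_speaks_tls() {
    host=$1 port=$2
    openssl s_client -connect "$host:$port" -servername "$host" \
        </dev/null 2>/dev/null | grep -q 'BEGIN CERTIFICATE'
}

# The search from the thread, with the transport chosen explicitly.
ad_search() {
    mode=$1 host=$2 port=$3 binddn=$4 base=$5
    # shellcheck disable=SC2046
    ldapsearch $(ldap_transport_args "$mode" "$host" "$port") -W -LLL \
        -E pr=200/noprompt -D "$binddn" -b "$base" -s sub "(cn=*)" cn mail sn
}

# Usage (placeholders):
#   ad_search ldaps    adserver 636 "user@domain.com" "dc=domain,dc=com"
#   ad_search starttls adserver 389 "user@domain.com" "dc=domain,dc=com"
```

`ad_search plain adserver 636` reproduces the original failing invocation, which is useful only to confirm that a cleartext bind to the SSL port is refused.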
