I guess I am still a little unclear on what the advantage is to using
ldap:// + start_tls vs. ldaps://. The end result is the same except
that you have a secure connection to the LDAP server on 389 rather than
636. Is that the only reason? Administrators don't want to open a
dedicated SSL
At 10:12 AM 1/6/2005, Brad Nicholes wrote:
I guess I am still a little unclear on what the advantage is
to using ldap:// + start_tls vs. ldaps://. The end result
is the same except that you have a secure connection to the LDAP
server on 389 rather than 636. Is that the only reason?
HTH,
-tony
-Original Message-
From: Brad Nicholes [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 06, 2005 8:13 AM
To: dev@httpd.apache.org; [EMAIL PROTECTED]
Subject: Re: Auth LDAP ssl/tls differences
I guess I am still a little unclear on what the advantage is to using
ldap
Bennett, Tony - CNF wrote:
Regarding LDAP, Apache is a client which must adhere to how
the LDAP server is configured, be that a secure port (ldaps://)
or via an unsecure connection (ldap://) that can be upgraded with
a StartTLS. It appears, from the OpenLdap perspective, that
use of ldaps:// is
Brad Nicholes wrote:
I guess I am still a little unclear on what the advantage is to using
ldap:// + start_tls vs. ldaps://. The end result is the same except
that you have a secure connection to the LDAP server on 389 rather than
636. Is that the only reason?
Apparently ldap:// + STARTTLS
At 03:18 PM 1/6/2005, Graham Leggett wrote:
Brad Nicholes wrote:
I guess I am still a little unclear on what the advantage is to using
ldap:// + start_tls vs. ldaps://. The end result is the same except
that you have a secure connection to the LDAP server on 389 rather than
636. Is that
I personally feel more comfortable having LDAP on an SSL port only,
then
I know there is no way my server can be accessed accidentally without
encryption in place.
Call me paranoid, but I completely agree. Especially since the primary
purpose of auth_ldap is authentication, i.e. userids and
At 05:19 PM 1/6/2005, Brad Nicholes wrote:
This doesn't mean that APR-util doesn't support the concept of
starting
and stopping tls, it only means that util_ldap doesn't choose to use
this option.
So we should probably split start_tls out from apr_ldap_ssl_init() into
its own API. This way
Off the top of my head, performance. Maybe you really only need a
secure connection during the bind but after that switching back to an
unsecure connection would perform better. Maybe you want to hold a
connection pool of LDAP connections that can be used to transfer
sensitive information or
William A. Rowe, Jr. said:
The correct scheme/port for STARTTLS LDAP connections is
ldap:// with port 389 implicit. We need a mechanism to clarify
to mod_ldap that TLS security is desired.
I have just taught apr-util's apr_ldap_init() function to handle
STARTTLS in addition to SSL (or no
It seems that our support for ssl/tls with mod_ldap is considerably
confusing and frustrating for users. The recent interest in fixing
support for the Solaris/Netscape/Mozilla library reminded me of the
fact that we need to finish thinking this through.
Fast summary for those less familiar:
On Jan 4, 2005, at 2:40 PM, William A. Rowe, Jr. wrote:
Incident http://issues.apache.org/bugzilla/show_bug.cgi?id=31443
offers a solution which we should consider adopting. As I was
asking for some offline feedback - Graham mentioned that some
implementations use the URL to specify that STARTTLS
William A. Rowe, Jr. said:
Incident http://issues.apache.org/bugzilla/show_bug.cgi?id=31443
offers a solution which we should consider adopting. As I was
asking for some offline feedback - Graham mentioned that some
implementations use the URL to specify that STARTTLS is desired.
But
13 matches