Hi Aneela -

It seems like startTLS support would be something that would be good to provide
support for in Knox.
I really can't say that I know whether it is being properly protected
through Knox's use of Shiro inside the shiro authentication provider.

From the brief investigation that I have done - it looks like that should
work.

I think the best way to tell for sure would be to use a network sniffer to
capture the packets to 389 and make sure that they are not in the clear.

We would welcome contributions for enabling startTLS from the code or even
docs perspective!

Thanks for your continued interest and contributions to Knox!

--larry


On Tue, Jul 21, 2015 at 6:04 AM, Aneela Saleem <[email protected]>
wrote:

> Hi Kevin,
>
> As I said earlier, startTLS uses ldap:/// protocol instead of ldaps:///
> that's why I use LDAP:/// in the Knox configuration.
>
> Regards,
> Aneela Saleem
> On Jul 20, 2015 8:08 PM, "Kevin Minder" <[email protected]>
> wrote:
>
>> Hi Aneela,
>> To be totally honest with you I’m not certain.  My concern is that since
>> your configuration uses “ldap://” that the connection is somehow falling
>> back to a non-secure protocol.  Is there a specific reason you haven’t
>> changed your Knox configuration to “ldaps://”?
>> Kevin.
>>
>> From: Aneela Saleem
>> Reply-To: "[email protected]"
>> Date: Wednesday, July 15, 2015 at 3:40 PM
>> To: "[email protected]"
>> Subject: Knox - LDAP authentication over startTLS
>>
>> Hi all,
>>
>> I have implemented LDAP with startTLS, which refers to an existing LDAP
>> session (listening on TCP port 389) becoming protected by TLS/SSL instead
>> of *ldaps:///* listening on port 636.
>>
>> So does Knox still consider it an SSL-secured LDAP connection, even though
>> I have given the LDAP service value as *ldap://localhost*?
>>
>
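The check Larry suggests above (capture the traffic to port 389 and confirm it is not in the clear) can be made mechanical. The following is an added example, not Knox code and not part of this thread: it takes the TCP payloads of a captured LDAP conversation, already reassembled per direction, and reports whether the client issued the StartTLS extended operation (OID 1.3.6.1.4.1.1466.20037), whether the server accepted it, and whether what follows is TLS records rather than plaintext LDAP. It also flags a simple bind sent before TLS is up, which is exactly the fallback Kevin is worried about. The captures, the bind DN and the password are constructed sample data; a real check would feed it payloads exported from a sniffer.

```python
"""Classify a captured LDAP conversation on TCP 389: did it really switch to TLS?"""

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # RFC 4511 StartTLS extended operation


def ber_len(n):
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body


def read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the BER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length


# --- constructed LDAP messages used to build the sample captures ---
def ldap_message(msg_id, op):
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + op)


def starttls_request(msg_id=1):
    # ExtendedRequest [APPLICATION 23], requestName [0]
    return ldap_message(msg_id, tlv(0x77, tlv(0x80, STARTTLS_OID)))


def starttls_response(msg_id=1, result_code=0):
    # ExtendedResponse [APPLICATION 24]: resultCode, matchedDN, diagnosticMessage, responseName [10]
    body = tlv(0x0A, bytes([result_code])) + tlv(0x04, b"") + tlv(0x04, b"") + tlv(0x8A, STARTTLS_OID)
    return ldap_message(msg_id, tlv(0x78, body))


def simple_bind(msg_id, dn, password):
    # BindRequest [APPLICATION 0]: version 3, name, authentication simple [0]
    return ldap_message(msg_id, tlv(0x60, tlv(0x02, b"\x03") + tlv(0x04, dn) + tlv(0x80, password)))


def is_tls_record(payload):
    """TLS record header: content type 0x14..0x17, major version 3."""
    return len(payload) >= 3 and 0x14 <= payload[0] <= 0x17 and payload[1] == 0x03 and payload[2] <= 0x04


def classify(packets):
    """packets: [(direction, payload)] in capture order; 'C' client->server, 'S' server->client."""
    report = {"starttls_requested": False, "starttls_accepted": False,
              "tls_records_seen": 0, "cleartext_bind": False, "cleartext_after_starttls": False}
    tls_active = False
    for _direction, payload in packets:
        if tls_active:  # once TLS is negotiated, every byte on the socket must be a TLS record
            if is_tls_record(payload):
                report["tls_records_seen"] += 1
            else:
                report["cleartext_after_starttls"] = True
            continue
        if is_tls_record(payload):  # TLS without a visible StartTLS (e.g. capture started late)
            tls_active, report["tls_records_seen"] = True, report["tls_records_seen"] + 1
            continue
        if not payload or payload[0] != 0x30:
            continue  # not an LDAPMessage SEQUENCE; ignore
        _, msg, _ = read_tlv(payload, 0)
        _, _, pos = read_tlv(msg, 0)  # skip messageID
        op_tag, op_body, _ = read_tlv(msg, pos)
        if op_tag == 0x60:  # BindRequest sent while still in plaintext
            _, _, p = read_tlv(op_body, 0)  # version
            _, _, p = read_tlv(op_body, p)  # name
            auth_tag, _, _ = read_tlv(op_body, p)
            report["cleartext_bind"] |= (auth_tag == 0x80)  # simple auth = password in the clear
        elif op_tag == 0x77:  # ExtendedRequest
            name_tag, name, _ = read_tlv(op_body, 0)
            report["starttls_requested"] |= (name_tag == 0x80 and name == STARTTLS_OID)
        elif op_tag == 0x78 and report["starttls_requested"]:  # ExtendedResponse to StartTLS
            _, code, _ = read_tlv(op_body, 0)
            if code == b"\x00":  # success: the TLS handshake must follow immediately
                report["starttls_accepted"] = tls_active = True
    return report


def verdict(report):
    problems = []
    if report["cleartext_bind"]:
        problems.append("simple bind credentials sent in the clear")
    if report["cleartext_after_starttls"]:
        problems.append("plaintext LDAP continued after StartTLS")
    if report["starttls_requested"] and not report["starttls_accepted"]:
        problems.append("StartTLS refused by server")
    if not report["tls_records_seen"]:
        problems.append("no TLS records observed on port 389")
    return "encrypted" if not problems else "; ".join(problems)


# Constructed sample captures (TLS payloads are stand-in bytes with valid record headers only).
DN, PW = b"uid=guest,ou=people,dc=example,dc=com", b"constructed-sample-password"
GOOD_CAPTURE = [("C", starttls_request(1)), ("S", starttls_response(1, 0)),
                ("C", b"\x16\x03\x01\x00\x05hello"), ("S", b"\x16\x03\x03\x00\x02hi")]
CLEARTEXT_CAPTURE = [("C", simple_bind(1, DN, PW))]
FALLBACK_CAPTURE = [("C", starttls_request(1)), ("S", starttls_response(1, 1)),
                    ("C", simple_bind(2, DN, PW))]

if __name__ == "__main__":
    for name, cap in [("good", GOOD_CAPTURE), ("cleartext", CLEARTEXT_CAPTURE), ("fallback", FALLBACK_CAPTURE)]:
        print(name, "->", verdict(classify(cap)))
```

The useful property is the third capture: a client that asks for StartTLS, is refused, and then binds anyway is indistinguishable from a plain ldap:// client at the wire level, so a configuration that "works" is not evidence that the password left the Knox host encrypted; only the absence of a plaintext BindRequest on 389 is.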