2.3. Start TLS with ApacheDS has been edited by Emmanuel Lécharny (Nov 19, 2008).

Work in progress

This site is in the process of being reviewed and updated.

Introduction

With Start TLS, the client sends the Start TLS extended operation (OID 1.3.6.1.4.1.1466.20037, defined in RFC 2830) to the server over the ordinary cleartext LDAP connection. The request means: 'after you send me a positive response to this operation, switch this connection over to TLS'. Once the server answers with resultCode success, both sides run the TLS handshake on the same TCP connection and every LDAP message exchanged afterwards is encrypted. Start TLS is therefore a mechanism for avoiding the need to listen on a separate port (ldaps://, conventionally 636) for SSL connections. A server that supports it lists the OID above in the supportedExtension attribute of its root DSE, which is a quick way to check before trying a bind.

Testing LDAP binds with TLS

The following command performs an anonymous simple bind (-x) over Start TLS and reads the root DSE (-b "" -s base). -Z asks ldapsearch to issue the Start TLS extended operation; -ZZ additionally makes it mandatory, so the search fails instead of silently falling back to cleartext if the server refuses the operation or does not support it. Always test with -ZZ: with a single -Z a successful search proves nothing about whether TLS was actually negotiated.

$ ldapsearch -H ldap://ldap.example.com/ -b "" -s base -LLL supportedSASLMechanisms -x -ZZ

TLS (and SSL) can also be combined with the SASL authentication mechanisms. DIGEST-MD5 and CRAM-MD5 avoid sending the password in clear but give the rest of the session no confidentiality and are considered weak today, so they still benefit from Start TLS; GSSAPI (Kerberos) brings its own security layer and is simply wrapped in TLS as well. In the commands below -Y selects the mechanism, -U the SASL authentication identity, -R the realm (required for DIGEST-MD5) and -w the password.

$ ldapsearch -H ldap://ldap.example.com -b "dc=example,dc=com" "(uid=hnelson)" -ZZ -Y DIGEST-MD5 -U hnelson -R example.com -w secret
$ ldapsearch -H ldap://ldap.example.com -b "dc=example,dc=com" "(uid=hnelson)" -ZZ -Y CRAM-MD5 -U hnelson -w secret
$ ldapsearch -H ldap://ldap.example.com -b "dc=example,dc=com" "(uid=hnelson)" -ZZ -Y GSSAPI

Note that the LDAP client may verify the server certificate (with the OpenLDAP tools this is governed by TLS_REQCERT in ldap.conf, whose default is demand), so use the FQDN of the LDAP server in the URL and make sure it matches a subjectAltName (or, for older clients, the cn) of the certificate. If the server certificate is self-signed or issued by a private CA, point the client at the issuing certificate with TLS_CACERT rather than setting TLS_REQCERT to never: that setting disables verification entirely and leaves the Start TLS session open to an active attacker, which defeats the purpose of the exercise.
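The exchange described in the introduction, and the certificate check the note above is about, written out as an added example; this code is not part of this page or of ApacheDS. It encodes the Start TLS ExtendedRequest by hand, parses the server's ExtendedResponse, and only then hands the same TCP socket to Python's ssl module with chain and hostname verification switched on, which is what ldapsearch -ZZ with TLS_CACERT set does for you. The server responses built in the block are constructed for illustration and are not captured from a running ApacheDS; ldap.example.com and the CA file path are placeholders.

```python
"""LDAP StartTLS exchange (RFC 2830) by hand on the standard library.
Added example; not from the ApacheDS page or project. Server responses are
constructed here for illustration, not captured from a running ApacheDS."""
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # also listed in the root DSE's supportedExtension

def _ber_len(n):
    """BER definite length: short form below 128, long form (0x80|N, then N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, value):
    return bytes([tag]) + _ber_len(len(value)) + value

def _ber_int(tag, n):
    """INTEGER/ENUMERATED as minimal two's complement (1 -> 01, 128 -> 00 80)."""
    return _tlv(tag, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))

def build_starttls_request(msg_id=1):
    """Client: LDAPMessage { messageID, extendedReq [APPLICATION 23] { requestName [0] OID } }."""
    ext_req = _tlv(0x77, _tlv(0x80, STARTTLS_OID))       # 0x77 = APPLICATION 23 constructed, 0x80 = [0]
    return _tlv(0x30, _ber_int(0x02, msg_id) + ext_req)  # 0x30 = SEQUENCE

def build_extended_response(msg_id, result_code, diag=b"", name=None):
    """Server: ExtendedResponse [APPLICATION 24] { resultCode, matchedDN, diagnosticMessage, responseName [10] }."""
    body = _ber_int(0x0A, result_code) + _tlv(0x04, b"") + _tlv(0x04, diag)
    if name is not None:
        body += _tlv(0x8A, name)                          # 0x8A = context tag [10], primitive
    return _tlv(0x30, _ber_int(0x02, msg_id) + _tlv(0x78, body))  # 0x78 = APPLICATION 24

def _read_tlv(buf, pos):
    """Return (tag, value, position after the element); rejects truncated input."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                    # long form
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def parse_extended_response(data):
    """Decode an ExtendedResponse into (msg_id, result_code, diagnostic, response_name)."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = _read_tlv(msg, 0)
    tag2, body, _ = _read_tlv(msg, pos)
    if tag != 0x02 or tag2 != 0x78:
        raise ValueError("expected messageID + ExtendedResponse (0x78), got 0x%02x" % tag2)
    _, code, pos = _read_tlv(body, 0)                    # ENUMERATED resultCode
    _, _matched_dn, pos = _read_tlv(body, pos)
    _, diag, pos = _read_tlv(body, pos)
    name = None
    while pos < len(body):                               # optional referral [3], responseName [10], response [11]
        t, val, pos = _read_tlv(body, pos)
        if t == 0x8A:
            name = val.decode("ascii")
    return (int.from_bytes(mid, "big", signed=True), int.from_bytes(code, "big", signed=True),
            diag.decode("utf-8", "replace"), name)

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf

def _recv_message(sock):
    """Read one complete BER-framed LDAPMessage: header first, then exactly the body."""
    head = _recv_exact(sock, 2)
    length = head[1]
    if length & 0x80:
        extra = _recv_exact(sock, length & 0x7F)
        head, length = head + extra, int.from_bytes(extra, "big")
    return head + _recv_exact(sock, length)

def starttls(host, port=389, cafile=None):
    """Connect in clear, negotiate StartTLS, return a verified TLS socket or raise."""
    ctx = ssl.create_default_context(cafile=cafile)      # CERT_REQUIRED and check_hostname=True
    sock = socket.create_connection((host, port), timeout=10)
    try:
        sock.sendall(build_starttls_request(1))
        msg_id, code, diag, _ = parse_extended_response(_recv_message(sock))
        if msg_id != 1 or code != 0:
            raise RuntimeError("StartTLS refused: resultCode %d %s" % (code, diag))
        # Only after the positive response does the same TCP connection carry the TLS
        # handshake; server_hostname makes ssl check the certificate's SAN/CN against the FQDN.
        return ctx.wrap_socket(sock, server_hostname=host)
    except Exception:
        sock.close()
        raise
```

Calling starttls("ldap.example.com", cafile="/path/to/apacheds-ca.pem") is the equivalent of ldapsearch -ZZ with TLS_CACERT set: it raises if the server answers anything but resultCode 0, and the ssl module raises during wrap_socket if the certificate is not signed by the given CA or does not name the host you dialled. Passing an IP address or a bare short name instead of the FQDN fails the hostname check for the same reason the note above gives. The request bytes the block produces (30 1d 02 01 01 77 18 80 16 followed by the OID as ASCII) are what you will see on the wire in a packet capture immediately before the ClientHello.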

Resources

RFC 2830 - Lightweight Directory Access Protocol (v3): Extension for Transport Layer Security
http://www.faqs.org/rfcs/rfc2830.html

SSL and Custom Sockets
http://java.sun.com/products/jndi/tutorial/ldap/security/ssl.html
