From Graham Leggett <>
Subject Re: Auth LDAP ssl/tls differences
Date Thu, 06 Jan 2005 21:18:10 GMT
Brad Nicholes wrote:

>    I guess I am still a little unclear on what the advantage is to using
> ldap:// + start_tls  vs.  ldaps://.  The end result is the same except
> that you have a secure connection to the LDAP server on 389 rather than
> 636.  Is that the only reason?

Apparently ldap:// + STARTTLS is a standard, and ldaps:// is not a 
standard (although it's universally supported). The end result of both 
methods is the same - a secure connection.

I personally feel more comfortable having LDAP on an SSL port only, then 
I know there is no way my server can be accessed accidentally without 
encryption in place. But others want to use STARTTLS, and if it's 
technically possible, I see no reason to stop them.

> Something to think about - what about ldap connection caching?  Are the
> ldap://+start_tls connections cached separately from ldap://  and
> ldaps:// connections?

No - there is just one cache of connections. SSL/TLS is negotiated when 
the connection is first established, and remains that way until the 
connection is closed. Whether the initial negotiation was SSL or 
STARTTLS makes no difference: once util_ldap has said STARTTLS, it 
doesn't stop TLS again until the connection is disposed of.

This doesn't mean that APR-util doesn't support the concept of starting 
and stopping TLS, it only means that util_ldap doesn't choose to use 
this option.
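The two connection modes discussed in this exchange, written out as httpd mod_ldap / mod_authnz_ldap configuration (added illustration, not part of the message and not the project's own sample; directive names are those of httpd 2.2/2.4, and the hostname, base DN, bind DN and file paths are placeholders):

```apache
# Added example, not from the thread: ldaps:// and ldap:// + STARTTLS
# side by side as httpd mod_ldap / mod_authnz_ldap configuration.
# Hostname, base DN, bind DN and file paths are placeholders.

# mod_ldap settings apply to every LDAP connection httpd makes, whichever
# scheme is used; as the reply says, there is a single connection cache.
LDAPSharedCacheSize   500000
LDAPCacheEntries      1024
LDAPCacheTTL          600
LDAPConnectionTimeout 10

# Trust anchor for the directory's certificate. Without a CA httpd can
# negotiate SSL/TLS but cannot verify who is on the other end.
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/ldap-ca.pem
LDAPVerifyServerCert On

# Mode 1: ldaps:// - TLS from the first byte on the dedicated port 636.
# A URL with this scheme either gets an encrypted connection or fails;
# it can never fall back to plaintext on the same port.
<Location /secure-ldaps>
    AuthType Basic
    AuthName "LDAP (ldaps)"
    AuthBasicProvider ldap
    AuthLDAPURL "ldaps://ldap.example.com:636/ou=People,dc=example,dc=com?uid?sub?(objectClass=person)"
    AuthLDAPBindDN "cn=httpd,ou=Services,dc=example,dc=com"
    AuthLDAPBindPassword "PLACEHOLDER-bind-password"
    Require valid-user
</Location>

# Mode 2: ldap:// on port 389, upgraded with STARTTLS before any bind.
# The second argument to AuthLDAPURL selects the upgrade; leaving it out
# (or writing NONE) would bind in the clear on the very same port, which
# is the "accidental" case the reply above wants to rule out.
<Location /secure-starttls>
    AuthType Basic
    AuthName "LDAP (STARTTLS)"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ldap.example.com:389/ou=People,dc=example,dc=com?uid?sub?(objectClass=person)" STARTTLS
    AuthLDAPBindDN "cn=httpd,ou=Services,dc=example,dc=com"
    AuthLDAPBindPassword "PLACEHOLDER-bind-password"
    Require valid-user
</Location>
```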