httpd-dev mailing list archives

From "William A. Rowe, Jr." <wr...@rowe-clan.net>
Subject Auth LDAP ssl/tls differences
Date Tue, 04 Jan 2005 19:40:01 GMT
It seems that our support for ssl/tls with mod_ldap is considerably
confusing and frustrating for users.  The recent interest in fixing
support for the Solaris/Netscape/Mozilla library reminded me of the
fact that we need to finish thinking this through.

Fast summary for those less familiar: there are two SSL schemas
for LDAP communications.

 . Solaris/Netscape/Mozilla support is based on explicit SSLv3
   connection to the ldaps:// port, 636.

 . OpenLDAP supports ldaps://, it also supports STARTTLS
   protocol over port 389.  STARTTLS should not be invoked by
   the scheme ldaps:// (it's a semantic error - ldaps:// should
   not refer to an upgraded SSL connection, and would imply
   port 636 which is not correct for this protocol.)

The correct scheme/port for STARTTLS LDAP connections is
ldap:// with port 389 implicit.  We need a mechanism to clarify
to mod_ldap that TLS security is desired.
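As an added illustration of the two schemes described above (example code, not mod_ldap and not the patch from the referenced bug): it resolves an LDAP URL plus an explicitly requested trust mode into host, port and security mode, rejects ldaps:// combined with STARTTLS as the semantic error described in this message, and builds the StartTLS ExtendedRequest (RFC 4511) that the ldap:// path sends in the clear on 389 before the TLS handshake begins. The mode vocabulary NONE/SSL/TLS mirrors the LDAPTrustedMode directive later httpd releases adopted; the function and class names, and the example hostnames and URLs, are this example's own constructions.

```python
"""
Added illustration (not mod_ldap code): classify how an LDAP connection is
secured from its URL plus an explicit trust mode, and build the StartTLS
ExtendedRequest that the ldap://-plus-TLS path sends before the handshake.
Mode names NONE / SSL / TLS follow the LDAPTrustedMode vocabulary; the
function and class names are this example's own.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

# StartTLS extended operation OID (RFC 4511 section 4.14, RFC 4513).
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


@dataclass(frozen=True)
class ConnectionPlan:
    host: str
    port: int
    # NONE: plaintext; SSL: TLS from the first byte (ldaps://, 636);
    # TLS: plaintext connect on 389, then the StartTLS extended operation.
    mode: str


def plan_connection(url: str, trusted_mode: str = "NONE") -> ConnectionPlan:
    """Resolve scheme, port and security mode; reject ldaps:// combined with StartTLS."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    mode = trusted_mode.upper()
    if mode == "STARTTLS":
        mode = "TLS"  # accepted as a synonym for TLS
    if mode not in ("NONE", "SSL", "TLS"):
        raise ValueError(f"unknown trust mode: {trusted_mode!r}")
    if scheme == "ldaps":
        if mode == "TLS":
            # ldaps:// already means TLS from the first byte; it cannot be "upgraded" too.
            raise ValueError("ldaps:// cannot be combined with StartTLS; use ldap:// with TLS")
        mode = "SSL"  # ldaps:// implies SSL even when no mode was requested
    port = parts.port or DEFAULT_PORTS[scheme]
    # RFC 4516 leaves an empty host implementation-defined; localhost is the usual choice.
    return ConnectionPlan(parts.hostname or "localhost", port, mode)


def is_consistent(url: str, trusted_mode: str = "NONE") -> bool:
    """Config lint: True when the URL scheme and the requested trust mode agree."""
    try:
        plan_connection(url, trusted_mode)
    except ValueError:
        return False
    return True


def _ber_length(n: int) -> bytes:
    """BER definite length: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _ber_length(len(body)) + body


def _ber_integer(value: int) -> bytes:
    # Minimal two's-complement encoding; a leading 0x00 appears when the top bit is set.
    return _tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))


def starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest { requestName [0] StartTLS OID } }."""
    if not 1 <= message_id <= 0x7FFFFFFF:
        raise ValueError("messageID must be a positive 31-bit integer")
    request_name = _tlv(0x80, STARTTLS_OID.encode("ascii"))  # [0] context-specific, primitive
    extended_request = _tlv(0x60 | 23, request_name)         # [APPLICATION 23] constructed
    return _tlv(0x30, _ber_integer(message_id) + extended_request)


if __name__ == "__main__":
    # Constructed sample URLs; hostnames are placeholders.
    for url, mode in [("ldaps://ldap.example.com/dc=example,dc=com", "NONE"),
                      ("ldap://ldap.example.com/dc=example,dc=com", "TLS"),
                      ("ldap://ldap.example.com:3389/dc=example,dc=com", "NONE")]:
        print(plan_connection(url, mode))
    print("ldaps:// + TLS consistent?", is_consistent("ldaps://ldap.example.com/", "TLS"))
    print("StartTLS request:", starttls_request().hex())
```

The two paths differ in what a capture on the wire shows: with ldaps:// the first bytes from the client are a TLS ClientHello on 636, while with ldap:// plus TLS the first bytes are the plaintext ExtendedRequest above on 389, followed by the ClientHello only after the server's ExtendedResponse reports success. That is why the scheme alone cannot carry the "I want STARTTLS" signal and a separate setting is needed.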

Incident http://issues.apache.org/bugzilla/show_bug.cgi?id=31443
offers a solution which we should consider adopting.  As I was
asking for some offline feedback - Graham mentioned that some
implementations use the URL to specify that STARTTLS is desired.
But without some references the proposal seems to be a better
option - we shouldn't be redefining the ldap:// URI space.

Does anyone have any references to specifying STARTTLS as part
of the URI to the ldap server?  Any other comments on this patch
before I integrate into httpd-2.1?

Bill