[Fedora-directory-users] Preferred authentication mechanism - LDAPS or startTLS
Michael Ströder
michael at stroeder.com
Wed Apr 9 22:37:44 UTC 2008
Chun Tat David Chu wrote:
>
> I'm currently looking into LDAP authentication and would like to know
> about what is the preferred authentication mechanism. If I want to use
> TLS for authentication, should I use LDAPS or startTLS?
Both are not client authentication mechs if you don't use client
certificates. In most deployments the SSL/TLS protocol provides server
authentication and an encrypted data communication channel.
> I surfed on the Internet, and it appears that startTLS should be
> deprecating LDAPS but a lot of people are still using LDAPS today.
I'd simply support both. LDAPS has the advantage that you can really
mandate that the client must successfully establish an encrypted channel
*before* sending any LDAP PDU with possibly confidential information.
Ciao, Michael.
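To illustrate the last point above with working code (added here, not from the thread or the Fedora Directory Server project): a minimal client that, for an ldaps:// URL, runs the TLS handshake before any LDAP PDU leaves the socket, and for an ldap:// URL sends exactly one cleartext PDU, the StartTLS extended request, then fails closed if the server declines instead of carrying on unencrypted. The `wrap` callable, the `simulate` helper and the two sample ExtendedResponses are assumptions for offline use; a real client passes `ssl.create_default_context().wrap_socket(sock, server_hostname=host)` as `wrap`.

```python
import socket

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # StartTLS extended operation (RFC 4511)
SAMPLE_OK = bytes.fromhex("300c02010178070a010004000400")       # constructed ExtendedResponse, resultCode 0
SAMPLE_REFUSED = bytes.fromhex("300c02010178070a013404000400")  # constructed, resultCode 52 (unavailable)

def _tlv(tag, value):  # BER TLV with short-form length (every PDU here is under 128 bytes)
    return bytes([tag, len(value)]) + value

def starttls_request(msg_id=1):
    """LDAPMessage { messageID, extendedReq [APPLICATION 23] { requestName [0] OID } }."""
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x77, _tlv(0x80, STARTTLS_OID)))

def _read_tlv(buf, pos):  # decode one short-form TLV -> (tag, value, next position)
    tag, n = buf[pos], buf[pos + 1]
    return tag, buf[pos + 2:pos + 2 + n], pos + 2 + n

def extended_result_code(msg):
    """resultCode of an ExtendedResponse ([APPLICATION 24]); rejects anything else."""
    tag, body, _ = _read_tlv(msg, 0)
    _, _, pos = _read_tlv(body, 0)           # skip messageID
    op, resp, _ = _read_tlv(body, pos)
    code_tag, code, _ = _read_tlv(resp, 0)
    if (tag, op, code_tag) != (0x30, 0x78, 0x0A):
        raise ValueError("not an LDAP ExtendedResponse")
    return int.from_bytes(code, "big")

def secure_channel(sock, scheme, wrap):
    """Return a TLS-protected socket for an ldaps:// or ldap:// (StartTLS) URL, or fail closed."""
    if scheme == "ldaps":
        return wrap(sock)  # handshake first, e.g. ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    sock.sendall(starttls_request())         # the one PDU StartTLS must send in cleartext
    code = extended_result_code(sock.recv(4096))
    if code != 0:
        sock.close()                         # never carry on with an unencrypted session
        raise ConnectionError(f"StartTLS refused, resultCode={code}")
    return wrap(sock)

def simulate(scheme, server_reply):
    """Offline run over a socketpair, identity wrap standing in for TLS; returns (cleartext bytes the peer saw, error or None)."""
    client, server = socket.socketpair()
    server.sendall(server_reply)             # preload the peer's answer
    try:
        secure_channel(client, scheme, wrap=lambda s: s)
        err = None
    except ConnectionError as e:
        err = str(e)
    client.close()                           # EOF lets the peer drain what it received
    seen = server.recv(4096)
    return seen, err
```

`simulate("ldaps", b"")` shows the peer receiving nothing before the handshake, while `simulate("ldap", SAMPLE_REFUSED)` shows the StartTLS request on the wire followed by the client aborting rather than continuing in cleartext.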