[Fedora-directory-users] Preferred authentication mechanism - LDAPS or startTLS
Edward Capriolo
edlinuxguru at gmail.com
Wed Apr 9 23:14:03 UTC 2008
start tls is an extended operation. Your ldap server may not support
it. With start TLS part of the conversion happens unencrypted.
On Wed, Apr 9, 2008 at 6:37 PM, Michael Ströder <michael at stroeder.com> wrote:
> Chun Tat David Chu wrote:
>
> >
> > I'm currently looking into LDAP authentication and would like to know
> about what is the preferred authentication mechanism. If I want to use TLS
> for authentication, should I use LDAPS or startTLS?
> >
>
> Both are not client authentication mechs if you don't use client
> certificates. In most deployments the SSL/TLS protocol provides server
> authentication and an encrypted data communication channel.
>
>
>
> > I surfed on the Internet, and it appears that startTLS should be
> deprecating LDAPS but a lot of people are still using LDAPS today.
> >
>
> I'd simply support both. LDAPS has the advantage that you can really
> mandate that the client must successfully establish an encrypted channel
> *before* sending any LDAP PDU with possibly confidential information.
>
> Ciao, Michael.
>
>
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
More information about the Fedora-directory-users
mailing list