No, it's not. If a Windows AD DC is listening on port 636/tcp, it can safely be assumed that SSL is running, unless someone has mucked around with the Registry and changed the default ports.
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Howard Chu
Sent: Thursday, November 26, 2009 2:02 AM
To: LDAP list
Subject: [ldap] Re: ldap ssl MS AD

> From: Simon Walter <[email protected]>
> Date: Thu, 26 Nov 2009 09:37:47 +0900
> Dustin Puryear wrote:
>> If you connect to port 636/tcp on a DC via ldp.exe then SSL is enabled.

That's assuming quite a lot, since port 636 is not officially reserved for SSL use in any IETF/IANA registry.

> OK that's good news. So since I can connect with ldp.exe, what should I
> be doing to connect via ldapsearch? This is what I've tried:
>
> $ ldapsearch -W -LLL -E pr=200/noprompt -h adserver -p 636 -D
> "[email protected]" -b "dc=domain, dc=com" -s sub "(cn=*)" cn mail sn
>
> Should it work?

No. Specifying the port number only does that, it doesn't turn on SSL at all. (Nor should it. The Microsoft tools are, as usual, playing fast and loose with the LDAP specs.)

The way to get SSL is to use a URI, and stop using the old/deprecated -h and -p options. Read the ldapsearch(1) manpage.

ldapsearch -H ldaps://adserver:636

> There was one thing I was not sure of, do I need to
> install a certificate on the client? That was never very clear to me in
> what I've read so far.

Then you haven't been reading the right docs. Try this instead:
http://www.openldap.org/doc/admin24/tls.html

-- 
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
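The two points the thread makes, that only an ldaps:// URI (not -p 636) turns on TLS in the OpenLDAP client, and that the client needs the DC's CA certificate to verify the server, put together as a script. This is an added example, not code from the thread or from the OpenLDAP project; it goes a little beyond the thread by first doing a real TLS handshake with openssl to confirm that whatever is on 636 actually speaks TLS, and by pinning the CA with the LDAPTLS_CACERT / LDAPTLS_REQCERT environment variables that ldap.conf(5) documents. The host name "adserver", the bind account "[email protected]", the base DN and the CA path /etc/ssl/certs/ad-ca.pem are assumptions; replace them with your own.

```shell
#!/usr/bin/env bash
# Added example, not from the mailing-list thread. Assumed values:
#   DC host           adserver
#   bind account      [email protected]
#   CA certificate    /etc/ssl/certs/ad-ca.pem  (the CA that issued the DC's cert)
set -eu

# Build the URI the OpenLDAP tools need. The ldaps scheme is what enables
# TLS-on-connect; "-h host -p 636" only changes the TCP port.
ldaps_uri() {
    printf 'ldaps://%s:%s\n' "$1" "$2"
}

# True only for a URI that will be TLS from the first byte.
is_ldaps() {
    case "$1" in
        ldaps://*) return 0 ;;
        *)         return 1 ;;
    esac
}

# An open port 636 proves nothing. Do a real handshake and print the
# certificate's subject, issuer and validity; the issuer is the CA the
# client has to trust.
probe_tls() {
    printf 'Q\n' | openssl s_client -connect "$1:$2" -servername "$1" -showcerts 2>/dev/null \
        | openssl x509 -noout -subject -issuer -dates
}

# The search itself.
#   -x              simple bind; without it ldapsearch tries SASL and ignores -D/-W
#   -H uri          ldaps scheme turns on TLS
#   LDAPTLS_CACERT  overrides TLS_CACERT from ldap.conf for this process only
#   LDAPTLS_REQCERT=demand  fail closed if the DC's cert does not chain to that CA
ad_search() {
    uri=$1; binddn=$2; base=$3; cacert=$4
    if ! is_ldaps "$uri"; then
        echo "refusing to send credentials without TLS: $uri" >&2
        return 1
    fi
    LDAPTLS_CACERT="$cacert" LDAPTLS_REQCERT=demand \
    ldapsearch -x -W -LLL -E pr=200/noprompt \
        -H "$uri" -D "$binddn" -b "$base" -s sub '(cn=*)' cn mail sn
}

# Network steps run only when a DC host is given on the command line, so the
# file can also be sourced offline for its helper functions.
if [ "$#" -ge 1 ]; then
    dc=$1
    probe_tls "$dc" 636
    ad_search "$(ldaps_uri "$dc" 636)" "[email protected]" "dc=domain,dc=com" \
        /etc/ssl/certs/ad-ca.pem
fi
```

Run it as `bash ad-ldaps.sh adserver`; the openssl output shows the issuer you need to export into ad-ca.pem before the ldapsearch step will verify. The other route the ldapsearch(1) manpage offers is `-H ldap://adserver -ZZ`, StartTLS on 389, which AD also supports; the same LDAPTLS_CACERT setting applies there.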
