No, it's not. If a Windows AD DC is listening on port 636/tcp, it can
safely be assumed that SSL is running, unless someone has mucked around
with the Registry and changed the default ports.

-----Original Message-----
[] On Behalf Of
Howard Chu
Sent: Thursday, November 26, 2009 2:02 AM
To: LDAP list
Subject: [ldap] Re: ldap ssl MS AD

> From: Simon Walter<>
> Date: Thu, 26 Nov 2009 09:37:47 +0900

> Dustin Puryear wrote:
>> If you connect to port 636/tcp on a DC via ldp.exe then SSL is

That's assuming quite a lot, since port 636 is not officially reserved
for SSL use in any IETF/IANA registry.

> OK that's good news. So since I can connect with ldp.exe, what should
> I be doing to connect via ldapsearch? This is what I've tried:
> $ ldapsearch -W -LLL -E pr=200/noprompt -h adserver -p 636 -D
> "" -b "dc=domain, dc=com" -s sub "(cn=*)" cn mail sn
> Should it work?

No. Specifying the port number only does that, it doesn't turn on SSL at
(Nor should it. The Microsoft tools are, as usual, playing fast and
loose with the LDAP specs.) The way to get SSL is to use a URI, and stop
using the old/deprecated -h and -p options. Read the ldapsearch(1) manpage.

    ldapsearch -H ldaps://adserver:636

> There was one thing I was not sure of, do I need to
> install a certificate on the client? That was never very clear to me
> what I've read so far.

Then you haven't been reading the right docs. Try this instead:

   -- Howard Chu
   CTO, Symas Corp. 
   Director, Highland Sun
   Chief Architect, OpenLDAP
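The URI form recommended above, the "-p 636 with no ldaps://" mistake from the quoted command, and the check a defender would run before trusting that a port actually speaks TLS, as an added shell example that is not part of this thread. Host names, the base DN, bind DN and CA file path are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the ldapsearch call the
# thread recommends (a -H ldaps:// URI instead of -h/-p), flags the
# "-p 636 with no URI" mistake, and probes whether a port really answers
# TLS with a certificate chaining to a known CA. Host names, the base DN,
# the bind DN and the CA file path are placeholders.

# Legacy -h/-p arguments mapped to the URI form. A port number alone does
# not enable TLS in OpenLDAP's ldapsearch; the ldaps:// scheme does.
ldap_uri() {
    if [ "$3" = yes ]; then echo "ldaps://$1:$2"; else echo "ldap://$1:$2"; fi
}

# Detect the mistake from the thread: -p 636 without an ldaps:// URI, so
# ldapsearch would send cleartext LDAP to a TLS-only listener.
port_only_no_tls() {
    case " $* " in
        *" -p 636 "*) case " $* " in *ldaps://*) return 1 ;; *) return 0 ;; esac ;;
        *) return 1 ;;
    esac
}

# Full command. The client needs no certificate of its own for plain TLS;
# it needs the CA that issued the DC's certificate so it can verify the
# server (LDAPTLS_CACERT, with OpenLDAP's default TLS_REQCERT=demand).
ldapsearch_cmd() {
    host=$1; base=$2; binddn=$3; cacert=$4
    printf 'LDAPTLS_CACERT=%s ldapsearch -x -W -LLL -E pr=200/noprompt -H %s -D "%s" -b "%s" -s sub "(cn=*)" cn mail sn\n' \
        "$cacert" "$(ldap_uri "$host" 636 yes)" "$binddn" "$base"
}

# Check that the port speaks TLS and presents a certificate valid under
# $cacert for this host name (exit 0), instead of assuming so from the
# port number. Needs OpenSSL 1.1.0+ for -verify_hostname.
port_speaks_tls() {
    host=$1; port=$2; cacert=$3
    openssl s_client -connect "$host:$port" -CAfile "$cacert" \
        -verify_hostname "$host" -verify_return_error \
        </dev/null >/dev/null 2>&1
}

# Usage (placeholders): ldapsearch_cmd dc01.example.com "dc=example,dc=com" \
#   "cn=reader,cn=users,dc=example,dc=com" /etc/ssl/certs/example-ca.pem
```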
