No, it's not. If a Windows AD DC is listening on port 636/tcp, it can
safely be assumed that SSL is running, unless someone has mucked around
with the Registry and changed the default ports.

-----Original Message-----
From: bounce-ldap-3356...@listserver.itd.umich.edu
[mailto:bounce-ldap-3356...@listserver.itd.umich.edu] On Behalf Of
Howard Chu
Sent: Thursday, November 26, 2009 2:02 AM
To: LDAP list
Subject: [ldap] Re: ldap ssl MS AD

> From: Simon Walter<simon.wal...@hokkaidotracks.com>
> Date: Thu, 26 Nov 2009 09:37:47 +0900

> Dustin Puryear wrote:
>> If you connect to port 636/tcp on a DC via ldp.exe then SSL is enabled.

That's assuming quite a lot, since port 636 is not officially reserved for
SSL use in any IETF/IANA registry.

> OK that's good news. So since I can connect with ldp.exe, what should I
> be doing to connect via ldapsearch? This is what I've tried:
>
> $ ldapsearch -W -LLL -E pr=200/noprompt -h adserver -p 636 -D
> "u...@domain.com" -b "dc=domain, dc=com" -s sub "(cn=*)" cn mail sn
>
> Should it work?

No. Specifying the port number only does that; it doesn't turn on SSL at
all. (Nor should it. The Microsoft tools are, as usual, playing fast and
loose with the LDAP specs.) The way to get SSL is to use a URI, and stop
using the old/deprecated -h and -p options. Read the ldapsearch(1) manpage.

    ldapsearch -H ldaps://adserver:636

> There was one thing I was not sure of, do I need to install a
> certificate on the client? That was never very clear to me in what
> I've read so far.

Then you haven't been reading the right docs. Try this instead:

http://www.openldap.org/doc/admin24/tls.html

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
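
The LDAPS query discussed in this thread, written out as an added example
(this is not code from the thread or from the OpenLDAP project). It assumes
a DC named "adserver", a bind UPN "user@domain.com", a base
"dc=domain,dc=com" and a CA file "/etc/ssl/certs/ad-root-ca.pem" holding
the CA that issued the DC's certificate; all of those are placeholders.
The TLS switch comes from the ldaps:// scheme in the URI, and the client
gets its trust anchor through the environment form of the ldap.conf(5)
TLS_CACERT option, which is the "certificate on the client" the question
asked about.

```shell
#!/bin/sh
# Added example, not from the thread. Query an AD DC over LDAPS with
# OpenLDAP's ldapsearch and have libldap verify the DC's certificate.
# Assumed names: host "adserver", bind UPN "user@domain.com",
# base "dc=domain,dc=com", CA file "/etc/ssl/certs/ad-root-ca.pem".

# Build an LDAP URI from an explicit scheme. The OpenLDAP tools enable
# TLS from the "ldaps://" scheme, never from "-p 636", so the scheme is
# required and anything other than ldap/ldaps is rejected.
ldap_uri() {
  scheme=$1 host=$2 port=$3
  case $scheme in
    ldap|ldaps) printf '%s://%s:%s\n' "$scheme" "$host" "$port" ;;
    *) echo "ldap_uri: scheme must be ldap or ldaps, got '$scheme'" >&2
       return 1 ;;
  esac
}

# Point libldap at the CA that signed the DC certificate and require a
# verified chain. These are the environment forms of the ldap.conf(5)
# TLS_CACERT and TLS_REQCERT settings; "demand" (also the default) makes
# the connection fail on any certificate problem instead of continuing.
ldaps_trust() {
  LDAPTLS_CACERT=$1
  LDAPTLS_REQCERT=demand
  export LDAPTLS_CACERT LDAPTLS_REQCERT
}

# Show subject, issuer and validity of the certificate the DC presents
# on 636, so the operator can see which CA to put into LDAPTLS_CACERT
# before trusting it.
show_dc_cert() {
  openssl s_client -connect "$1:636" -showcerts </dev/null 2>/dev/null |
    openssl x509 -noout -subject -issuer -dates
}

# The search from the thread, corrected: a URI instead of -h/-p, and -x
# so the UPN given with -D is used for a simple bind (without -x the
# tools attempt a SASL bind and -D is not what authenticates).
ad_search() {
  uri=$1 binddn=$2 base=$3 filter=$4
  ldapsearch -H "$uri" -x -W -LLL -E pr=200/noprompt \
    -D "$binddn" -b "$base" -s sub "$filter" cn mail sn
}

# Only touch the network when explicitly asked to.
if [ "${RUN_LDAPS_DEMO:-0}" = 1 ]; then
  ldaps_trust /etc/ssl/certs/ad-root-ca.pem
  show_dc_cert adserver
  ad_search "$(ldap_uri ldaps adserver 636)" \
    user@domain.com dc=domain,dc=com '(cn=*)'
fi
```

Run it with RUN_LDAPS_DEMO=1 to perform the query; ldapsearch prompts for
the password because of -W. The same TLS_CACERT / TLS_REQCERT settings can
go into /etc/openldap/ldap.conf (or ~/.ldaprc) instead of the environment.
If the DC uses a self-signed certificate, show_dc_cert will print it as its
own issuer; in that case the certificate itself is what belongs in the CA
file, and TLS_REQCERT should still stay at demand rather than being
lowered to allow or never.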
