Dustin Puryear wrote:
No, it's not. If a Windows AD DC is listening on port 636/tcp, it can safely be assumed that SSL is running, unless someone has mucked around with the Registry and changed the default ports.

That's irrelevant. ldp.exe is meant to be a generic LDAP tool. It works with other LDAP servers. Making the assumption that any LDAP server listening on port 636 is using LDAP over SSL is an unsafe assumption, particularly since (as I already mentioned) there has never been any official specification reserving port 636 for this purpose, and the use of LDAP over SSL was deprecated back in 2000. LDAPv3-compliant LDAP servers rely on StartTLS.

Of course the entire notion of reserved ports is kind of obsolete these days. That's like assuming that HTTP servers must listen on port 80, despite the myriad servers out there running on 8080, 8000, and various other randomly chosen ports. (Or the myriad other non-HTTP services usurping port 80 to bypass local firewall rules.)

-----Original Message-----
From: bounce-ldap-3356...@listserver.itd.umich.edu
[mailto:bounce-ldap-3356...@listserver.itd.umich.edu] On Behalf Of
Howard Chu
Sent: Thursday, November 26, 2009 2:02 AM
To: LDAP list
Subject: [ldap] Re: ldap ssl MS AD

From: Simon Walter<simon.wal...@hokkaidotracks.com>
Date: Thu, 26 Nov 2009 09:37:47 +0900

Dustin Puryear wrote:
If you connect to port 636/tcp on a DC via ldp.exe then SSL is enabled.

That's assuming quite a lot, since port 636 is not officially reserved for SSL use in any IETF/IANA registry.

OK that's good news. So since I can connect with ldp.exe, what should I be doing to connect via ldapsearch? This is what I've tried:

$ ldapsearch -W -LLL -E pr=200/noprompt -h adserver -p 636 -D "u...@domain.com" -b "dc=domain, dc=com" -s sub "(cn=*)" cn mail sn

Should it work?

No. Specifying the port number only does that, it doesn't turn on SSL at all. (Nor should it. The Microsoft tools are, as usual, playing fast and loose with the LDAP specs.) The way to get SSL is to use a URI, and stop using the old/deprecated -h and -p options. Read the ldapsearch(1) manpage.

     ldapsearch -H ldaps://adserver:636

There was one thing I was not sure of, do I need to install a certificate on the client? That was never very clear to me in what I've read so far.

Then you haven't been reading the right docs. Try this instead:

http://www.openldap.org/doc/admin24/tls.html



--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
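
The thread's point is that a port number tells you nothing: ldaps:// means TLS from the first byte, StartTLS is an LDAPv3 extended operation negotiated on a plaintext connection, and the client has to trust the issuing CA in either case. The following probe is an added example, not code from OpenLDAP, Microsoft or anyone in this thread. It hand-encodes the root DSE search that `ldapsearch -x -s base -b "" supportedExtension` would send and checks the reply for the StartTLS OID (1.3.6.1.4.1.1466.20037, from RFC 4511); the OID check is a substring match on the BER-encoded value rather than a full decoder, which is an assumption that holds for a root DSE reply but is not a general LDAP parser. The host name is a placeholder, and `probe()` needs network access, so only the encoder and the OID check are exercised offline.

```python
"""Probe whether an LDAP endpoint is TLS-on-connect (ldaps://) or plaintext with StartTLS.

Added example for this thread; not OpenLDAP or Microsoft code.  "adserver" is a placeholder.
"""
import socket
import ssl
import sys
from typing import Optional

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # StartTLS extended operation, RFC 4511


def ber(tag: int, content: bytes) -> bytes:
    """Minimal BER TLV: one tag byte, definite length (short form or 1-/2-byte long form), content."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content


def rootdse_search_request(msg_id: int = 1) -> bytes:
    """LDAPMessage { messageID, SearchRequest } asking the root DSE for supportedExtension.

    Wire-equivalent of: ldapsearch -x -s base -b "" "(objectClass=*)" supportedExtension
    """
    body = (
        ber(0x04, b"")                                  # baseObject: "" (root DSE)
        + ber(0x0A, b"\x00")                            # scope: baseObject
        + ber(0x0A, b"\x00")                            # derefAliases: neverDerefAliases
        + ber(0x02, b"\x00")                            # sizeLimit 0
        + ber(0x02, b"\x00")                            # timeLimit 0
        + ber(0x01, b"\x00")                            # typesOnly FALSE
        + ber(0x87, b"objectClass")                     # filter: present [7] "objectClass"
        + ber(0x30, ber(0x04, b"supportedExtension"))   # attributes to return
    )
    return ber(0x30, ber(0x02, bytes([msg_id])) + ber(0x63, body))  # 0x63 = [APPLICATION 3]


def advertises_starttls(search_response: bytes) -> bool:
    """True if the StartTLS OID occurs as an OCTET STRING value in the raw search response.

    Assumption: a substring match on the encoded value is enough for a root DSE reply;
    this is a probe heuristic, not a BER decoder.
    """
    return ber(0x04, STARTTLS_OID.encode()) in search_response


def probe(host: str, port: int, cafile: Optional[str] = None, timeout: float = 5.0) -> str:
    """Classify host:port.  Needs the network, so the offline test does not call it."""
    ctx = ssl.create_default_context(cafile=cafile)   # verification stays on: a probe is not a bypass
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "tls-on-connect (ldaps://), certificate trusted"
    except ssl.SSLCertVerificationError:
        return "tls-on-connect (ldaps://), but the server cert is NOT trusted: point TLS_CACERT at the issuing CA"
    except (ssl.SSLError, OSError):
        pass  # no TLS record came back for our ClientHello: not ldaps, so try plaintext LDAP

    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(rootdse_search_request())
        data = b""
        try:
            # The server keeps the connection open after SearchResultDone, so stop on the OID,
            # on EOF, or when the read times out.
            while len(data) < 65536 and not advertises_starttls(data):
                chunk = raw.recv(4096)
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            pass
    if advertises_starttls(data):
        return "plaintext LDAP, StartTLS advertised: use -H ldap://host -ZZ"
    return "plaintext LDAP, no StartTLS advertised: credentials would cross the wire in the clear"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "adserver"   # placeholder host
    for p in (636, 389):
        print(p, probe(target, p, cafile=sys.argv[2] if len(sys.argv) > 2 else None))
```

With ldapsearch itself the same two outcomes map to `-H ldaps://adserver` and `-H ldap://adserver -ZZ` (the double Z makes a failed StartTLS fatal instead of silently falling back to plaintext). In both cases the "certificate on the client" question has one answer: the CA that issued the DC's server certificate must be reachable through `TLS_CACERT` in ldap.conf or ldaprc (or the `LDAPTLS_CACERT` environment variable); setting `TLS_REQCERT never` makes the connection work but throws away the only thing that distinguishes the DC from anyone else answering on that port.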
