On 01/07/2014 06:35 PM, markdbe...@gmail.com wrote:
> Hi Sam. Thanks for looking at the LDAP config. I've never quite
> understood it fully.
>
> If you don't mind I'd like to ask a related question: Do you know what
> the "use TLS for authentication" button does exactly? I thought that if
> you wanted ldap/s you just supplied an ldaps://<url>:636 specification
> in the LDAP server field. At least that seems to work.
>
> Maybe that button causes an ldap:// url to use port 636 instead of 389?
>
> If you know, that's great; otherwise I'll dig into that part of the code :-)
>
LDAPS is not TLS. It's a common misconception. LDAPS is the LDAP protocol wrapped in an SSL layer. This requires a separate port (636) because SSL cannot be negotiated on the same port as a non-SSL connection.

However, LDAP+TLS can occur on the same port as non-encrypted LDAP. What happens is that it first initiates a connection to the socket and then issues a START_TLS command against the LDAP server, which does the security negotiation and then encrypts all further communication with the server. (LDAP servers can be configured fairly easily to disallow any operational commands from working except when wrapped in TLS.)

So they're similar, but not the same. That checkbox basically means "I'm using the ldap:// protocol, make sure I send START_TLS", whereas just providing LDAPS:// in the LDAP Server field will occur on an SSL port.

In case you're wondering, TLS is the generally recommended approach in LDAP (and LDAPS is officially "deprecated", but with no plans to actually retire it because it's in heavy use). TLS is the successor to SSL for over-the-internet encryption.

I hope this has been enlightening.

--
Get the Review Board Power Pack at http://www.reviewboard.org/powerpack/
---
Sign up for Review Board hosting at RBCommons: https://rbcommons.com/
---
Happy user? Let us know at http://www.reviewboard.org/users/
---
You received this message because you are subscribed to the Google Groups "reviewboard" group.
To unsubscribe from this group and stop receiving emails from it, send an email to reviewboard+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
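The two connection styles described in the reply, as an added example that is not part of the original thread and not Review Board's own code. It builds the actual StartTLS ExtendedRequest bytes (RFC 4511, OID 1.3.6.1.4.1.1466.20037), decodes the server's ExtendedResponse, and contrasts an LDAPS connect (TLS before any LDAP byte, port 636) with a StartTLS connect (plaintext on 389, then the same socket is upgraded). The `plan_connection` function is my model of the URL-plus-checkbox semantics Sam describes, not the project's implementation; the two sample server responses are constructed for the example.

```python
"""Added example (not from the Review Board thread or project): LDAPS versus LDAP+StartTLS.

  LDAPS          -> TLS handshake first, on a dedicated port (636), then LDAP.
  LDAP+StartTLS  -> plaintext LDAP on 389, an ExtendedRequest carrying the
                    StartTLS OID, then TLS is negotiated on the same socket.

Wire encoding follows RFC 4511 (LDAPMessage / ExtendedRequest / ExtendedResponse).
The sample server responses below are constructed for this example.
"""
import socket
import ssl
from urllib.parse import urlsplit

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # RFC 4511, section 4.14


def _ber_len(n):
    # BER definite length: short form below 128, long form otherwise.
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _read_tlv(buf, pos):
    # Returns (tag, value, position just after this TLV).
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def starttls_request(message_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    assert 0 <= message_id < 0x80, "a single-byte INTEGER is enough for this example"
    msg_id = _tlv(0x02, bytes([message_id]))         # INTEGER messageID
    ext_req = _tlv(0x77, _tlv(0x80, STARTTLS_OID))  # 0x77 = [APPLICATION 23], 0x80 = [0] requestName
    return _tlv(0x30, msg_id + ext_req)             # outer SEQUENCE


def parse_extended_response(data):
    """Decode ExtendedResponse [APPLICATION 24]: resultCode, matchedDN, diagnosticMessage."""
    tag, body, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, msg_id, pos = _read_tlv(body, 0)
    tag, op, _ = _read_tlv(body, pos)
    if tag != 0x78:
        raise ValueError("not an ExtendedResponse (tag 0x%02x)" % tag)
    _, rc, pos = _read_tlv(op, 0)          # ENUMERATED resultCode
    _, _matched, pos = _read_tlv(op, pos)  # OCTET STRING matchedDN
    _, diag, _ = _read_tlv(op, pos)        # OCTET STRING diagnosticMessage
    return {"message_id": int.from_bytes(msg_id, "big"),
            "result_code": int.from_bytes(rc, "big"),
            "diagnostic": diag.decode("utf-8", "replace")}


# Constructed responses a server might send back to the StartTLS request.
SAMPLE_STARTTLS_OK = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(
    0x78, _tlv(0x0A, b"\x00") + _tlv(0x04, b"") + _tlv(0x04, b"")))
SAMPLE_STARTTLS_REFUSED = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(
    0x78, _tlv(0x0A, b"\x35") + _tlv(0x04, b"") + _tlv(0x04, b"TLS not available")))  # 53 = unwillingToPerform


def plan_connection(url, use_tls_checkbox):
    """Model of the semantics in the reply (assumption, not Review Board's code):
    ldaps:// means TLS-wrapped on 636; ldap:// plus the checkbox means StartTLS on 389."""
    parts = urlsplit(url)
    if parts.scheme == "ldaps":
        return ("ldaps", parts.hostname, parts.port or 636)
    if parts.scheme != "ldap":
        raise ValueError("unsupported scheme: %r" % parts.scheme)
    return ("starttls" if use_tls_checkbox else "plain", parts.hostname, parts.port or 389)


def connect_ldaps(host, port=636):
    """LDAPS: the TLS handshake happens before a single LDAP byte is exchanged."""
    ctx = ssl.create_default_context()
    return ctx.wrap_socket(socket.create_connection((host, port)), server_hostname=host)


def connect_ldap_starttls(host, port=389):
    """LDAP+StartTLS: connect in the clear, ask to upgrade, then wrap the same socket."""
    raw = socket.create_connection((host, port))
    raw.sendall(starttls_request(message_id=1))
    resp = parse_extended_response(raw.recv(4096))  # assumes the small response arrives in one read
    if resp["result_code"] != 0:
        raw.close()
        raise ConnectionError("server refused StartTLS: %d %s" % (resp["result_code"], resp["diagnostic"]))
    ctx = ssl.create_default_context()
    return ctx.wrap_socket(raw, server_hostname=host)  # everything after this point is encrypted
```

The practical check this illustrates: with StartTLS the first bytes on the wire are plaintext LDAP, so a client that ignores a non-zero resultCode (or a server that does not require TLS for binds, as the reply notes it can be configured to) will happily continue in the clear; with LDAPS a failed handshake means no LDAP traffic at all.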