On 01/07/2014 06:35 PM, markdbe...@gmail.com wrote:
> Hi Sam. Thanks for looking at the LDAP config. I've never quite
> understood it fully.
> If you don't mind I'd like to ask a related question: Do you know what
> the "use TLS for authentication" button does exactly ? I thought that if
> you wanted ldap/s you just supplied an ldaps://<url>:636 specification
> in the LDAP server field. At least that seems to work.
> Maybe that button causes an ldap:// url to use port 636 instead of 389 ?
> If you know that's great otherwise I'll dig into that part of the code :-)
LDAPS is not TLS. It's a common misconception. LDAPS is the LDAP
protocol wrapped in an SSL layer. This requires a separate port (636)
because SSL cannot be negotiated on the same port as a non-SSL connection.
However, LDAP+TLS can occur on the same port as non-encrypted LDAP. What
happens is that it first initiates a connection to the socket and then
issues a START_TLS command against the LDAP server, which does the
security negotiation and then encrypts all further communication with
the server. (LDAP servers can be configured fairly easily to disallow
any operational commands from working except when wrapped in TLS).
So they're similar, but not the same. That checkbox basically means "I'm
using the ldap:// protocol, make sure I send START_TLS", whereas just
providing LDAPS:// in the LDAP Server field will occur on an SSL port.
In case you're wondering, TLS is the generally-recommended approach in
LDAP (and LDAPS is officially "deprecated", but with no plans to
actually retire it because it's in heavy use). TLS is the successor to
SSL for over-the-internet encryption.
I hope this has been enlightening.
Get the Review Board Power Pack at http://www.reviewboard.org/powerpack/
Sign up for Review Board hosting at RBCommons: https://rbcommons.com/
Happy user? Let us know at http://www.reviewboard.org/users/
You received this message because you are subscribed to the Google Groups
To unsubscribe from this group and stop receiving emails from it, send an email
For more options, visit https://groups.google.com/groups/opt_out.