Yes it certainly is. Thanks, Sam!

On Tuesday, January 7, 2014 4:15:25 PM UTC-8, Stephen Gallagher wrote:
>
> On 01/07/2014 06:35 PM, [email protected] wrote:
> > Hi Sam. Thanks for looking at the LDAP config. I've never quite
> > understood it fully.
> >
> > If you don't mind I'd like to ask a related question: Do you know what
> > the "use TLS for authentication" button does exactly? I thought that if
> > you wanted ldap/s you just supplied an ldaps://<url>:636 specification
> > in the LDAP server field. At least that seems to work.
> >
> > Maybe that button causes an ldap:// url to use port 636 instead of 389?
> >
> > If you know that's great otherwise I'll dig into that part of the code :-)
> >
>
> LDAPS is not TLS. It's a common misconception. LDAPS is the LDAP
> protocol wrapped in an SSL layer. This requires a separate port (636)
> because SSL cannot be negotiated on the same port as a non-SSL connection.
>
> However, LDAP+TLS can occur on the same port as non-encrypted LDAP. What
> happens is that it first initiates a connection to the socket and then
> issues a START_TLS command against the LDAP server, which does the
> security negotiation and then encrypts all further communication with
> the server. (LDAP servers can be configured fairly easily to disallow
> any operational commands from working except when wrapped in TLS).
>
> So they're similar, but not the same. That checkbox basically means "I'm
> using the ldap:// protocol, make sure I send START_TLS", whereas just
> providing LDAPS:// in the LDAP Server field will occur on an SSL port.
>
> In case you're wondering, TLS is the generally-recommended approach in
> LDAP (and LDAPS is officially "deprecated", but with no plans to
> actually retire it because it's in heavy use). TLS is the successor to
> SSL for over-the-internet encryption.
>
> I hope this has been enlightening.
--
You received this message because you are subscribed to the Google Groups "reviewboard" group.
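
The distinction drawn in the quoted reply above, as an added example that is not part of the original thread and not Review Board's code: it maps a server URI plus a "use TLS" checkbox to a connection plan, builds the StartTLS request that travels in cleartext on the ordinary LDAP port, and classifies the first client bytes seen on the wire. The function names and the sample payloads are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # StartTLS extended operation OID (RFC 4511)

def connection_plan(uri, use_tls_checkbox):
    """Hypothetical helper: what a client does for a URI plus a 'use TLS' checkbox."""
    u = urlsplit(uri)
    scheme = u.scheme.lower()
    if scheme == "ldaps":   # TLS handshake first, on its own port; checkbox not needed
        return {"port": u.port or 636, "mode": "ldaps", "encrypted": True}
    if scheme == "ldap":    # same port either way; StartTLS upgrades the session
        mode = "starttls" if use_tls_checkbox else "cleartext"
        return {"port": u.port or 389, "mode": mode, "encrypted": bool(use_tls_checkbox)}
    raise ValueError("not an LDAP URI: " + uri)

def starttls_request(message_id=1):
    """BER-encode the LDAPMessage holding a StartTLS ExtendedRequest (id 0..127)."""
    name = bytes([0x80, len(STARTTLS_OID)]) + STARTTLS_OID  # [0] requestName
    ext = bytes([0x77, len(name)]) + name                   # [APPLICATION 23]
    body = bytes([0x02, 0x01, message_id]) + ext            # INTEGER messageID
    return bytes([0x30, len(body)]) + body                  # SEQUENCE

def classify_first_bytes(data):
    """Classify the first client payload captured on an LDAP port."""
    if data[:2] == b"\x16\x03":
        return "tls-handshake"        # LDAPS: a TLS record precedes any LDAP
    try:
        if data[0] != 0x30:
            return "unknown"
        i = 2 if data[1] < 0x80 else 2 + (data[1] & 0x7F)  # skip BER length
        if data[i] != 0x02:
            return "unknown"
        op = data[i + 2 + data[i + 1]]                      # tag after messageID
    except IndexError:
        return "unknown"
    if op == 0x77 and STARTTLS_OID in data:
        return "starttls-request"     # cleartext request to upgrade to TLS
    if op == 0x60:
        return "cleartext-bind"       # BindRequest sent outside TLS
    return "other-ldap"

# Constructed samples: a TLS record prefix and a simple bind (DN "cn=a", password "pw").
CONSTRUCTED_TLS = b"\x16\x03\x01\x02\x00\x01"
CONSTRUCTED_BIND = b"\x30\x12\x02\x01\x01\x60\x0d\x02\x01\x03\x04\x04cn=a\x80\x02pw"

if __name__ == "__main__":
    for sample in (CONSTRUCTED_TLS, starttls_request(), CONSTRUCTED_BIND):
        print(classify_first_bytes(sample))
```

A `cleartext-bind` result on port 389 is the case the unchecked box produces with an ldap:// URI: credentials cross the network before any encryption is negotiated.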
