Yes it certainly is. Thanks, Sam!

On Tuesday, January 7, 2014 4:15:25 PM UTC-8, Stephen Gallagher wrote:
>
> On 01/07/2014 06:35 PM, markd...@gmail.com wrote: 
> > Hi Sam. Thanks for looking at the LDAP config. I've never quite 
> > understood it fully. 
> > 
> > If you don't mind I'd like to ask a related question: Do you know what 
> > the "use TLS for authentication" button does exactly? I thought that if 
> > you wanted ldap/s you just supplied an ldaps://<url>:636 specification 
> > in the LDAP server field. At least that seems to work. 
> > 
> > Maybe that button causes an ldap:// url to use port 636 instead of 389? 
> > 
> > If you know that's great otherwise I'll dig into that part of the code :-) 
> > 
>
> LDAPS is not TLS. It's a common misconception. LDAPS is the LDAP 
> protocol wrapped in an SSL layer. This requires a separate port (636) 
> because SSL cannot be negotiated on the same port as a non-SSL connection. 
>
> However, LDAP+TLS can occur on the same port as non-encrypted LDAP. What 
> happens is that it first initiates a connection to the socket and then 
> issues a START_TLS command against the LDAP server, which does the 
> security negotiation and then encrypts all further communication with 
> the server. (LDAP servers can be configured fairly easily to disallow 
> any operational commands from working except when wrapped in TLS). 
>
> So they're similar, but not the same. That checkbox basically means "I'm 
> using the ldap:// protocol, make sure I send START_TLS", whereas just 
> providing LDAPS:// in the LDAP Server field will occur on an SSL port. 
>
> In case you're wondering, TLS is the generally-recommended approach in 
> LDAP (and LDAPS is officially "deprecated", but with no plans to 
> actually retire it because it's in heavy use). TLS is the successor to 
> SSL for over-the-internet encryption. 
>
>
> I hope this has been enlightening. 
>
>

-- 
Get the Review Board Power Pack at http://www.reviewboard.org/powerpack/
---
Sign up for Review Board hosting at RBCommons: https://rbcommons.com/
---
Happy user? Let us know at http://www.reviewboard.org/users/
--- 
You received this message because you are subscribed to the Google Groups 
"reviewboard" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to reviewboard+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
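
The StartTLS exchange described in the quoted reply, as an added example that is not part of the original thread or Review Board's code: it builds the StartTLS extended request a client sends over an `ldap://` connection and proceeds only when the server's reply reports success. The function names and the two sample replies are constructed for illustration, and `plan` is a hypothetical helper.

```python
# Added example (not Review Board code): StartTLS on the plain LDAP port.
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # StartTLS extended operation (RFC 4511)

def tlv(tag, value):
    """BER-encode one element; short-form length only (value under 128 bytes)."""
    assert len(value) < 0x80
    return bytes([tag, len(value)]) + value

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the short-form element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    if length >= 0x80 or pos + 2 + length > len(buf):
        raise ValueError("unsupported or truncated BER element")
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def starttls_request(msg_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }.
    msg_id must fit in one byte (1..127) in this sketch."""
    ext = tlv(0x77, tlv(0x80, STARTTLS_OID))
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + ext)

def starttls_accepted(response, msg_id=1):
    """True only for an ExtendedResponse to msg_id with resultCode success(0).
    Anything else means: do not bind, the session would stay unencrypted."""
    try:
        tag, body, _ = read_tlv(response)
        id_tag, id_val, pos = read_tlv(body)
        op_tag, op, _ = read_tlv(body, pos)
        rc_tag, rc, _ = read_tlv(op)
    except (ValueError, IndexError):
        return False
    tags_ok = (tag, id_tag, op_tag, rc_tag) == (0x30, 0x02, 0x78, 0x0A)
    return tags_ok and id_val == bytes([msg_id]) and rc == b"\x00"

def plan(url, use_starttls):
    """Hypothetical helper: wire behaviour for a server URL plus the TLS checkbox."""
    scheme = url.split("://", 1)[0].lower()
    if scheme == "ldaps":
        return "TLS handshake first, then LDAP (default port 636)"
    if scheme == "ldap" and use_starttls:
        return "plain connect (default port 389), StartTLS request, TLS handshake, bind"
    return "cleartext LDAP: bind credentials cross the network unencrypted"

# Constructed server replies (not captured traffic).
OK_REPLY = bytes.fromhex("300c02010178070a010004000400")       # resultCode 0
REFUSED_REPLY = bytes.fromhex("300c02010178070a010204000400")  # resultCode 2
```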
