> Date: Thu, 9 Nov 2006 18:52:58 -0600
> From: Greg Hetrick <ghetrick at minderaser.org>
> New to FDS/LDAP, doing a proof of concept, and I have FDS 1.0.4
> installed with SSL enabled on the DS side, TLS enabled on an FC 6
> client. In ldap config I have TLS_REQCERT required.
>
> Question is, should ldap traffic generated from the client to the
> server pass on port 636 or port 389? I am seeing traffic that is
> supposed to be encrypted passing on the regular ldap port (389).

ldaps:// uses port 636 by default. That's the non-standard method of using LDAP over SSL that was common with LDAPv2. The connection has SSL/TLS enabled on it from the moment the connection opens.

LDAPv3 uses port 389 by default. Connections are always opened in the clear. Then the StartTLS Extended Operation is issued by the client, and an SSL/TLS layer is added to the connection.

> I am seeing what appears to be correct in the access logs during the
> communication indicating that the traffic is in fact encrypted.

Your log clearly shows StartTLS being used, successfully. Looks normal.

-- 
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/
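To make concrete what a packet capture on port 389 shows in the StartTLS case described above, here is an added example (not part of the thread, and not FDS or OpenLDAP code) that BER-encodes and decodes the two cleartext PDUs of the StartTLS exchange per RFC 4511: the client's ExtendedRequest carrying OID 1.3.6.1.4.1.1466.20037 and the server's ExtendedResponse, after which the TLS ClientHello follows on the same socket. The sample exchange is constructed in the code, and the responseName field in the response is optional in the protocol, so the decoder accepts it present or absent rather than assuming what a particular server sends.

```python
# Added example: the LDAPv3 StartTLS exchange on port 389, BER-encoded by hand
# per RFC 4511. Both PDUs below are constructed here, not captured from the thread.

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # RFC 4511 section 4.14

TAG_SEQUENCE = 0x30       # LDAPMessage envelope
TAG_INTEGER = 0x02        # messageID
TAG_ENUMERATED = 0x0A     # resultCode
TAG_OCTET_STRING = 0x04   # matchedDN, diagnosticMessage
TAG_EXTENDED_REQ = 0x77   # [APPLICATION 23] constructed
TAG_EXTENDED_RESP = 0x78  # [APPLICATION 24] constructed
TAG_REQUEST_NAME = 0x80   # [0] inside ExtendedRequest
TAG_RESPONSE_NAME = 0x8A  # [10] inside ExtendedResponse (optional)

def ber_length(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(value)) + value

def ber_integer(n: int) -> bytes:
    """Non-negative INTEGER; a leading 0x00 keeps a set top bit from reading as negative."""
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return tlv(TAG_INTEGER, body)

def starttls_request(message_id: int) -> bytes:
    """Client -> server: extendedReq whose requestName is the StartTLS OID, no requestValue."""
    ext = tlv(TAG_EXTENDED_REQ, tlv(TAG_REQUEST_NAME, STARTTLS_OID.encode("ascii")))
    return tlv(TAG_SEQUENCE, ber_integer(message_id) + ext)

def starttls_response(message_id: int, result_code: int = 0, diagnostic: str = "") -> bytes:
    """Server -> client: LDAPResult (resultCode, empty matchedDN, diagnosticMessage) + responseName."""
    result = (tlv(TAG_ENUMERATED, bytes([result_code]))
              + tlv(TAG_OCTET_STRING, b"")
              + tlv(TAG_OCTET_STRING, diagnostic.encode("utf-8"))
              + tlv(TAG_RESPONSE_NAME, STARTTLS_OID.encode("ascii")))
    return tlv(TAG_SEQUENCE, ber_integer(message_id) + tlv(TAG_EXTENDED_RESP, result))

def parse_tlv(buf: bytes, offset: int = 0):
    """Decode one TLV starting at offset; return (tag, value, offset_after)."""
    tag, length, offset = buf[offset], buf[offset + 1], offset + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[offset:offset + n], "big")
        offset += n
    return tag, buf[offset:offset + length], offset + length

def parse_ldap_message(buf: bytes):
    """Return (message_id, op_tag, op_value) for a single LDAPMessage PDU."""
    tag, body, _ = parse_tlv(buf)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    tag, msg_id, off = parse_tlv(body)
    if tag != TAG_INTEGER:
        raise ValueError("missing messageID")
    op_tag, op_value, _ = parse_tlv(body, off)
    return int.from_bytes(msg_id, "big"), op_tag, op_value

def is_starttls_request(buf: bytes) -> bool:
    """True if a cleartext PDU seen on 389 is the StartTLS ExtendedRequest."""
    try:
        _, op_tag, op_value = parse_ldap_message(buf)
        if op_tag != TAG_EXTENDED_REQ:
            return False
        tag, name, _ = parse_tlv(op_value)
    except (IndexError, ValueError):
        return False
    return tag == TAG_REQUEST_NAME and name == STARTTLS_OID.encode("ascii")

def parse_starttls_response(buf: bytes) -> dict:
    """Decode the ExtendedResponse; resultCode 0 means the client may now start the TLS handshake."""
    msg_id, op_tag, body = parse_ldap_message(buf)
    if op_tag != TAG_EXTENDED_RESP:
        raise ValueError("not an ExtendedResponse")
    _, code, off = parse_tlv(body)
    _, _matched_dn, off = parse_tlv(body, off)
    _, diag, off = parse_tlv(body, off)
    name = None
    if off < len(body):  # responseName is optional; a server may omit it
        tag, value, _ = parse_tlv(body, off)
        if tag == TAG_RESPONSE_NAME:
            name = value.decode("ascii")
    return {"message_id": msg_id, "result_code": int.from_bytes(code, "big"),
            "diagnostic": diag.decode("utf-8"), "response_name": name}

def looks_like_tls_record(buf: bytes) -> bool:
    """After a successful StartTLS, the next bytes on the same socket are a TLS
    handshake record: content type 0x16, protocol version major byte 0x03."""
    return len(buf) >= 3 and buf[0] == 0x16 and buf[1] == 0x03

if __name__ == "__main__":
    request, response = starttls_request(1), starttls_response(1)  # constructed sample exchange
    print("C:", request.hex())
    print("S:", response.hex(), parse_starttls_response(response))
```

On an ldap:// session these two PDUs are the only readable LDAP a capture on 389 should contain; everything after them must satisfy looks_like_tls_record, and any later cleartext bind or search on that socket means the client fell back to plaintext. On ldaps://:636 there is no such preamble and the very first bytes of the connection are already a TLS record.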