start tls is an extended operation. Your ldap server may not support it. With start TLS part of the conversion happens unencrypted. On Wed, Apr 9, 2008 at 6:37 PM, Michael Str?der <michael at stroeder.com> wrote: > Chun Tat David Chu wrote: > > > > > I'm currently looking into LDAP authentication and would like to know > about what is the preferred authentication mechanism. If I want to use TLS > for authentication, should I use LDAPS or startTLS? > > > > Both are not client authentication mechs if you don't use client > certificates. In most deployments the SSL/TLS protocol provides server > authentication and an encrypted data communication channel. > > > > > I surfed on the Internet, and it appears that startTLS should be > deprecating LDAPS but a lot of people are still using LDAPS today. > > > > I'd simply support both. LDAPS has the advantage that you can really > mandate that the client must successfully establish an encrypted channel > *before* sending any LDAP PDU with possibly confidential information. > > Ciao, Michael. > > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users >
