>> I'd simply support both. LDAPS has the advantage that you can really mandate that the client must successfully establish an encrypted channel *before* sending any LDAP PDU with possibly confidential information.
Thanks for your info. I probably will support both LDAPS and startTLS in my deployment.
>> start tls is an extended operation. Your ldap server may not support it. With start TLS part of the conversion happens unencrypted.
Yup, fortunely Fedora DS supports startTLS. :-)
- David
On Wed, Apr 9, 2008 at 7:14 PM, Edward Capriolo <edlinuxguru@xxxxxxxxx> wrote:
start tls is an extended operation. Your ldap server may not support
it. With start TLS part of the conversion happens unencrypted.
On Wed, Apr 9, 2008 at 6:37 PM, Michael Ströder <michael@xxxxxxxxxxxx> wrote:
> Chun Tat David Chu wrote:
>
> >
> > I'm currently looking into LDAP authentication and would like to know
> about what is the preferred authentication mechanism. If I want to use TLS
> for authentication, should I use LDAPS or startTLS?
> >
>
> Both are not client authentication mechs if you don't use client
> certificates. In most deployments the SSL/TLS protocol provides server
> authentication and an encrypted data communication channel.
>
>
>
> > I surfed on the Internet, and it appears that startTLS should be
> deprecating LDAPS but a lot of people are still using LDAPS today.
> >
>
> I'd simply support both. LDAPS has the advantage that you can really
> mandate that the client must successfully establish an encrypted channel
> *before* sending any LDAP PDU with possibly confidential information.
>
> Ciao, Michael.
>
>
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
-- Fedora-directory-users mailing list Fedora-directory-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-users
