[CentOS] LDAP authentication on a remote server (via ldaps://) [SOLVED]

Wed Oct 6 21:27:08 UTC 2010
Miguel Medalha <miguelmedalha at sapo.pt>

>> Are you aware that SSL on port 636 is now considered deprecated in favor of
>> START_TLS on port 389?
> No, I'm not (I actually thought that it was the other way round)
> (...)
> What are the pro and cons of both approaches?
> Comments more than welcome

You can, as an example, consult the Wikipedia article on LDAP. It states:



The StartTLS operation establishes Transport Layer Security (the 
descendant of SSL) on the connection. It can provide data 
confidentiality (to protect data from being observed by third parties) 
and/or data integrity protection (which protects the data from 
tampering). During TLS negotiation the server sends its X.509  
certificate to prove its identity. The client may also send a 
certificate to prove its identity. After doing so, the client may then 
use SASL/EXTERNAL. By using the SASL/EXTERNAL, the client requests the 
server derive its identity from credentials provided at a lower level 
(such as TLS). Though technically the server may use any identity 
information established at any lower level, typically the server will 
use the identity information established by TLS.

Servers also often support the non-standard "LDAPS" ("Secure LDAP", 
commonly known as "LDAP over SSL") protocol on a separate port, by 
default 636. LDAPS differs from LDAP in two ways: 1) upon connect, the 
client and server establish TLS before any LDAP messages are transferred 
(without a StartTLS operation) and 2) the LDAPS connection must be 
closed upon TLS closure.

LDAPS was used with LDAPv2, because the StartTLS operation had not yet 
been defined. The use of LDAPS is deprecated, and modern software should 
only use StartTLS .



A quick search will provide plenty of articles about the subject.