[Fedora-directory-users] FDS with TLS/SSL Port issue

Howard Chu hyc at symas.com
Fri Nov 10 18:14:45 UTC 2006


> Date: Thu,  9 Nov 2006 18:52:58 -0600
> From: Greg Hetrick <ghetrick at minderaser.org>

> New to FDS/LDAP, doing a proof of concept, and I have FDS 1.0.4
> installed with SSL enabled on the DS side and TLS enabled on a FC 6
> client. In ldap config I have TLS_REQCERT required.
> 
> Question is, should ldap traffic generated from the client to the
> server pass on port 636 or port 389? I am seeing traffic that is
> supposed to be encrypted passing on the regular ldap port (389).

ldaps:// uses port 636 by default. That's the non-standard method of 
using LDAP over SSL that was common with LDAPv2. The connection has 
SSL/TLS enabled on it from the moment the connection opens.

LDAPv3 uses port 389 by default. Connections are always opened in the 
clear. Then the StartTLS Extended Operation is issued by the client, and 
an SSL/TLS layer is added to the connection.

> I am seeing what appears to be correct in the access logs during the  
> communication indicating that the traffic is in fact encrypted.

Your log clearly shows StartTLS being used, successfully. Looks normal.

-- 
   -- Howard Chu
   Chief Architect, Symas Corp.  http://www.symas.com
   Director, Highland Sun        http://highlandsun.com/hyc
   OpenLDAP Core Team            http://www.openldap.org/project/
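An added example in Python, not from Howard's reply or anywhere in the thread: it builds the StartTLS ExtendedRequest that turns a clear port-389 connection into a TLS one, and classifies constructed sample captures so the "encrypted traffic on 389" the original poster saw can be told apart from ldaps:// on 636, and from a StartTLS that was requested but never took effect. All byte strings are constructed for the example, not captured from a real server.

```python
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # StartTLS extended operation OID (RFC 4511)


def ber_len(n):
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def starttls_request(message_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    name = b"\x80" + ber_len(len(STARTTLS_OID)) + STARTTLS_OID  # [0] requestName
    ext = b"\x77" + ber_len(len(name)) + name                   # [APPLICATION 23], constructed
    mid = b"\x02\x01" + bytes([message_id])                     # INTEGER messageID (< 128)
    return b"\x30" + ber_len(len(mid + ext)) + mid + ext        # outer SEQUENCE


def is_tls_record(chunk):
    """True if the bytes start a TLS record: handshake type 0x16, major version 0x03."""
    return len(chunk) >= 3 and chunk[0] == 0x16 and chunk[1] == 0x03


def classify_stream(port, chunks):
    """Say how a captured client->server LDAP stream became encrypted, if at all.

    chunks are successive client messages in order. Returns 'ldaps' (TLS from the
    first byte on 636), 'starttls:<i>' (clear until the StartTLS request at index i,
    TLS records after it), 'starttls-without-tls' (StartTLS sent but plaintext LDAP
    kept flowing, i.e. a refused or downgraded StartTLS), or 'cleartext'.
    """
    if not chunks:
        return "empty"
    if is_tls_record(chunks[0]):
        return "ldaps" if port == 636 else "tls-from-start-on-port-%d" % port
    for i, c in enumerate(chunks):
        if c[:1] == b"\x30" and STARTTLS_OID in c:
            rest = chunks[i + 1:]
            if rest and all(is_tls_record(r) for r in rest):
                return "starttls:%d" % i
            return "starttls-without-tls"
    return "cleartext"


# Constructed sample messages (not captured from a real server).
CLIENT_HELLO = bytes.fromhex("16030100") + b"\x05hello"    # fake TLS handshake record
ANON_BIND = bytes.fromhex("300c020101600702010304008000")  # anonymous simple bind, msgid 1

if __name__ == "__main__":
    print(starttls_request().hex())                                  # 301d02010177188016...
    print(classify_stream(636, [CLIENT_HELLO]))                      # ldaps
    print(classify_stream(389, [starttls_request(), CLIENT_HELLO]))  # starttls:0
    print(classify_stream(389, [starttls_request(), ANON_BIND]))     # starttls-without-tls
```

The 'starttls-without-tls' outcome is the one worth alerting on: with TLS_REQCERT set to required the client should refuse to continue, so plaintext LDAP after a StartTLS request points at a misconfigured or tampered session.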